diff options
-rw-r--r-- | mpi/ec-inline.h | 66 | ||||
-rw-r--r-- | mpi/ec-nist.c | 86 | ||||
-rw-r--r-- | tests/t-mpi-point.c | 738 |
3 files changed, 837 insertions, 53 deletions
diff --git a/mpi/ec-inline.h b/mpi/ec-inline.h index 25c3b40d..a07826e3 100644 --- a/mpi/ec-inline.h +++ b/mpi/ec-inline.h @@ -40,6 +40,8 @@ #define HI32_LIMB64(v) (u32)((mpi_limb_t)(v) >> (BITS_PER_MPI_LIMB - 32)) #define LO32_LIMB64(v) ((u32)(v)) #define LIMB64_C(hi, lo) (((mpi_limb_t)(u32)(hi) << 32) | (u32)(lo)) +#define MASK_AND64(mask, val) ((mask) & (val)) +#define LIMB_OR64(val1, val2) ((val1) | (val2)) #define STORE64_COND(x, pos, mask1, val1, mask2, val2) \ ((x)[(pos)] = ((mask1) & (val1)) | ((mask2) & (val2))) @@ -73,9 +75,9 @@ LIMB64_HILO(u32 hi, u32 lo) : "0" ((mpi_limb_t)(B2)), \ "1" ((mpi_limb_t)(B1)), \ "2" ((mpi_limb_t)(B0)), \ - "g" ((mpi_limb_t)(C2)), \ - "g" ((mpi_limb_t)(C1)), \ - "g" ((mpi_limb_t)(C0)) \ + "rme" ((mpi_limb_t)(C2)), \ + "rme" ((mpi_limb_t)(C1)), \ + "rme" ((mpi_limb_t)(C0)) \ : "cc") #define SUB3_LIMB64(A3, A2, A1, A0, B2, B1, B0, C2, C1, C0) \ @@ -88,9 +90,9 @@ LIMB64_HILO(u32 hi, u32 lo) : "0" ((mpi_limb_t)(B2)), \ "1" ((mpi_limb_t)(B1)), \ "2" ((mpi_limb_t)(B0)), \ - "g" ((mpi_limb_t)(C2)), \ - "g" ((mpi_limb_t)(C1)), \ - "g" ((mpi_limb_t)(C0)) \ + "rme" ((mpi_limb_t)(C2)), \ + "rme" ((mpi_limb_t)(C1)), \ + "rme" ((mpi_limb_t)(C0)) \ : "cc") #define ADD4_LIMB64(A3, A2, A1, A0, B3, B2, B1, B0, C3, C2, C1, C0) \ @@ -106,10 +108,10 @@ LIMB64_HILO(u32 hi, u32 lo) "1" ((mpi_limb_t)(B2)), \ "2" ((mpi_limb_t)(B1)), \ "3" ((mpi_limb_t)(B0)), \ - "g" ((mpi_limb_t)(C3)), \ - "g" ((mpi_limb_t)(C2)), \ - "g" ((mpi_limb_t)(C1)), \ - "g" ((mpi_limb_t)(C0)) \ + "rme" ((mpi_limb_t)(C3)), \ + "rme" ((mpi_limb_t)(C2)), \ + "rme" ((mpi_limb_t)(C1)), \ + "rme" ((mpi_limb_t)(C0)) \ : "cc") #define SUB4_LIMB64(A3, A2, A1, A0, B3, B2, B1, B0, C3, C2, C1, C0) \ @@ -125,10 +127,10 @@ LIMB64_HILO(u32 hi, u32 lo) "1" ((mpi_limb_t)(B2)), \ "2" ((mpi_limb_t)(B1)), \ "3" ((mpi_limb_t)(B0)), \ - "g" ((mpi_limb_t)(C3)), \ - "g" ((mpi_limb_t)(C2)), \ - "g" ((mpi_limb_t)(C1)), \ - "g" ((mpi_limb_t)(C0)) \ + "rme" ((mpi_limb_t)(C3)), \ + "rme" ((mpi_limb_t)(C2)), \ + "rme" ((mpi_limb_t)(C1)), \ + "rme" ((mpi_limb_t)(C0)) \ : "cc") #define ADD5_LIMB64(A4, A3, A2, A1, A0, B4, B3, B2, B1, B0, \ @@ -148,11 +150,11 @@ LIMB64_HILO(u32 hi, u32 lo) "2" ((mpi_limb_t)(B2)), \ "3" ((mpi_limb_t)(B1)), \ "4" ((mpi_limb_t)(B0)), \ - "g" ((mpi_limb_t)(C4)), \ - "g" ((mpi_limb_t)(C3)), \ - "g" ((mpi_limb_t)(C2)), \ - "g" ((mpi_limb_t)(C1)), \ - "g" ((mpi_limb_t)(C0)) \ + "rme" ((mpi_limb_t)(C4)), \ + "rme" ((mpi_limb_t)(C3)), \ + "rme" ((mpi_limb_t)(C2)), \ + "rme" ((mpi_limb_t)(C1)), \ + "rme" ((mpi_limb_t)(C0)) \ : "cc") #define SUB5_LIMB64(A4, A3, A2, A1, A0, B4, B3, B2, B1, B0, \ @@ -172,11 +174,11 @@ LIMB64_HILO(u32 hi, u32 lo) "2" ((mpi_limb_t)(B2)), \ "3" ((mpi_limb_t)(B1)), \ "4" ((mpi_limb_t)(B0)), \ - "g" ((mpi_limb_t)(C4)), \ - "g" ((mpi_limb_t)(C3)), \ - "g" ((mpi_limb_t)(C2)), \ - "g" ((mpi_limb_t)(C1)), \ - "g" ((mpi_limb_t)(C0)) \ + "rme" ((mpi_limb_t)(C4)), \ + "rme" ((mpi_limb_t)(C3)), \ + "rme" ((mpi_limb_t)(C2)), \ + "rme" ((mpi_limb_t)(C1)), \ + "rme" ((mpi_limb_t)(C0)) \ : "cc") #endif /* __x86_64__ */ @@ -593,6 +595,22 @@ STORE64(mpi_ptr_t x, unsigned int pos, mpi_limb64_t v) x[pos * 2 + 1] = v.hi; } +static inline mpi_limb64_t +MASK_AND64(mpi_limb_t mask, mpi_limb64_t val) +{ + val.lo &= mask; + val.hi &= mask; + return val; +} + +static inline mpi_limb64_t +LIMB_OR64(mpi_limb64_t val1, mpi_limb64_t val2) +{ + val1.lo |= val2.lo; + val1.hi |= val2.hi; + return val1; +} + static inline void STORE64_COND(mpi_ptr_t x, unsigned int pos, mpi_limb_t mask1, mpi_limb64_t val1, mpi_limb_t mask2, mpi_limb64_t val2) diff --git a/mpi/ec-nist.c b/mpi/ec-nist.c index 955d2b7c..69b05a6d 100644 --- a/mpi/ec-nist.c +++ b/mpi/ec-nist.c @@ -94,12 +94,12 @@ _gcry_mpi_ec_nist192_mod (gcry_mpi_t w, mpi_ec_t ctx) }; const mpi_limb64_t zero = LIMB_TO64(0); mpi_ptr_t wp; - mpi_ptr_t pp; mpi_size_t wsize = 192 / BITS_PER_MPI_LIMB64; mpi_limb64_t s[wsize + 1]; mpi_limb64_t o[wsize + 1]; mpi_limb_t mask1; mpi_limb_t mask2; + mpi_limb_t s_is_negative; int carry; MPN_NORMALIZE (w->d, w->nlimbs); @@ -109,7 +109,6 @@ _gcry_mpi_ec_nist192_mod (gcry_mpi_t w, mpi_ec_t ctx) RESIZE_AND_CLEAR_IF_NEEDED (w, wsize * 2 * LIMBS_PER_LIMB64); RESIZE_AND_CLEAR_IF_NEEDED (ctx->p, wsize * LIMBS_PER_LIMB64); - pp = ctx->p->d; wp = w->d; prefetch (p_mult, sizeof(p_mult)); @@ -143,9 +142,13 @@ _gcry_mpi_ec_nist192_mod (gcry_mpi_t w, mpi_ec_t ctx) ADD4_LIMB64 (o[3], o[2], o[1], o[0], s[3], s[2], s[1], s[0], - zero, LOAD64(pp, 2), LOAD64(pp, 1), LOAD64(pp, 0)); - mask1 = vzero - (LO32_LIMB64(o[3]) >> 31); - mask2 = (LO32_LIMB64(o[3]) >> 31) - vone; + zero, + p_mult[0][2], p_mult[0][1], p_mult[0][0]); + + s_is_negative = LO32_LIMB64(s[3]) >> 31; + + mask2 = vzero - s_is_negative; + mask1 = s_is_negative - vone; STORE64_COND(wp, 0, mask2, o[0], mask1, s[0]); STORE64_COND(wp, 1, mask2, o[1], mask1, s[1]); @@ -183,13 +186,13 @@ _gcry_mpi_ec_nist224_mod (gcry_mpi_t w, mpi_ec_t ctx) }; const mpi_limb64_t zero = LIMB_TO64(0); mpi_ptr_t wp; - mpi_ptr_t pp; mpi_size_t wsize = (224 + BITS_PER_MPI_LIMB64 - 1) / BITS_PER_MPI_LIMB64; mpi_size_t psize = ctx->p->nlimbs; mpi_limb64_t s[wsize]; mpi_limb64_t d[wsize]; mpi_limb_t mask1; mpi_limb_t mask2; + mpi_limb_t s_is_negative; int carry; MPN_NORMALIZE (w->d, w->nlimbs); @@ -200,7 +203,6 @@ _gcry_mpi_ec_nist224_mod (gcry_mpi_t w, mpi_ec_t ctx) RESIZE_AND_CLEAR_IF_NEEDED (ctx->p, wsize * LIMBS_PER_LIMB64); ctx->p->nlimbs = psize; - pp = ctx->p->d; wp = w->d; prefetch (p_mult, sizeof(p_mult)); @@ -263,10 +265,13 @@ _gcry_mpi_ec_nist224_mod (gcry_mpi_t w, mpi_ec_t ctx) ADD4_LIMB64 (d[3], d[2], d[1], d[0], s[3], s[2], s[1], s[0], - LOAD64(pp, 3), LOAD64(pp, 2), LOAD64(pp, 1), LOAD64(pp, 0)); + p_mult[0 + 2][3], p_mult[0 + 2][2], + p_mult[0 + 2][1], p_mult[0 + 2][0]); - mask1 = vzero - (HI32_LIMB64(d[3]) >> 31); - mask2 = (HI32_LIMB64(d[3]) >> 31) - vone; + s_is_negative = (HI32_LIMB64(s[3]) >> 31); + + mask2 = vzero - s_is_negative; + mask1 = s_is_negative - vone; STORE64_COND(wp, 0, mask2, d[0], mask1, s[0]); STORE64_COND(wp, 1, mask2, d[1], mask1, s[1]); @@ -280,7 +285,7 @@ _gcry_mpi_ec_nist224_mod (gcry_mpi_t w, mpi_ec_t ctx) void _gcry_mpi_ec_nist256_mod (gcry_mpi_t w, mpi_ec_t ctx) { - static const mpi_limb64_t p_mult[11][5] = + static const mpi_limb64_t p_mult[12][5] = { { /* P * -3 */ LIMB64_C(0x00000000U, 0x00000003U), LIMB64_C(0xfffffffdU, 0x00000000U), @@ -340,14 +345,17 @@ _gcry_mpi_ec_nist256_mod (gcry_mpi_t w, mpi_ec_t ctx) }; const mpi_limb64_t zero = LIMB_TO64(0); mpi_ptr_t wp; - mpi_ptr_t pp; mpi_size_t wsize = (256 + BITS_PER_MPI_LIMB64 - 1) / BITS_PER_MPI_LIMB64; mpi_size_t psize = ctx->p->nlimbs; mpi_limb64_t s[wsize + 1]; mpi_limb64_t t[wsize + 1]; mpi_limb64_t d[wsize + 1]; + mpi_limb64_t e[wsize + 1]; mpi_limb_t mask1; mpi_limb_t mask2; + mpi_limb_t mask3; + mpi_limb_t s_is_negative; + mpi_limb_t d_is_negative; int carry; MPN_NORMALIZE (w->d, w->nlimbs); @@ -358,7 +366,6 @@ _gcry_mpi_ec_nist256_mod (gcry_mpi_t w, mpi_ec_t ctx) RESIZE_AND_CLEAR_IF_NEEDED (ctx->p, wsize * LIMBS_PER_LIMB64); ctx->p->nlimbs = psize; - pp = ctx->p->d; wp = w->d; prefetch (p_mult, sizeof(p_mult)); @@ -465,7 +472,7 @@ _gcry_mpi_ec_nist256_mod (gcry_mpi_t w, mpi_ec_t ctx) /* mod p: * 's[4]' holds carry value (-4..6). Subtract (carry + 1) * p. Result - * will be with in range -p...p. Handle result being negative with + * will be with in range -2*p...p. Handle result being negative with * addition and conditional store. */ carry = LO32_LIMB64(s[4]); @@ -476,18 +483,39 @@ _gcry_mpi_ec_nist256_mod (gcry_mpi_t w, mpi_ec_t ctx) p_mult[carry + 4][2], p_mult[carry + 4][1], p_mult[carry + 4][0]); + /* Add 1*P */ ADD5_LIMB64 (d[4], d[3], d[2], d[1], d[0], s[4], s[3], s[2], s[1], s[0], zero, - LOAD64(pp, 3), LOAD64(pp, 2), LOAD64(pp, 1), LOAD64(pp, 0)); - - mask1 = vzero - (LO32_LIMB64(d[4]) >> 31); - mask2 = (LO32_LIMB64(d[4]) >> 31) - vone; + p_mult[0 + 4][3], p_mult[0 + 4][2], + p_mult[0 + 4][1], p_mult[0 + 4][0]); - STORE64_COND(wp, 0, mask2, d[0], mask1, s[0]); - STORE64_COND(wp, 1, mask2, d[1], mask1, s[1]); - STORE64_COND(wp, 2, mask2, d[2], mask1, s[2]); - STORE64_COND(wp, 3, mask2, d[3], mask1, s[3]); + /* Add 2*P */ + ADD5_LIMB64 (e[4], e[3], e[2], e[1], e[0], + s[4], s[3], s[2], s[1], s[0], + zero, + p_mult[1 + 4][3], p_mult[1 + 4][2], + p_mult[1 + 4][1], p_mult[1 + 4][0]); + + s_is_negative = LO32_LIMB64(s[4]) >> 31; + d_is_negative = LO32_LIMB64(d[4]) >> 31; + mask3 = vzero - d_is_negative; + mask2 = (vzero - s_is_negative) & ~mask3; + mask1 = (s_is_negative - vone) & ~mask3; + + s[0] = LIMB_OR64(MASK_AND64(mask2, d[0]), MASK_AND64(mask1, s[0])); + s[1] = LIMB_OR64(MASK_AND64(mask2, d[1]), MASK_AND64(mask1, s[1])); + s[2] = LIMB_OR64(MASK_AND64(mask2, d[2]), MASK_AND64(mask1, s[2])); + s[3] = LIMB_OR64(MASK_AND64(mask2, d[3]), MASK_AND64(mask1, s[3])); + s[0] = LIMB_OR64(MASK_AND64(mask3, e[0]), s[0]); + s[1] = LIMB_OR64(MASK_AND64(mask3, e[1]), s[1]); + s[2] = LIMB_OR64(MASK_AND64(mask3, e[2]), s[2]); + s[3] = LIMB_OR64(MASK_AND64(mask3, e[3]), s[3]); + + STORE64(wp, 0, s[0]); + STORE64(wp, 1, s[1]); + STORE64(wp, 2, s[2]); + STORE64(wp, 3, s[3]); w->nlimbs = wsize * LIMBS_PER_LIMB64; MPN_NORMALIZE (wp, w->nlimbs); @@ -567,7 +595,6 @@ _gcry_mpi_ec_nist384_mod (gcry_mpi_t w, mpi_ec_t ctx) }; const mpi_limb64_t zero = LIMB_TO64(0); mpi_ptr_t wp; - mpi_ptr_t pp; mpi_size_t wsize = (384 + BITS_PER_MPI_LIMB64 - 1) / BITS_PER_MPI_LIMB64; mpi_size_t psize = ctx->p->nlimbs; #if (BITS_PER_MPI_LIMB64 == BITS_PER_MPI_LIMB) && defined(WORDS_BIGENDIAN) @@ -579,6 +606,7 @@ _gcry_mpi_ec_nist384_mod (gcry_mpi_t w, mpi_ec_t ctx) mpi_limb64_t x[wsize + 1]; mpi_limb_t mask1; mpi_limb_t mask2; + mpi_limb_t s_is_negative; int carry; MPN_NORMALIZE (w->d, w->nlimbs); @@ -589,7 +617,6 @@ _gcry_mpi_ec_nist384_mod (gcry_mpi_t w, mpi_ec_t ctx) RESIZE_AND_CLEAR_IF_NEEDED (ctx->p, wsize * LIMBS_PER_LIMB64); ctx->p->nlimbs = psize; - pp = ctx->p->d; wp = w->d; prefetch (p_mult, sizeof(p_mult)); @@ -738,12 +765,13 @@ _gcry_mpi_ec_nist384_mod (gcry_mpi_t w, mpi_ec_t ctx) ADD7_LIMB64 (d[6], d[5], d[4], d[3], d[2], d[1], d[0], s[6], s[5], s[4], s[3], s[2], s[1], s[0], zero, - LOAD64(pp, 5), LOAD64(pp, 4), - LOAD64(pp, 3), LOAD64(pp, 2), - LOAD64(pp, 1), LOAD64(pp, 0)); + p_mult[0 + 3][5], p_mult[0 + 3][4], + p_mult[0 + 3][3], p_mult[0 + 3][2], + p_mult[0 + 3][1], p_mult[0 + 3][0]); - mask1 = vzero - (LO32_LIMB64(d[6]) >> 31); - mask2 = (LO32_LIMB64(d[6]) >> 31) - vone; + s_is_negative = LO32_LIMB64(s[6]) >> 31; + mask2 = vzero - s_is_negative; + mask1 = s_is_negative - vone; STORE64_COND(wp, 0, mask2, d[0], mask1, s[0]); STORE64_COND(wp, 1, mask2, d[1], mask1, s[1]); diff --git a/tests/t-mpi-point.c b/tests/t-mpi-point.c index 6cd030f1..6e4deba6 100644 --- a/tests/t-mpi-point.c +++ b/tests/t-mpi-point.c @@ -3586,6 +3586,743 @@ check_ec_mul (void) } +static void +check_ec_mul_reduction (void) +{ + static struct + { + const char *curve; + const char *scalar; + const char *ux; + const char *uy; + const char *uz; + const char *qx; + const char *qy; + } tv[] = + { + /* --- NIST P-192 --- */ + + /* Bug report: https://dev.gnupg.org/T5510 */ + { + "NIST P-192", + "0FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22830", + "000000000000000000000000000000000FFFFFFFFFFFFFF00", + "030A893B61A4E76AF2B682FDB86E043C427C1AD2DFDABB62E", + NULL, + "000000000000000000000000000000000FFFFFFFFFFFFFF00", + "0CF576C49E5B18950D497D024791FBC3AD83E52D2025449D1" + }, + { + "NIST P-192", + "0FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22830", + "000000000000000000000000000000000FFFFFFFFFFFFFF00", + "0CF576C49E5B18950D497D024791FBC3AD83E52D2025449D1", + NULL, + "000000000000000000000000000000000FFFFFFFFFFFFFF00", + "030A893B61A4E76AF2B682FDB86E043C427C1AD2DFDABB62E" + }, + + /* Test #1 for NIST P-192 fast reduction */ + { + "NIST P-192", + "09977FBFF49FFB1F115C20E3378819ACCFB2A2A19EF9D00C2", + "06D9D789820A2C19237C96AD4B8D86B87FB49D4D6C728B84F", + "0000000000000000000000000000000000000000000000001", + NULL, + "019298C549B3982415E831422E8FF991D25C589B214B3EC20", + "09CF5FFD92F0218F704E1F5D4F888FEB1AE5C09674428D9FE" + }, + { + "NIST P-192", + "01234567890ABCDEF01234567890ABCDEF01234567890ABCD", + "019298C549B3982415E831422E8FF991D25C589B214B3EC20", + "09CF5FFD92F0218F704E1F5D4F888FEB1AE5C09674428D9FE", + NULL, + "06D9D789820A2C19237C96AD4B8D86B87FB49D4D6C728B84F", + "0000000000000000000000000000000000000000000000001" + }, + + /* Test #2 for NIST P-192 fast reduction */ + { + "NIST P-192", + "09977FBFF49FFB1F115C20E3378819ACCFB2A2A19EF9D00C2", + "03DA9DE5C6BFA357FDAD6F1B64479BFF526480BF1647D1DDE", + "0000000000000000000000000000000010000000000000001", + NULL, + "0FA56FFAE18551DEC7B10335F9E4D9844B11EEF9C3124B7CF", + "06EC4073A143832560600767FDDC0499A1721BE8C2DEE9B68" + }, + { + "NIST P-192", + "01234567890ABCDEF01234567890ABCDEF01234567890ABCD", + "0FA56FFAE18551DEC7B10335F9E4D9844B11EEF9C3124B7CF", + "06EC4073A143832560600767FDDC0499A1721BE8C2DEE9B68", + NULL, + "03DA9DE5C6BFA357FDAD6F1B64479BFF526480BF1647D1DDE", + "0000000000000000000000000000000010000000000000001" + }, + + /* Test #3 for NIST P-192 fast reduction */ + { + "NIST P-192", + "09977FBFF49FFB1F115C20E3378819ACCFB2A2A19EF9D00C2", + "06D9D789820A2C19237C96AD4B8D86B87FB49D4D6C728B84F", + "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFE", + NULL, + "019298C549B3982415E831422E8FF991D25C589B214B3EC20", + "0630A0026D0FDE708FB1E0A2B0777014D51A3F698BBD72601" + }, + { + "NIST P-192", + "01234567890ABCDEF01234567890ABCDEF01234567890ABCD", + "019298C549B3982415E831422E8FF991D25C589B214B3EC20", + "0630A0026D0FDE708FB1E0A2B0777014D51A3F698BBD72601", + NULL, + "06D9D789820A2C19237C96AD4B8D86B87FB49D4D6C728B84F", + "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFE" + }, + + /* Test #4 for NIST P-192 fast reduction */ + { + "NIST P-192", + "0FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22830", + "06D9D789820A2C19237C96AD4B8D86B87FB49D4D6C728B84F", + "0000000000000000000000000000000000000000000000001", + NULL, + "06D9D789820A2C19237C96AD4B8D86B87FB49D4D6C728B84F", + "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFE" + }, + { + "NIST P-192", + "0FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22830", + "06D9D789820A2C19237C96AD4B8D86B87FB49D4D6C728B84F", + "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFE", + NULL, + "06D9D789820A2C19237C96AD4B8D86B87FB49D4D6C728B84F", + "0000000000000000000000000000000000000000000000001" + }, + + /* --- NIST P-224 --- */ + + /* Test #1 for NIST P-224 fast reduction */ + { + "NIST P-224", + "05793BE916A89FC5475A3267BE6F3530901AEC6010E8C2EA2D79F9EE8", + "03B5889352DDF7468BF8C0729212AA1B2A3FCB1A844B8BE91ABB753D5", + "000000000000000000000000000000000000000000000000000000001", + NULL, + "0B5457C849D65FBA90C724C9528F500C10930B744F1ECFF60015238D7", + "05BBF4A452ADCAFB15484C0E3AAEBF37153543DA0785EBB61A8F2A1B9" + }, + { + "NIST P-224", + "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF012345", + "0B5457C849D65FBA90C724C9528F500C10930B744F1ECFF60015238D7", + "05BBF4A452ADCAFB15484C0E3AAEBF37153543DA0785EBB61A8F2A1B9", + NULL, + "03B5889352DDF7468BF8C0729212AA1B2A3FCB1A844B8BE91ABB753D5", + "000000000000000000000000000000000000000000000000000000001" + }, + + /* Test #2 for NIST P-224 fast reduction */ + { + "NIST P-224", + "05793BE916A89FC5475A3267BE6F3530901AEC6010E8C2EA2D79F9EE8", + "02FEB134F401D499197917C3470242239093606F5B8EA463A763C3AC4", + "0C0000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF", + NULL, + "0384BD56C5E3FA9C109C841485CCB0B8C90FB5928A87388A658E164AA", + "04701B697F333FD522787DF61F3CDB3F964FF43F288858BC4524CA3CD" + }, + { + "NIST P-224", + "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF012345", + "0384BD56C5E3FA9C109C841485CCB0B8C90FB5928A87388A658E164AA", + "04701B697F333FD522787DF61F3CDB3F964FF43F288858BC4524CA3CD", + NULL, + "02FEB134F401D499197917C3470242239093606F5B8EA463A763C3AC4", + "0C0000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF" + }, + + /* Test #3 for NIST P-224 fast reduction */ + { + "NIST P-224", + "05793BE916A89FC5475A3267BE6F3530901AEC6010E8C2EA2D79F9EE8", + "03B5889352DDF7468BF8C0729212AA1B2A3FCB1A844B8BE91ABB753D5", + "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000", + NULL, + "0B5457C849D65FBA90C724C9528F500C10930B744F1ECFF60015238D7", + "0A440B5BAD523504EAB7B3F1C55140C8DACABC25F87A1449E570D5E48" + }, + { + "NIST P-224", + "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF012345", + "0B5457C849D65FBA90C724C9528F500C10930B744F1ECFF60015238D7", + "0A440B5BAD523504EAB7B3F1C55140C8DACABC25F87A1449E570D5E48", + NULL, + "03B5889352DDF7468BF8C0729212AA1B2A3FCB1A844B8BE91ABB753D5", + "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000" + }, + + /* Test #4 for NIST P-224 fast reduction */ + { + "NIST P-224", + "0FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3C", + "03B5889352DDF7468BF8C0729212AA1B2A3FCB1A844B8BE91ABB753D5", + "000000000000000000000000000000000000000000000000000000001", + NULL, + "03B5889352DDF7468BF8C0729212AA1B2A3FCB1A844B8BE91ABB753D5", + "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000" + }, + { + "NIST P-224", + "0FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3C", + "03B5889352DDF7468BF8C0729212AA1B2A3FCB1A844B8BE91ABB753D5", + "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000", + NULL, + "03B5889352DDF7468BF8C0729212AA1B2A3FCB1A844B8BE91ABB753D5", + "000000000000000000000000000000000000000000000000000000001" + }, + + /* --- NIST P-256 --- */ + + /* Bug report: https://dev.gnupg.org/T5510 */ + { + "NIST P-256", + "00000000000FF0000000400000000000000000000005D00003277002000010000", + "00000FFFFFFFF0000000000000000000000000000000000000000000000000000", + "0CFE26D107A5134D6FEB38CE3577075BDC7AA70FF7523D3B203C8A973F2D3DC8E", + NULL, + "0FD351B304AD50F36153D8193C4BBF7D4C3BEE26E5AF52A9C70133EDFA62C273E", + "005DA8312615436E9C81B5B0624E68667233ACE6307AFC8056EAE85049CA63226" + }, + { + "NIST P-256", + "096D8332E8F1265354CB7D213EF7809BA2D9639DFA634F321420C238CD2ED1830", + "0FD351B304AD50F36153D8193C4BBF7D4C3BEE26E5AF52A9C70133EDFA62C273E", + "005DA8312615436E9C81B5B0624E68667233ACE6307AFC8056EAE85049CA63226", + NULL, + "00000FFFFFFFF0000000000000000000000000000000000000000000000000000", + "0CFE26D107A5134D6FEB38CE3577075BDC7AA70FF7523D3B203C8A973F2D3DC8E" + }, + + /* Test #1 for NIST P-256 fast reduction */ + { + "NIST P-256", + "0F14DE6DA4CBA6F4C7B7E988EEF4D168088B6300BAB207054AA24E6D3019D5A23", + "08D0177EBAB9C6E9E10DB6DD095DBAC0D6375E8A97B70F611875D877F0069D2C7", + "00000000000000000000000000000000000000000000000000000000000000001", + NULL, + "0688856989B61877BC62ED4D2EE8E0FCA4588D90C2F9A282FA4AD6ACCFBAA95DF", + "0D2B9F7FA3982EE114FBBA108E132CECB5A605520661B3C4F7CF2906714B400E2" + }, + { + "NIST P-256", + "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC", + "0688856989B61877BC62ED4D2EE8E0FCA4588D90C2F9A282FA4AD6ACCFBAA95DF", + "0D2B9F7FA3982EE114FBBA108E132CECB5A605520661B3C4F7CF2906714B400E2", + NULL, + "08D0177EBAB9C6E9E10DB6DD095DBAC0D6375E8A97B70F611875D877F0069D2C7", + "00000000000000000000000000000000000000000000000000000000000000001" + }, + + /* Test #2 for NIST P-256 fast reduction */ + { + "NIST P-256", + "0F14DE6DA4CBA6F4C7B7E988EEF4D168088B6300BAB207054AA24E6D3019D5A23", + "0F650B5048E7DE9587399E64274C008A4CA0992BA29DC05F7E51243D34C2949EC", + "0FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001", + NULL, + "0BEF9CCBF964B86724C97CF35D3890CAB3E9802EDAD1A3D9070695FD04C640087", + "0E540F49BAC4AA879B7A1D7C40CE03F7097A910B77F098DA2F7C441407BAD119B" + }, + { + "NIST P-256", + "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC", + "0BEF9CCBF964B86724C97CF35D3890CAB3E9802EDAD1A3D9070695FD04C640087", + "0E540F49BAC4AA879B7A1D7C40CE03F7097A910B77F098DA2F7C441407BAD119B", + NULL, + "0F650B5048E7DE9587399E64274C008A4CA0992BA29DC05F7E51243D34C2949EC", + "0FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001" + }, + + /* Test #3 for NIST P-256 fast reduction */ + { + "NIST P-256", + "0F14DE6DA4CBA6F4C7B7E988EEF4D168088B6300BAB207054AA24E6D3019D5A23", + "08D0177EBAB9C6E9E10DB6DD095DBAC0D6375E8A97B70F611875D877F0069D2C7", + "0FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFE", + NULL, + "0688856989B61877BC62ED4D2EE8E0FCA4588D90C2F9A282FA4AD6ACCFBAA95DF", + "02D460804C67D11EFB0445EF71ECD3134A59FAAE099E4C3B0830D6F98EB4BFF1D" + }, + { + "NIST P-256", + "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC", + "0688856989B61877BC62ED4D2EE8E0FCA4588D90C2F9A282FA4AD6ACCFBAA95DF", + "02D460804C67D11EFB0445EF71ECD3134A59FAAE099E4C3B0830D6F98EB4BFF1D", + NULL, + "08D0177EBAB9C6E9E10DB6DD095DBAC0D6375E8A97B70F611875D877F0069D2C7", + "0FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFE" + }, + + /* Test #4 for NIST P-256 fast reduction */ + { + "NIST P-256", + "0FD1AEFA76594FC4D14169064B1AE89B2224AEB9F9C314E21BDCFEB5F2AFB3B81", + "0FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001", + "0AFE89640E5A59FE8F69ADB58DB0059E522E5CC1D0CEDAB7AC6F8455F49AADED2", + NULL, + "0063257268860D4F13CFC6071CE09E3D1BD8B77B08A0714CFF42880F430A4F1CE", + "09665C75111B793CE3BF6E2BF45F9B55E065D22F93C4063A79DF8C9D139E83173" + }, + { + "NIST P-256", + "0C0DE4C0FFEE1111C0DE4C0FFEE1111C0DE4C0FFEE1111C0DE4C0FFEE1111C0DE", + "0063257268860D4F13CFC6071CE09E3D1BD8B77B08A0714CFF42880F430A4F1CE", + "09665C75111B793CE3BF6E2BF45F9B55E065D22F93C4063A79DF8C9D139E83173", + NULL, + "0FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001", + "0AFE89640E5A59FE8F69ADB58DB0059E522E5CC1D0CEDAB7AC6F8455F49AADED2" + }, + + /* Test #5 for NIST P-256 fast reduction */ + { + "NIST P-256", + "0FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632550", + "08D0177EBAB9C6E9E10DB6DD095DBAC0D6375E8A97B70F611875D877F0069D2C7", + "00000000000000000000000000000000000000000000000000000000000000001", + NULL, + "08D0177EBAB9C6E9E10DB6DD095DBAC0D6375E8A97B70F611875D877F0069D2C7", + "0FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFE" + }, + { + "NIST P-256", + "0FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632550", + "08D0177EBAB9C6E9E10DB6DD095DBAC0D6375E8A97B70F611875D877F0069D2C7", + "0FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFE", + NULL, + "08D0177EBAB9C6E9E10DB6DD095DBAC0D6375E8A97B70F611875D877F0069D2C7", + "00000000000000000000000000000000000000000000000000000000000000001" + }, + + /* --- NIST P-384 --- */ + + /* Bug report: https://dev.gnupg.org/T5510 */ + { + "NIST P-384", + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF" + "581A0DB248B0A77AECEC196ACCC52972", + "0000000000000000000000000000000000000000000000000000000000000000" + "0000000000FFFFFFFFFFFFFFFFFFFFFC", + "1B0D6F8FB7F2DE5B8875645B64042AE20F119F3E1CFEFC0215857EEAE5F4A8FC" + "A737057D69A42C44D958E7CFCC77CE6B", + NULL, + "0000000000000000000000000000000000000000000000000000000000000000" + "0000000000FFFFFFFFFFFFFFFFFFFFFC", + "E4F29070480D21A4778A9BA49BFBD51DF0EE60C1E30103FDEA7A81151A0B5702" + "58C8FA81965BD3BB26A7183133883194" + }, + { + "NIST P-384", + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF" + "581A0DB248B0A77AECEC196ACCC52972", + "0000000000000000000000000000000000000000000000000000000000000000" + "0000000000FFFFFFFFFFFFFFFFFFFFFC", + "E4F29070480D21A4778A9BA49BFBD51DF0EE60C1E30103FDEA7A81151A0B5702" + "58C8FA81965BD3BB26A7183133883194", + NULL, + "0000000000000000000000000000000000000000000000000000000000000000" + "0000000000FFFFFFFFFFFFFFFFFFFFFC", + "1B0D6F8FB7F2DE5B8875645B64042AE20F119F3E1CFEFC0215857EEAE5F4A8FC" + "A737057D69A42C44D958E7CFCC77CE6B" + }, + + /* Test #1 for NIST P-384 fast reduction */ + { + "NIST P-384", + "0739C89BDC9F071F1DC8391A52A0764EE0E15387DBB56E4FDAD647993F52C9121" + "D2DCE779834057EEAE390D113E337DDB", + "02261B2BF605C22F2F3AEF6338719B2C486388AD5240719A5257315969EF01BA2" + "7F0A104C89704773A81FDABEE6AB5C78", + "00000000000000000000000000000000000000000000000000000000000000000" + "00000000000000000000000000000001", + NULL, + "041CF9FB4C86482B7EC4850FB8AA31771D5F2D3944168B16D47C307468929A860" + "B21334F09C2F33AAA565E7190225C793", + "00512D4C3F17BA90EEDBCC74C7CBA4410A4F68C8FC0EFB9B981501B454F574744" + "8947DFC29E4BAEE30439A84D455627C6" + }, + { + "NIST P-384", + "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC" + "DEF01234567890ABCDEF01234567890A", + "041CF9FB4C86482B7EC4850FB8AA31771D5F2D3944168B16D47C307468929A860" + "B21334F09C2F33AAA565E7190225C793", + "00512D4C3F17BA90EEDBCC74C7CBA4410A4F68C8FC0EFB9B981501B454F574744" + "8947DFC29E4BAEE30439A84D455627C6", + NULL, + "02261B2BF605C22F2F3AEF6338719B2C486388AD5240719A5257315969EF01BA2" + "7F0A104C89704773A81FDABEE6AB5C78", + "00000000000000000000000000000000000000000000000000000000000000000" + "00000000000000000000000000000001" + }, + + /* Test #2 for NIST P-384 fast reduction */ + { + "NIST P-384", + "0739C89BDC9F071F1DC8391A52A0764EE0E15387DBB56E4FDAD647993F52C9121" + "D2DCE779834057EEAE390D113E337DDB", + "0C4A2DEA4D2A725EAEEFA6CA6FA301155510309F46EA1C70C909B988B49E1D612" + "468051EB758869259D1BF892E0A555C2", + "00000000000000000000000000000000000000000000000000000000000000001" + "00000000FFFFFFFFFFFFFFFF00000001", + NULL, + "0ED97AD545DB70C379C94BDA35926921F26FA9B9B338D32D8F2A163DBBEC5CFAF" + "600830D133A14C0B599B53E57D206DE2", + "069B72397B725CA8FA7A59173D4F588273C8303B5F6A5AFD8ACBD6B56CC7CCF32" + "B6FCE2DBB991DE4C6E9CCFAF21B8ECCF" + }, + { + "NIST P-384", + "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC" + "DEF01234567890ABCDEF01234567890A", + "0ED97AD545DB70C379C94BDA35926921F26FA9B9B338D32D8F2A163DBBEC5CFAF" + "600830D133A14C0B599B53E57D206DE2", + "069B72397B725CA8FA7A59173D4F588273C8303B5F6A5AFD8ACBD6B56CC7CCF32" + "B6FCE2DBB991DE4C6E9CCFAF21B8ECCF", + NULL, + "0C4A2DEA4D2A725EAEEFA6CA6FA301155510309F46EA1C70C909B988B49E1D612" + "468051EB758869259D1BF892E0A555C2", + "00000000000000000000000000000000000000000000000000000000000000001" + "00000000FFFFFFFFFFFFFFFF00000001" + }, + + /* Test #3 for NIST P-384 fast reduction */ + { + "NIST P-384", + "0739C89BDC9F071F1DC8391A52A0764EE0E15387DBB56E4FDAD647993F52C9121" + "D2DCE779834057EEAE390D113E337DDB", + "05ADE55A6BD4FA27FCA00D1C38653843E3E8421E018DFC7DDAD34076C4D41A621" + "980D62417D12330DAE5948C2C6D7D347", + "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" + "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFD", + NULL, + "0A85779C7427F50E92166268399F4ABEDDAA7B8866B0A495ED603BE80A8900786" + "DD287FF5C28708D039AF02DD1FC197CC", + "0CB97C2A5822A86B82DFE300E7F6278A087506A718EBD4FF317D7529581E98470" + "56FCE58652AA1B6D6FBB62851099A9FF" + }, + { + "NIST P-384", + "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC" + "DEF01234567890ABCDEF01234567890A", + "0A85779C7427F50E92166268399F4ABEDDAA7B8866B0A495ED603BE80A8900786" + "DD287FF5C28708D039AF02DD1FC197CC", + "0CB97C2A5822A86B82DFE300E7F6278A087506A718EBD4FF317D7529581E98470" + "56FCE58652AA1B6D6FBB62851099A9FF", + NULL, + "05ADE55A6BD4FA27FCA00D1C38653843E3E8421E018DFC7DDAD34076C4D41A621" + "980D62417D12330DAE5948C2C6D7D347", + "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" + "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFD" + }, + + /* Test #4 for NIST P-384 fast reduction */ + { + "NIST P-384", + "0739C89BDC9F071F1DC8391A52A0764EE0E15387DBB56E4FDAD647993F52C9121" + "D2DCE779834057EEAE390D113E337DDB", + "02261B2BF605C22F2F3AEF6338719B2C486388AD5240719A5257315969EF01BA2" + "7F0A104C89704773A81FDABEE6AB5C78", + "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" + "FFFFFFFF0000000000000000FFFFFFFE", + NULL, + "041CF9FB4C86482B7EC4850FB8AA31771D5F2D3944168B16D47C307468929A860" + "B21334F09C2F33AAA565E7190225C793", + "0FAED2B3C0E8456F1124338B38345BBEF5B0973703F1046467EAFE4BAB0A8B8BA" + "76B8203C61B4511CFBC657B3BAA9D839" + }, + { + "NIST P-384", + "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC" + "DEF01234567890ABCDEF01234567890A", + "041CF9FB4C86482B7EC4850FB8AA31771D5F2D3944168B16D47C307468929A860" + "B21334F09C2F33AAA565E7190225C793", + "0FAED2B3C0E8456F1124338B38345BBEF5B0973703F1046467EAFE4BAB0A8B8BA" + "76B8203C61B4511CFBC657B3BAA9D839", + NULL, + "02261B2BF605C22F2F3AEF6338719B2C486388AD5240719A5257315969EF01BA2" + "7F0A104C89704773A81FDABEE6AB5C78", + "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" + "FFFFFFFF0000000000000000FFFFFFFE" + }, + + /* Test #5 for NIST P-384 fast reduction */ + { + "NIST P-384", + "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF" + "581A0DB248B0A77AECEC196ACCC52972", + "02261B2BF605C22F2F3AEF6338719B2C486388AD5240719A5257315969EF01BA2" + "7F0A104C89704773A81FDABEE6AB5C78", + "0000000000000000000000000000000000000000000000000000000000000000" + "00000000000000000000000000000001", + NULL, + "02261B2BF605C22F2F3AEF6338719B2C486388AD5240719A5257315969EF01BA2" + "7F0A104C89704773A81FDABEE6AB5C78", + "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" + "FFFFFFFF0000000000000000FFFFFFFE" + }, + { + "NIST P-384", + "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF" + "581A0DB248B0A77AECEC196ACCC52972", + "02261B2BF605C22F2F3AEF6338719B2C486388AD5240719A5257315969EF01BA2" + "7F0A104C89704773A81FDABEE6AB5C78", + "0FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" + "FFFFFFFF0000000000000000FFFFFFFE", + NULL, + "02261B2BF605C22F2F3AEF6338719B2C486388AD5240719A5257315969EF01BA2" + "7F0A104C89704773A81FDABEE6AB5C78", + "0000000000000000000000000000000000000000000000000000000000000000" + "00000000000000000000000000000001", + }, + + /* --- NIST P-521 --- */ + + /* Test #1 for NIST P-521 fast reduction */ + { + "NIST P-521", + "014395758AE77FEE059DA0B5ABC00C374ACA51984B95451C08AD8309DC8CEFB9F" + "0B7D03950131E54E63319D4592D679C1F8CFD610289F7B791D5C1C09B7BC5122195", + "00D9CB7A32DAB342F863EDB340F3EA61DDF833E755CE66BB1A918A42714BA05BC" + "DF4FF10994F616A9D80CD0B48B326E3A8A2A8F5634D824875B6E71FB7CDDD7B5018", + "00000000000000000000000000000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000000001", + NULL, + "0091EC67F53DC1C752724942D6B94A3D66D91C16C997F42524400D3CD10074C07" + "FF6F7981A44292B25B478AE551DE980999404EC9221FD3FACE26C40FE783576EF1B", + "00534EE41FFDDCE7E171AF630593437896A4C0344900671D1886ED21EF61AC26D" + "A3DF4C6D7F1330B3EA25ABB6CA2127A605A650F2A6E916EAB757FE8B43116227FA1" + }, + { + "NIST P-521", + "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC" + "DEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890AB", + "0091EC67F53DC1C752724942D6B94A3D66D91C16C997F42524400D3CD10074C07" + "FF6F7981A44292B25B478AE551DE980999404EC9221FD3FACE26C40FE783576EF1B", + "00534EE41FFDDCE7E171AF630593437896A4C0344900671D1886ED21EF61AC26D" + "A3DF4C6D7F1330B3EA25ABB6CA2127A605A650F2A6E916EAB757FE8B43116227FA1", + NULL, + "00D9CB7A32DAB342F863EDB340F3EA61DDF833E755CE66BB1A918A42714BA05BC" + "DF4FF10994F616A9D80CD0B48B326E3A8A2A8F5634D824875B6E71FB7CDDD7B5018", + "00000000000000000000000000000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000000001" + }, + + /* Test #2 for NIST P-521 fast reduction */ + { + "NIST P-521", + "014395758AE77FEE059DA0B5ABC00C374ACA51984B95451C08AD8309DC8CEFB9F" + "0B7D03950131E54E63319D4592D679C1F8CFD610289F7B791D5C1C09B7BC5122195", + "01A255D0D3B19B08BE171002C6D73096CA0E41498E805ABF61016EBF1A41E8018" + "D5F876D2870BFF35AA254BE8D6A303A79C4E4A3427AA4BDF8EE59DCAC22F4C83CD6", + "01000000000000000000000000000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000000003", + NULL, + "00CEA3C8CE463F76789E7B0FCBEE5253E64BFA0FCBE101944CEFFC04D1786FF88" + "C9EC5650BFAC13D4037C34064E6E0CE00AA666EAC026F7EE4CE6F7805A10AD9C743", + "01F2D67A2DD50C916C48011BEE7BADFA488CD8C4F8BD69064C8BB454579E7B2FB" + "EDE9B52418239251C5B81638970916D1B3CACD25487927978CE7B0CD2A25916F9FE" + }, + { + "NIST P-521", + "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC" + "DEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890AB", + "00CEA3C8CE463F76789E7B0FCBEE5253E64BFA0FCBE101944CEFFC04D1786FF88" + "C9EC5650BFAC13D4037C34064E6E0CE00AA666EAC026F7EE4CE6F7805A10AD9C743", + "01F2D67A2DD50C916C48011BEE7BADFA488CD8C4F8BD69064C8BB454579E7B2FB" + "EDE9B52418239251C5B81638970916D1B3CACD25487927978CE7B0CD2A25916F9FE", + NULL, + "01A255D0D3B19B08BE171002C6D73096CA0E41498E805ABF61016EBF1A41E8018" + "D5F876D2870BFF35AA254BE8D6A303A79C4E4A3427AA4BDF8EE59DCAC22F4C83CD6", + "01000000000000000000000000000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000000003" + }, + + /* Test #3 for NIST P-521 fast reduction */ + { + "NIST P-521", + "014395758AE77FEE059DA0B5ABC00C374ACA51984B95451C08AD8309DC8CEFB9F" + "0B7D03950131E54E63319D4592D679C1F8CFD610289F7B791D5C1C09B7BC5122195", + "00D9CB7A32DAB342F863EDB340F3EA61DDF833E755CE66BB1A918A42714BA05BC" + "DF4FF10994F616A9D80CD0B48B326E3A8A2A8F5634D824875B6E71FB7CDDD7B5018", + "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE", + NULL, + "0091EC67F53DC1C752724942D6B94A3D66D91C16C997F42524400D3CD10074C07" + "FF6F7981A44292B25B478AE551DE980999404EC9221FD3FACE26C40FE783576EF1B", + "01ACB11BE00223181E8E509CFA6CBC87695B3FCBB6FF98E2E77912DE109E53D92" + "5C20B39280ECCF4C15DA544935DED859FA59AF0D5916E91548A80174BCEE9DD805E" + }, + { + "NIST P-521", + "01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890ABC" + "DEF01234567890ABCDEF01234567890ABCDEF01234567890ABCDEF01234567890AB", + "0091EC67F53DC1C752724942D6B94A3D66D91C16C997F42524400D3CD10074C07" + "FF6F7981A44292B25B478AE551DE980999404EC9221FD3FACE26C40FE783576EF1B", + "01ACB11BE00223181E8E509CFA6CBC87695B3FCBB6FF98E2E77912DE109E53D92" + "5C20B39280ECCF4C15DA544935DED859FA59AF0D5916E91548A80174BCEE9DD805E", + NULL, + "00D9CB7A32DAB342F863EDB340F3EA61DDF833E755CE66BB1A918A42714BA05BC" + "DF4FF10994F616A9D80CD0B48B326E3A8A2A8F5634D824875B6E71FB7CDDD7B5018", + "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" + }, + + /* Test #4 for NIST P-521 fast reduction */ + { + "NIST P-521", + "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386408", + "00D9CB7A32DAB342F863EDB340F3EA61DDF833E755CE66BB1A918A42714BA05BC" + "DF4FF10994F616A9D80CD0B48B326E3A8A2A8F5634D824875B6E71FB7CDDD7B5018", + "00000000000000000000000000000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000000001", + NULL, + "00D9CB7A32DAB342F863EDB340F3EA61DDF833E755CE66BB1A918A42714BA05BC" + "DF4FF10994F616A9D80CD0B48B326E3A8A2A8F5634D824875B6E71FB7CDDD7B5018", + "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" + }, + { + "NIST P-521", + "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386408", + "00D9CB7A32DAB342F863EDB340F3EA61DDF833E755CE66BB1A918A42714BA05BC" + "DF4FF10994F616A9D80CD0B48B326E3A8A2A8F5634D824875B6E71FB7CDDD7B5018", + "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE", + NULL, + "00D9CB7A32DAB342F863EDB340F3EA61DDF833E755CE66BB1A918A42714BA05BC" + "DF4FF10994F616A9D80CD0B48B326E3A8A2A8F5634D824875B6E71FB7CDDD7B5018", + "00000000000000000000000000000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000000001" + }, + + { NULL, NULL, NULL, NULL, NULL, NULL } + }; + gpg_error_t err; + gcry_ctx_t ctx; + gcry_mpi_t scalar, ux, uy, uz, x, y; + gcry_mpi_point_t U, Q; + int idx; + + for (idx = 0; tv[idx].curve; idx++) + { + /* P-192 is not supported in fips mode */ + if (gcry_fips_mode_active()) + { + if (!strcmp(tv[idx].curve, "NIST P-192")) + { + static int once; + if (!once) + info ("skipping %s in fips mode\n", tv[idx].curve); + once = 1; + continue; + } + if (!strcmp(tv[idx].curve, "secp256k1")) + { + static int once; + if (!once) + info ("skipping %s in fips mode\n", tv[idx].curve); + once = 1; + continue; + } + } + + err = gcry_mpi_ec_new (&ctx, NULL, tv[idx].curve); + if (err) + { + fail ("tv[%d].'%s': can't create context: %s\n", + idx, tv[idx].curve, gpg_strerror (err)); + return; + } + + if (tv[idx].ux) + ux = hex2mpi (tv[idx].ux); + else + die ("tv[%d].'%s': missing 'ux'\n", idx, tv[idx].curve); + + if (tv[idx].uy) + uy = hex2mpi (tv[idx].uy); + else + die ("tv[%d].'%s': missing 'uy'\n", idx, tv[idx].curve); + + if (tv[idx].uz) + uz = hex2mpi (tv[idx].uz); + else + uz = gcry_mpi_set_ui(NULL, 1); + + if (tv[idx].scalar) + scalar = hex2mpi (tv[idx].scalar); + else + die ("tv[%d].'%s': missing 'scalar'\n", idx, tv[idx].curve); + + U = gcry_mpi_point_new (0); + gcry_mpi_point_set (U, ux, uy, uz); + Q = gcry_mpi_point_new (0); + x = gcry_mpi_new (0); + y = gcry_mpi_new (0); + + if (!gcry_mpi_ec_curve_point (U, ctx)) + { + print_point (" U", U); + die ("tv[%d].'%s': point expected on curve but not " + "identified as such\n", idx, tv[idx].curve); + } + + gcry_mpi_ec_mul (Q, scalar, U, ctx); + + if (!gcry_mpi_ec_curve_point (Q, ctx)) + { + print_point (" Q", Q); + die ("tv[%d].'%s': point expected on curve but not " + "identified as such\n", idx, tv[idx].curve); + } + + if (gcry_mpi_ec_get_affine (x, y, Q, ctx)) + { + fail ("tv[%d].'%s': failed to get affine coordinates\n", + idx, tv[idx].curve); + return; + } + + if ((tv[idx].qx != NULL && tv[idx].qy != NULL) + && (cmp_mpihex (x, tv[idx].qx) || cmp_mpihex (y, tv[idx].qy))) + { + fail ("tv[%d].'%s': sample point multiply failed:\n", + idx, tv[idx].curve); + print_mpi (" scalar", scalar); + print_mpi (" Qx", x); + printf ("expected Qx: %s\n", tv[idx].qx); + print_mpi (" Qy", y); + printf ("expected Qy: %s\n", tv[idx].qy); + } + + gcry_mpi_release (uy); + gcry_mpi_release (ux); + gcry_mpi_release (uz); + gcry_mpi_release (scalar); + gcry_mpi_release (y); + gcry_mpi_release (x); + gcry_mpi_point_release (Q); + gcry_mpi_point_release (U); + gcry_ctx_release (ctx); + } +} + + int main (int argc, char **argv) { @@ -3610,6 +4347,7 @@ main (int argc, char **argv) basic_ec_math (); point_on_curve (); check_ec_mul (); + check_ec_mul_reduction (); /* The tests are for P-192 and ed25519 which are not supported in FIPS mode. */ |