From 771fe867ef661c3a61ab4bb9f479c9f43c5da6b0 Mon Sep 17 00:00:00 2001 From: Zhi Guan Date: Sun, 14 Apr 2024 10:20:11 +0800 Subject: [PATCH] Adjust SM9 API MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 不再将Fp, Fn上的元素视为一种类型,而是看做在sm9_z256_t类型上的特殊计算类型,同理Montgomery计算也是sm9_z256_t上的计算。通过函数名可以完全体现在sm9_z256_t上的计算类型。 于此不同的是,GF(p^2), GF(p^4), GF(p^12) 几个类型在内部完全采用Montgomery形式表示,因此sm9_z256_fp2_t等表示特殊的类型,不再区分mul和mont_mul,因为所有计算都是Montgomery上的计算。 --- include/gmssl/sm9_z256.h | 47 ++--- src/sm9_z256_alg.c | 387 ++++++++++++++++++++------------------- src/sm9_z256_key.c | 24 +-- src/sm9_z256_lib.c | 15 +- tests/sm9test.c | 98 +++++----- 5 files changed, 285 insertions(+), 286 deletions(-) diff --git a/include/gmssl/sm9_z256.h b/include/gmssl/sm9_z256.h index 4d8b203c..d9fdec50 100644 --- a/include/gmssl/sm9_z256.h +++ b/include/gmssl/sm9_z256.h 
@@ -44,33 +44,26 @@ int sm9_z256_rand_range(sm9_z256_t r, const sm9_z256_t range); void sm9_z256_print_bn(const char *prefix, const sm9_z256_t a); int sm9_z256_print(FILE *fp, int ind, int fmt, const char *label, const sm9_z256_t a); +void sm9_z256_modp_add(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b); +void sm9_z256_modp_sub(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b); +void sm9_z256_modp_dbl(sm9_z256_t r, const sm9_z256_t a); +void sm9_z256_modp_tri(sm9_z256_t r, const sm9_z256_t a); +void sm9_z256_modp_haf(sm9_z256_t r, const sm9_z256_t a); +void sm9_z256_modp_neg(sm9_z256_t r, const sm9_z256_t a); -// 从逻辑上讲,fp元素模式还是一个z256的值,需要显示的被转换为mont格式 -// 因此在计算上是需要区分mont_mul,也提供了to_mont, from_mont的计算 -// 因此这里最好不要用fp来表示,而是用modp来表示,这样逻辑更正确 +void sm9_z256_modp_to_mont(sm9_z256_t r, const sm9_z256_t a); +void sm9_z256_modp_from_mont(sm9_z256_t r, const sm9_z256_t a); +void sm9_z256_modp_mont_mul(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b); +void sm9_z256_modp_mont_sqr(sm9_z256_t r, const sm9_z256_t a); +void sm9_z256_modp_mont_pow(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t e); +void sm9_z256_modp_mont_inv(sm9_z256_t r, const sm9_z256_t a); -void sm9_z256_fp_add(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b); -void sm9_z256_fp_sub(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b); -void sm9_z256_fp_dbl(sm9_z256_t r, const sm9_z256_t a); -void sm9_z256_fp_tri(sm9_z256_t r, const sm9_z256_t a); -void sm9_z256_fp_div2(sm9_z256_t r, const sm9_z256_t a); -void sm9_z256_fp_neg(sm9_z256_t r, const sm9_z256_t a); -void sm9_z256_fp_to_mont(sm9_z256_t r, const sm9_z256_t a); -void sm9_z256_fp_from_mont(sm9_z256_t r, const sm9_z256_t a); -void sm9_z256_fp_mont_mul(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b); -void sm9_z256_fp_mont_sqr(sm9_z256_t r, const sm9_z256_t a); -void sm9_z256_fp_pow(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t e); -void sm9_z256_fp_inv(sm9_z256_t r, const sm9_z256_t a); -int 
sm9_z256_fp_rand(sm9_z256_t r); - -void sm9_z256_fn_add(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b); -void sm9_z256_fn_sub(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b); -void sm9_z256_fn_mul(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b); -void sm9_z256_fn_pow(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t e); -void sm9_z256_fn_inv(sm9_z256_t r, const sm9_z256_t a); -void sm9_z256_fn_from_hash(sm9_z256_t h, const uint8_t Ha[40]); -int sm9_z256_fn_from_bytes(sm9_z256_t a, const uint8_t in[32]); // 这个就比较特殊了,应该支持这个函数吗?我觉得不应该支持,这个太奇怪了 -int sm9_z256_fn_rand(sm9_z256_t r); +void sm9_z256_modn_add(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b); +void sm9_z256_modn_sub(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b); +void sm9_z256_modn_mul(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b); +void sm9_z256_modn_pow(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t e); +void sm9_z256_modn_inv(sm9_z256_t r, const sm9_z256_t a); +void sm9_z256_modn_from_hash(sm9_z256_t h, const uint8_t Ha[40]); // 但是在GF(p^2) @@ -105,7 +98,7 @@ void sm9_z256_fp2_sqr(sm9_z256_fp2_t r, const sm9_z256_fp2_t a); void sm9_z256_fp2_sqr_u(sm9_z256_fp2_t r, const sm9_z256_fp2_t a); void sm9_z256_fp2_inv(sm9_z256_fp2_t r, const sm9_z256_fp2_t a); void sm9_z256_fp2_div(sm9_z256_fp2_t r, const sm9_z256_fp2_t a, const sm9_z256_fp2_t b); -void sm9_z256_fp2_div2(sm9_z256_fp2_t r, const sm9_z256_fp2_t a); +void sm9_z256_fp2_haf(sm9_z256_fp2_t r, const sm9_z256_fp2_t a); typedef sm9_z256_fp2_t sm9_z256_fp4_t[2]; 
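Review bot: The new `modp_*` and `modn_*` prototypes say nothing about which representation each expects, and the removed comment block that explained the design (plain residues vs. Montgomery form, explicit `to_mont`/`from_mont`) now survives only in the commit message. A short comment above `sm9_z256_modp_to_mont` would keep that contract at the API, e.g. `/* modp_add/sub/dbl/tri/haf/neg are linear and work on plain or Montgomery residues alike; modp_mont_* expect operands converted by sm9_z256_modp_to_mont() and return Montgomery form */`. The `// 但是在GF(p^2)` fragment left at the end of the hunk is an unfinished sentence and should be completed (in English, like the new identifiers) or dropped.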
@@ -122,7 +115,7 @@ void sm9_z256_fp4_add(sm9_z256_fp4_t r, const sm9_z256_fp4_t a, const sm9_z256_f void sm9_z256_fp4_dbl(sm9_z256_fp4_t r, const sm9_z256_fp4_t a); void sm9_z256_fp4_sub(sm9_z256_fp4_t r, const sm9_z256_fp4_t a, const sm9_z256_fp4_t b); void sm9_z256_fp4_neg(sm9_z256_fp4_t r, const sm9_z256_fp4_t a); -void sm9_z256_fp4_div2(sm9_z256_fp4_t r, const sm9_z256_fp4_t a); +void sm9_z256_fp4_haf(sm9_z256_fp4_t r, const sm9_z256_fp4_t a); void sm9_z256_fp4_a_mul_v(sm9_z256_fp4_t r, sm9_z256_fp4_t a); void sm9_z256_fp4_mul(sm9_z256_fp4_t r, const sm9_z256_fp4_t a, const sm9_z256_fp4_t b); void sm9_z256_fp4_mul_fp(sm9_z256_fp4_t r, const sm9_z256_fp4_t a, const sm9_z256_t k); diff --git a/src/sm9_z256_alg.c b/src/sm9_z256_alg.c index b876080e..0c9dd3e1 100644 --- a/src/sm9_z256_alg.c +++ b/src/sm9_z256_alg.c @@ -411,7 +411,7 @@ int sm9_z512_print(FILE *fp, int ind, int fmt, const char *label, const uint64_t */ #ifndef ENABLE_SM9_Z256_ARMV8 -void sm9_z256_fp_add(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b) +void sm9_z256_modp_add(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b) { uint64_t c; c = sm9_z256_add(r, a, b); @@ -426,7 +426,7 @@ void sm9_z256_fp_add(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b) } } -void sm9_z256_fp_sub(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b) +void sm9_z256_modp_sub(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b) { uint64_t c; c = sm9_z256_sub(r, a, b); 
@@ -437,19 +437,19 @@ void sm9_z256_fp_sub(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b) } } -void sm9_z256_fp_dbl(sm9_z256_t r, const sm9_z256_t a) +void sm9_z256_modp_dbl(sm9_z256_t r, const sm9_z256_t a) { - sm9_z256_fp_add(r, a, a); + sm9_z256_modp_add(r, a, a); } -void sm9_z256_fp_tri(sm9_z256_t r, const sm9_z256_t a) +void sm9_z256_modp_tri(sm9_z256_t r, const sm9_z256_t a) { sm9_z256_t t; - sm9_z256_fp_add(t, a, a); - sm9_z256_fp_add(r, t, a); + sm9_z256_modp_add(t, a, a); + sm9_z256_modp_add(r, t, a); } -void sm9_z256_fp_div2(sm9_z256_t r, const sm9_z256_t a) +void sm9_z256_modp_haf(sm9_z256_t r, const sm9_z256_t a) { uint64_t c = 0; @@ -468,13 +468,14 @@ void sm9_z256_fp_div2(sm9_z256_t r, const sm9_z256_t a) r[3] = (r[3] >> 1) | ((c & 1) << 63); } -void sm9_z256_fp_neg(sm9_z256_t r, const sm9_z256_t a) +void sm9_z256_modp_neg(sm9_z256_t r, const sm9_z256_t a) { (void)sm9_z256_sub(r, SM9_Z256_P, a); } #endif -int sm9_z256_fp_rand(sm9_z256_t r) +/* +int sm9_z256_modp_rand(sm9_z256_t r) { if (sm9_z256_rand_range(r, SM9_Z256_P) != 1) { error_print(); @@ -483,6 +484,7 @@ int sm9_z256_fp_rand(sm9_z256_t r) return 1; } +*/ // p = b640000002a3a6f1d603ab4ff58ec74521f2934b1a7aeedbe56f9b27e351457d // p' = -p^(-1) mod 2^256 = afd2bac5558a13b3966a4b291522b137181ae39613c8dbaf892bc42c2f2ee42b @@ -505,7 +507,7 @@ const uint64_t SM9_Z256_P_LEFT_32[8] = { const uint32_t SM9_Z256_MU_32 = 0xd0d11bd5; -void sm9_z256_fp_mont_mul(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b) +void sm9_z256_modp_mont_mul(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b) { int i; uint32_t a_[8], b_[8]; @@ -658,7 +660,7 @@ static uint64_t sm9_z512_add(uint64_t r[8], const uint64_t a[8], const uint64_t // z = a*b // c = (z + (z * p' mod 2^256) * p)/2^256 -void sm9_z256_fp_mont_mul(uint64_t r[4], const uint64_t a[4], const uint64_t b[4]) +void sm9_z256_modp_mont_mul(uint64_t r[4], const uint64_t a[4], const uint64_t b[4]) { uint64_t z[8]; uint64_t t[8]; 
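Review bot: `sm9_z256_modp_rand` is kept as a `/* … */`-commented block instead of being deleted, and the same is done for `sm9_z256_modp_from_bytes` in the next sm9_z256_alg.c hunk and for the `modp_from_bytes` calls inside sm9_z256_fp2_from_bytes. Renaming identifiers inside dead code suggests it is meant to come back; if so, `#if 0` with a one-line TODO saying why is clearer, otherwise remove it and let git keep the history. The `#endif` / `#ifndef ENABLE_SM9_Z256_ARMV8` split means `sm9_z256_modp_haf` has an ARMv8 twin outside this file; its body continues past the hunk, so the rename should be checked there too.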
@@ -690,23 +692,23 @@ void sm9_z256_fp_mont_mul(uint64_t r[4], const uint64_t a[4], const uint64_t b[4 #ifndef ENABLE_SM9_Z256_ARMV8 -void sm9_z256_fp_to_mont(sm9_z256_t r, const sm9_z256_t a) +void sm9_z256_modp_to_mont(sm9_z256_t r, const sm9_z256_t a) { - sm9_z256_fp_mont_mul(r, a, SM9_Z256_MODP_2e512); + sm9_z256_modp_mont_mul(r, a, SM9_Z256_MODP_2e512); } -void sm9_z256_fp_from_mont(sm9_z256_t r, const sm9_z256_t a) +void sm9_z256_modp_from_mont(sm9_z256_t r, const sm9_z256_t a) { - sm9_z256_fp_mont_mul(r, a, SM9_Z256_ONE); + sm9_z256_modp_mont_mul(r, a, SM9_Z256_ONE); } -void sm9_z256_fp_mont_sqr(sm9_z256_t r, const sm9_z256_t a) +void sm9_z256_modp_mont_sqr(sm9_z256_t r, const sm9_z256_t a) { - sm9_z256_fp_mont_mul(r, a, a); + sm9_z256_modp_mont_mul(r, a, a); } #endif -void sm9_z256_fp_pow(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t e) +void sm9_z256_modp_mont_pow(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t e) { sm9_z256_t t; uint64_t w; @@ -718,9 +720,9 @@ void sm9_z256_fp_pow(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t e) for (i = 3; i >= 0; i--) { w = e[i]; for (j = 0; j < 64; j++) { - sm9_z256_fp_mont_sqr(t, t); + sm9_z256_modp_mont_sqr(t, t); if (w & 0x8000000000000000) { - sm9_z256_fp_mont_mul(t, t, a); + sm9_z256_modp_mont_mul(t, t, a); } w <<= 1; } 
@@ -729,18 +731,18 @@ void sm9_z256_fp_pow(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t e) sm9_z256_copy(r, t); } -void sm9_z256_fp_inv(sm9_z256_t r, const sm9_z256_t a) +void sm9_z256_modp_mont_inv(sm9_z256_t r, const sm9_z256_t a) { - sm9_z256_fp_pow(r, a, SM9_Z256_P_MINUS_TWO); + sm9_z256_modp_mont_pow(r, a, SM9_Z256_P_MINUS_TWO); } // 这个函数不合适,而且这个实现也不正确啊 // 但是对于SM9的Fp2,Fp4等而言,必须一开始就转换到Montgomery上面,因为没有 /* -int sm9_z256_fp_from_bytes(sm9_z256_t r, const uint8_t buf[32]) +int sm9_z256_modp_from_bytes(sm9_z256_t r, const uint8_t buf[32]) { sm9_z256_from_bytes(r, buf); - sm9_z256_fp_to_mont(r, r); + sm9_z256_modp_to_mont(r, r); if (sm9_z256_cmp(r, SM9_Z256_P) >= 0) { error_print(); return -1; @@ -749,14 +751,14 @@ int sm9_z256_fp_from_bytes(sm9_z256_t r, const uint8_t buf[32]) } */ -void sm9_z256_fp_to_bytes(const sm9_z256_t r, uint8_t out[32]) +void sm9_z256_modp_to_bytes(const sm9_z256_t r, uint8_t out[32]) { sm9_z256_t t; - sm9_z256_fp_from_mont(t, r); + sm9_z256_modp_from_mont(t, r); sm9_z256_to_bytes(t, out); } -int sm9_z256_fp_from_hex(sm9_z256_t r, const char hex[64]) +int sm9_z256_modp_from_hex(sm9_z256_t r, const char hex[64]) { if (sm9_z256_from_hex(r, hex) != 1) { error_print(); @@ -766,14 +768,14 @@ int sm9_z256_fp_from_hex(sm9_z256_t r, const char hex[64]) error_print(); return -1; } - sm9_z256_fp_to_mont(r, r); + sm9_z256_modp_to_mont(r, r); return 1; } -void sm9_z256_fp_to_hex(const sm9_z256_t r, char hex[64]) +void sm9_z256_modp_to_hex(const sm9_z256_t r, char hex[64]) { sm9_z256_t t; - sm9_z256_fp_from_mont(t, r); + sm9_z256_modp_from_mont(t, r); int i; for (i = 3; i >= 0; i--) { (void)sprintf(hex + 16*(3-i), "%016llx", t[i]); 
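Review bot: The `(void)sprintf(hex + 16*(3-i), "%016llx", t[i]);` line in sm9_z256_modp_to_hex writes 16 digits plus a terminating NUL, so the last iteration (i = 0, offset 48) stores hex[64], one byte past the `char hex[64]` the signature declares; through sm9_z256_fp2_to_hex's call at `hex + 65` that byte lands at hex[129] of a 129-byte buffer. The format also passes a `uint64_t` to `%llx`, which is only correct on targets where uint64_t is unsigned long long. Formatting each limb into a local buffer and copying the digits fixes both: `char limb[17];`, `(void)snprintf(limb, sizeof limb, "%016llx", (unsigned long long)t[i]);`, `memcpy(hex + 16 * (3 - i), limb, 16);` (needs string.h if not already included). The loop and the function close outside the hunk, and the same pattern is worth checking in any other `*_to_hex` helper.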
@@ -822,8 +824,11 @@ void sm9_z256_fp2_copy(sm9_z256_fp2_t r, const sm9_z256_fp2_t a) int sm9_z256_fp2_rand(sm9_z256_fp2_t r) { - if (sm9_z256_fp_rand(r[0]) != 1 - || sm9_z256_fp_rand(r[1]) != 1) { + if (sm9_z256_rand_range(r[0], SM9_Z256_P) != 1) { + error_print(); + return -1; + } + if (sm9_z256_rand_range(r[1], SM9_Z256_P) != 1) { error_print(); return -1; } @@ -832,8 +837,8 @@ int sm9_z256_fp2_rand(sm9_z256_fp2_t r) void sm9_z256_fp2_to_bytes(const sm9_z256_fp2_t a, uint8_t buf[64]) { - sm9_z256_fp_to_bytes(a[1], buf); - sm9_z256_fp_to_bytes(a[0], buf + 32); + sm9_z256_modp_to_bytes(a[1], buf); + sm9_z256_modp_to_bytes(a[0], buf + 32); } int sm9_z256_fp2_from_bytes(sm9_z256_fp2_t r, const uint8_t buf[64]) @@ -850,12 +855,12 @@ int sm9_z256_fp2_from_bytes(sm9_z256_fp2_t r, const uint8_t buf[64]) return -1; } - sm9_z256_fp_to_mont(r[1], r[1]); - sm9_z256_fp_to_mont(r[0], r[0]); + sm9_z256_modp_to_mont(r[1], r[1]); + sm9_z256_modp_to_mont(r[0], r[0]); /* - if (sm9_z256_fp_from_bytes(r[1], buf) != 1 - || sm9_z256_fp_from_bytes(r[0], buf + 32) != 1) { + if (sm9_z256_modp_from_bytes(r[1], buf) != 1 + || sm9_z256_modp_from_bytes(r[0], buf + 32) != 1) { error_print(); return -1; } @@ -865,8 +870,8 @@ int sm9_z256_fp2_from_bytes(sm9_z256_fp2_t r, const uint8_t buf[64]) int sm9_z256_fp2_from_hex(sm9_z256_fp2_t r, const char hex[129]) { - if (sm9_z256_fp_from_hex(r[1], hex) != 1 - || sm9_z256_fp_from_hex(r[0], hex + 65) != 1) { + if (sm9_z256_modp_from_hex(r[1], hex) != 1 + || sm9_z256_modp_from_hex(r[0], hex + 65) != 1) { error_print(); return -1; } 
@@ -881,47 +886,47 @@ int sm9_z256_fp2_from_hex(sm9_z256_fp2_t r, const char hex[129]) void sm9_z256_fp2_to_hex(const sm9_z256_fp2_t a, char hex[129]) { - sm9_z256_fp_to_hex(a[1], hex); + sm9_z256_modp_to_hex(a[1], hex); hex[64] = SM9_Z256_HEX_SEP; - sm9_z256_fp_to_hex(a[0], hex + 65); + sm9_z256_modp_to_hex(a[0], hex + 65); } void sm9_z256_fp2_add(sm9_z256_fp2_t r, const sm9_z256_fp2_t a, const sm9_z256_fp2_t b) { - sm9_z256_fp_add(r[0], a[0], b[0]); - sm9_z256_fp_add(r[1], a[1], b[1]); + sm9_z256_modp_add(r[0], a[0], b[0]); + sm9_z256_modp_add(r[1], a[1], b[1]); } void sm9_z256_fp2_dbl(sm9_z256_fp2_t r, const sm9_z256_fp2_t a) { - sm9_z256_fp_dbl(r[0], a[0]); - sm9_z256_fp_dbl(r[1], a[1]); + sm9_z256_modp_dbl(r[0], a[0]); + sm9_z256_modp_dbl(r[1], a[1]); } void sm9_z256_fp2_tri(sm9_z256_fp2_t r, const sm9_z256_fp2_t a) { - sm9_z256_fp_tri(r[0], a[0]); - sm9_z256_fp_tri(r[1], a[1]); + sm9_z256_modp_tri(r[0], a[0]); + sm9_z256_modp_tri(r[1], a[1]); } void sm9_z256_fp2_sub(sm9_z256_fp2_t r, const sm9_z256_fp2_t a, const sm9_z256_fp2_t b) { - sm9_z256_fp_sub(r[0], a[0], b[0]); - sm9_z256_fp_sub(r[1], a[1], b[1]); + sm9_z256_modp_sub(r[0], a[0], b[0]); + sm9_z256_modp_sub(r[1], a[1], b[1]); } void sm9_z256_fp2_neg(sm9_z256_fp2_t r, const sm9_z256_fp2_t a) { - sm9_z256_fp_neg(r[0], a[0]); - sm9_z256_fp_neg(r[1], a[1]); + sm9_z256_modp_neg(r[0], a[0]); + sm9_z256_modp_neg(r[1], a[1]); } void sm9_z256_fp2_a_mul_u(sm9_z256_fp2_t r, sm9_z256_fp2_t a) { sm9_z256_t r0; - sm9_z256_fp_dbl(r0, a[1]); - sm9_z256_fp_neg(r0, r0); + sm9_z256_modp_dbl(r0, a[1]); + sm9_z256_modp_neg(r0, r0); sm9_z256_copy(r[1], a[0]); sm9_z256_copy(r[0], r0); 
@@ -935,23 +940,23 @@ void sm9_z256_fp2_mul(sm9_z256_fp2_t r, const sm9_z256_fp2_t a, const sm9_z256_f sm9_z256_t t2; // t2 = (a0 + a1) * (b0 + b1) - sm9_z256_fp_add(t0, a[0], a[1]); - sm9_z256_fp_add(t1, b[0], b[1]); - sm9_z256_fp_mont_mul(t2, t0, t1); + sm9_z256_modp_add(t0, a[0], a[1]); + sm9_z256_modp_add(t1, b[0], b[1]); + sm9_z256_modp_mont_mul(t2, t0, t1); // t0 = a0 * b0 - sm9_z256_fp_mont_mul(t0, a[0], b[0]); + sm9_z256_modp_mont_mul(t0, a[0], b[0]); // t1 = a1 * b1 - sm9_z256_fp_mont_mul(t1, a[1], b[1]); + sm9_z256_modp_mont_mul(t1, a[1], b[1]); // r1 = t2 - t0 - t1 = a0 * b1 + a1 * b0 - sm9_z256_fp_sub(t2, t2, t0); - sm9_z256_fp_sub(t2, t2, t1); + sm9_z256_modp_sub(t2, t2, t0); + sm9_z256_modp_sub(t2, t2, t1); // r0 = t0 - 2*t1 = a0 * b0 - 2(a1 * b1) - sm9_z256_fp_dbl(t1, t1); - sm9_z256_fp_sub(t0, t0, t1); + sm9_z256_modp_dbl(t1, t1); + sm9_z256_modp_sub(t0, t0, t1); sm9_z256_copy(r[0], t0); sm9_z256_copy(r[1], t2); 
@@ -964,25 +969,25 @@ void sm9_z256_fp2_mul_u(sm9_z256_fp2_t r, const sm9_z256_fp2_t a, const sm9_z256 sm9_z256_t t2; // t2 = (a0 + a1) * (b0 + b1) - sm9_z256_fp_add(t0, a[0], a[1]); - sm9_z256_fp_add(t1, b[0], b[1]); - sm9_z256_fp_mont_mul(t2, t0, t1); + sm9_z256_modp_add(t0, a[0], a[1]); + sm9_z256_modp_add(t1, b[0], b[1]); + sm9_z256_modp_mont_mul(t2, t0, t1); // t0 = a0 * b0 - sm9_z256_fp_mont_mul(t0, a[0], b[0]); + sm9_z256_modp_mont_mul(t0, a[0], b[0]); // t1 = a1 * b1 - sm9_z256_fp_mont_mul(t1, a[1], b[1]); + sm9_z256_modp_mont_mul(t1, a[1], b[1]); // r0 = -2 *(t2 - t0 - t1) = -2 * (a0 * b1 + a1 * b0) - sm9_z256_fp_sub(t2, t2, t0); - sm9_z256_fp_sub(t2, t2, t1); - sm9_z256_fp_dbl(t2, t2); - sm9_z256_fp_neg(t2, t2); + sm9_z256_modp_sub(t2, t2, t0); + sm9_z256_modp_sub(t2, t2, t1); + sm9_z256_modp_dbl(t2, t2); + sm9_z256_modp_neg(t2, t2); // r1 = t0 - 2*t1 = a0 * b0 - 2(a1 * b1) - sm9_z256_fp_dbl(t1, t1); - sm9_z256_fp_sub(t0, t0, t1); + sm9_z256_modp_dbl(t1, t1); + sm9_z256_modp_sub(t0, t0, t1); sm9_z256_copy(r[0], t2); sm9_z256_copy(r[1], t0); @@ -990,8 +995,8 @@ void sm9_z256_fp2_mul_u(sm9_z256_fp2_t r, const sm9_z256_fp2_t a, const sm9_z256 void sm9_z256_fp2_mul_fp(sm9_z256_fp2_t r, const sm9_z256_fp2_t a, const sm9_z256_t k) { - sm9_z256_fp_mont_mul(r[0], a[0], k); - sm9_z256_fp_mont_mul(r[1], a[1], k); + sm9_z256_modp_mont_mul(r[0], a[0], k); + sm9_z256_modp_mont_mul(r[1], a[1], k); } void sm9_z256_fp2_sqr(sm9_z256_fp2_t r, const sm9_z256_fp2_t a) 
@@ -999,15 +1004,15 @@ void sm9_z256_fp2_sqr(sm9_z256_fp2_t r, const sm9_z256_fp2_t a) sm9_z256_t r0, r1, c0, c1; // r0 = (a0 + a1) * (a0 - 2a1) + a0 * a1 - sm9_z256_fp_mont_mul(r1, a[0], a[1]); - sm9_z256_fp_add(c0, a[0], a[1]); - sm9_z256_fp_dbl(c1, a[1]); - sm9_z256_fp_sub(c1, a[0], c1); - sm9_z256_fp_mont_mul(r0, c0, c1); - sm9_z256_fp_add(r0, r0, r1); + sm9_z256_modp_mont_mul(r1, a[0], a[1]); + sm9_z256_modp_add(c0, a[0], a[1]); + sm9_z256_modp_dbl(c1, a[1]); + sm9_z256_modp_sub(c1, a[0], c1); + sm9_z256_modp_mont_mul(r0, c0, c1); + sm9_z256_modp_add(r0, r0, r1); // r1 = 2 * a0 * a1 - sm9_z256_fp_dbl(r1, r1); + sm9_z256_modp_dbl(r1, r1); sm9_z256_copy(r[0], r0); sm9_z256_copy(r[1], r1); @@ -1020,23 +1025,23 @@ void sm9_z256_fp2_sqr_u(sm9_z256_fp2_t r, const sm9_z256_fp2_t a) sm9_z256_t t2; // t0 = a0 * a1 - sm9_z256_fp_mont_mul(t0, a[0], a[1]); + sm9_z256_modp_mont_mul(t0, a[0], a[1]); // t1 = a0 + a1 - sm9_z256_fp_add(t1, a[0], a[1]); + sm9_z256_modp_add(t1, a[0], a[1]); // t2 = a0 - 2*a - sm9_z256_fp_sub(t2, a[0], a[1]); - sm9_z256_fp_sub(t2, t2, a[1]); + sm9_z256_modp_sub(t2, a[0], a[1]); + sm9_z256_modp_sub(t2, t2, a[1]); // r1 = t1 * t2 + t0 - sm9_z256_fp_mont_mul(t2, t2, t1); - sm9_z256_fp_add(t2, t2, t0); + sm9_z256_modp_mont_mul(t2, t2, t1); + sm9_z256_modp_add(t2, t2, t0); // r0 = -4 * t0 - sm9_z256_fp_dbl(t0, t0); - sm9_z256_fp_dbl(t0, t0); - sm9_z256_fp_neg(t0, t0); + sm9_z256_modp_dbl(t0, t0); + sm9_z256_modp_dbl(t0, t0); + sm9_z256_modp_neg(t0, t0); sm9_z256_copy(r[0], t0); sm9_z256_copy(r[1], t2); 
@@ -1048,32 +1053,32 @@ void sm9_z256_fp2_inv(sm9_z256_fp2_t r, const sm9_z256_fp2_t a) // r0 = 0 sm9_z256_set_zero(r[0]); // r1 = -(2 * a1)^-1 - sm9_z256_fp_dbl(r[1], a[1]); - sm9_z256_fp_inv(r[1], r[1]); - sm9_z256_fp_neg(r[1], r[1]); + sm9_z256_modp_dbl(r[1], a[1]); + sm9_z256_modp_mont_inv(r[1], r[1]); + sm9_z256_modp_neg(r[1], r[1]); } else if (sm9_z256_is_zero(a[1])) { /* r1 = 0 */ sm9_z256_set_zero(r[1]); /* r0 = a0^-1 */ - sm9_z256_fp_inv(r[0], a[0]); + sm9_z256_modp_mont_inv(r[0], a[0]); } else { sm9_z256_t k, t; // k = (a[0]^2 + 2 * a[1]^2)^-1 - sm9_z256_fp_mont_sqr(k, a[0]); - sm9_z256_fp_mont_sqr(t, a[1]); - sm9_z256_fp_dbl(t, t); - sm9_z256_fp_add(k, k, t); - sm9_z256_fp_inv(k, k); + sm9_z256_modp_mont_sqr(k, a[0]); + sm9_z256_modp_mont_sqr(t, a[1]); + sm9_z256_modp_dbl(t, t); + sm9_z256_modp_add(k, k, t); + sm9_z256_modp_mont_inv(k, k); // r[0] = a[0] * k - sm9_z256_fp_mont_mul(r[0], a[0], k); + sm9_z256_modp_mont_mul(r[0], a[0], k); // r[1] = -a[1] * k - sm9_z256_fp_mont_mul(r[1], a[1], k); - sm9_z256_fp_neg(r[1], r[1]); + sm9_z256_modp_mont_mul(r[1], a[1], k); + sm9_z256_modp_neg(r[1], r[1]); } } @@ -1084,10 +1089,10 @@ void sm9_z256_fp2_div(sm9_z256_fp2_t r, const sm9_z256_fp2_t a, const sm9_z256_f sm9_z256_fp2_mul(r, a, t); } -void sm9_z256_fp2_div2(sm9_z256_fp2_t r, const sm9_z256_fp2_t a) +void sm9_z256_fp2_haf(sm9_z256_fp2_t r, const sm9_z256_fp2_t a) { - sm9_z256_fp_div2(r[0], a[0]); - sm9_z256_fp_div2(r[1], a[1]); + sm9_z256_modp_haf(r[0], a[0]); + sm9_z256_modp_haf(r[1], a[1]); } @@ -1186,10 +1191,10 @@ void sm9_z256_fp4_neg(sm9_z256_fp4_t r, const sm9_z256_fp4_t a) sm9_z256_fp2_neg(r[1], a[1]); } -void sm9_z256_fp4_div2(sm9_z256_fp4_t r, const sm9_z256_fp4_t a) +void sm9_z256_fp4_haf(sm9_z256_fp4_t r, const sm9_z256_fp4_t a) { - sm9_z256_fp2_div2(r[0], a[0]); - sm9_z256_fp2_div2(r[1], a[1]); + sm9_z256_fp2_haf(r[0], a[0]); + sm9_z256_fp2_haf(r[1], a[1]); } void sm9_z256_fp4_a_mul_v(sm9_z256_fp4_t r, sm9_z256_fp4_t a) 
@@ -1516,7 +1521,7 @@ void sm9_z256_fp12_sqr(sm9_z256_fp12_t r, const sm9_z256_fp12_t a) sm9_z256_fp4_dbl(s2, s2); sm9_z256_fp4_add(s3, s0, s1); - sm9_z256_fp4_div2(s3, s3); + sm9_z256_fp4_haf(s3, s3); sm9_z256_fp4_sub(t, s3, h1); sm9_z256_fp4_sub(h2, t, h0); @@ -1612,7 +1617,7 @@ void sm9_z256_fp12_pow(sm9_z256_fp12_t r, const sm9_z256_fp12_t a, const sm9_z25 void sm9_z256_fp2_conjugate(sm9_z256_fp2_t r, const sm9_z256_fp2_t a) { sm9_z256_copy(r[0], a[0]); - sm9_z256_fp_neg (r[1], a[1]); + sm9_z256_modp_neg (r[1], a[1]); } void sm9_z256_fp2_frobenius(sm9_z256_fp2_t r, const sm9_z256_fp2_t a) @@ -1759,8 +1764,8 @@ void sm9_z256_fp12_frobenius6(sm9_z256_fp12_t r, const sm9_z256_fp12_t x) void sm9_z256_point_from_hex(SM9_Z256_POINT *R, const char hex[65 * 2]) { - sm9_z256_fp_from_hex(R->X, hex); - sm9_z256_fp_from_hex(R->Y, hex + 65); + sm9_z256_modp_from_hex(R->X, hex); + sm9_z256_modp_from_hex(R->Y, hex + 65); sm9_z256_copy(R->Z, SM9_Z256_MODP_MONT_ONE); } 
@@ -1788,29 +1793,29 @@ void sm9_z256_point_get_xy(const SM9_Z256_POINT *P, sm9_z256_t x, sm9_z256_t y) sm9_z256_copy(y, P->Y); } - sm9_z256_fp_inv(z_inv, P->Z); + sm9_z256_modp_mont_inv(z_inv, P->Z); if (y) - sm9_z256_fp_mont_mul(y, P->Y, z_inv); - sm9_z256_fp_mont_sqr(z_inv, z_inv); - sm9_z256_fp_mont_mul(x, P->X, z_inv); + sm9_z256_modp_mont_mul(y, P->Y, z_inv); + sm9_z256_modp_mont_sqr(z_inv, z_inv); + sm9_z256_modp_mont_mul(x, P->X, z_inv); if (y) - sm9_z256_fp_mont_mul(y, y, z_inv); + sm9_z256_modp_mont_mul(y, y, z_inv); } int sm9_z256_point_equ(const SM9_Z256_POINT *P, const SM9_Z256_POINT *Q) { sm9_z256_t t1, t2, t3, t4; - sm9_z256_fp_mont_sqr(t1, P->Z); - sm9_z256_fp_mont_sqr(t2, Q->Z); - sm9_z256_fp_mont_mul(t3, P->X, t2); - sm9_z256_fp_mont_mul(t4, Q->X, t1); + sm9_z256_modp_mont_sqr(t1, P->Z); + sm9_z256_modp_mont_sqr(t2, Q->Z); + sm9_z256_modp_mont_mul(t3, P->X, t2); + sm9_z256_modp_mont_mul(t4, Q->X, t1); if (!sm9_z256_equ(t3, t4)) { return 0; } - sm9_z256_fp_mont_mul(t1, t1, P->Z); - sm9_z256_fp_mont_mul(t2, t2, Q->Z); - sm9_z256_fp_mont_mul(t3, P->Y, t2); - sm9_z256_fp_mont_mul(t4, Q->Y, t1); + sm9_z256_modp_mont_mul(t1, t1, P->Z); + sm9_z256_modp_mont_mul(t2, t2, Q->Z); + sm9_z256_modp_mont_mul(t3, P->Y, t2); + sm9_z256_modp_mont_mul(t4, Q->Y, t1); return sm9_z256_equ(t3, t4); } 
@@ -1818,19 +1823,19 @@ int sm9_z256_point_is_on_curve(const SM9_Z256_POINT *P) { sm9_z256_t t0, t1, t2; if (sm9_z256_equ(P->Z, SM9_Z256_MODP_MONT_ONE)) { - sm9_z256_fp_mont_sqr(t0, P->Y); - sm9_z256_fp_mont_sqr(t1, P->X); - sm9_z256_fp_mont_mul(t1, t1, P->X); - sm9_z256_fp_add(t1, t1, SM9_Z256_MODP_MONT_FIVE); + sm9_z256_modp_mont_sqr(t0, P->Y); + sm9_z256_modp_mont_sqr(t1, P->X); + sm9_z256_modp_mont_mul(t1, t1, P->X); + sm9_z256_modp_add(t1, t1, SM9_Z256_MODP_MONT_FIVE); } else { - sm9_z256_fp_mont_sqr(t0, P->X); - sm9_z256_fp_mont_mul(t0, t0, P->X); - sm9_z256_fp_mont_sqr(t1, P->Z); - sm9_z256_fp_mont_sqr(t2, t1); - sm9_z256_fp_mont_mul(t1, t1, t2); - sm9_z256_fp_mont_mul(t1, t1, SM9_Z256_MODP_MONT_FIVE); - sm9_z256_fp_add(t1, t0, t1); - sm9_z256_fp_mont_sqr(t0, P->Y); + sm9_z256_modp_mont_sqr(t0, P->X); + sm9_z256_modp_mont_mul(t0, t0, P->X); + sm9_z256_modp_mont_sqr(t1, P->Z); + sm9_z256_modp_mont_sqr(t2, t1); + sm9_z256_modp_mont_mul(t1, t1, t2); + sm9_z256_modp_mont_mul(t1, t1, SM9_Z256_MODP_MONT_FIVE); + sm9_z256_modp_add(t1, t0, t1); + sm9_z256_modp_mont_sqr(t0, P->Y); } if (sm9_z256_equ(t0, t1) != 1) { error_print(); 
@@ -1851,20 +1856,20 @@ void sm9_z256_point_dbl(SM9_Z256_POINT *R, const SM9_Z256_POINT *P) return; } - sm9_z256_fp_mont_sqr(T2, X1); - sm9_z256_fp_tri(T2, T2); - sm9_z256_fp_dbl(Y3, Y1); - sm9_z256_fp_mont_mul(Z3, Y3, Z1); - sm9_z256_fp_mont_sqr(Y3, Y3); - sm9_z256_fp_mont_mul(T3, Y3, X1); - sm9_z256_fp_mont_sqr(Y3, Y3); - sm9_z256_fp_div2(Y3, Y3); - sm9_z256_fp_mont_sqr(X3, T2); - sm9_z256_fp_dbl(T1, T3); - sm9_z256_fp_sub(X3, X3, T1); - sm9_z256_fp_sub(T1, T3, X3); - sm9_z256_fp_mont_mul(T1, T1, T2); - sm9_z256_fp_sub(Y3, T1, Y3); + sm9_z256_modp_mont_sqr(T2, X1); + sm9_z256_modp_tri(T2, T2); + sm9_z256_modp_dbl(Y3, Y1); + sm9_z256_modp_mont_mul(Z3, Y3, Z1); + sm9_z256_modp_mont_sqr(Y3, Y3); + sm9_z256_modp_mont_mul(T3, Y3, X1); + sm9_z256_modp_mont_sqr(Y3, Y3); + sm9_z256_modp_haf(Y3, Y3); + sm9_z256_modp_mont_sqr(X3, T2); + sm9_z256_modp_dbl(T1, T3); + sm9_z256_modp_sub(X3, X3, T1); + sm9_z256_modp_sub(T1, T3, X3); + sm9_z256_modp_mont_mul(T1, T1, T2); + sm9_z256_modp_sub(Y3, T1, Y3); sm9_z256_copy(R->X, X3); sm9_z256_copy(R->Y, Y3); @@ -1893,12 +1898,12 @@ void sm9_z256_point_add(SM9_Z256_POINT *R, const SM9_Z256_POINT *P, const SM9_Z2 return; } - sm9_z256_fp_mont_sqr(T1, Z1); - sm9_z256_fp_mont_mul(T2, T1, Z1); - sm9_z256_fp_mont_mul(T1, T1, x2); - sm9_z256_fp_mont_mul(T2, T2, y2); - sm9_z256_fp_sub(T1, T1, X1); - sm9_z256_fp_sub(T2, T2, Y1); + sm9_z256_modp_mont_sqr(T1, Z1); + sm9_z256_modp_mont_mul(T2, T1, Z1); + sm9_z256_modp_mont_mul(T1, T1, x2); + sm9_z256_modp_mont_mul(T2, T2, y2); + sm9_z256_modp_sub(T1, T1, X1); + sm9_z256_modp_sub(T2, T2, Y1); if (sm9_z256_is_zero(T1)) { if (sm9_z256_is_zero(T2)) { 
@@ -1910,18 +1915,18 @@ void sm9_z256_point_add(SM9_Z256_POINT *R, const SM9_Z256_POINT *P, const SM9_Z2 } } - sm9_z256_fp_mont_mul(Z3, Z1, T1); - sm9_z256_fp_mont_sqr(T3, T1); - sm9_z256_fp_mont_mul(T4, T3, T1); - sm9_z256_fp_mont_mul(T3, T3, X1); - sm9_z256_fp_dbl(T1, T3); - sm9_z256_fp_mont_sqr(X3, T2); - sm9_z256_fp_sub(X3, X3, T1); - sm9_z256_fp_sub(X3, X3, T4); - sm9_z256_fp_sub(T3, T3, X3); - sm9_z256_fp_mont_mul(T3, T3, T2); - sm9_z256_fp_mont_mul(T4, T4, Y1); - sm9_z256_fp_sub(Y3, T3, T4); + sm9_z256_modp_mont_mul(Z3, Z1, T1); + sm9_z256_modp_mont_sqr(T3, T1); + sm9_z256_modp_mont_mul(T4, T3, T1); + sm9_z256_modp_mont_mul(T3, T3, X1); + sm9_z256_modp_dbl(T1, T3); + sm9_z256_modp_mont_sqr(X3, T2); + sm9_z256_modp_sub(X3, X3, T1); + sm9_z256_modp_sub(X3, X3, T4); + sm9_z256_modp_sub(T3, T3, X3); + sm9_z256_modp_mont_mul(T3, T3, T2); + sm9_z256_modp_mont_mul(T4, T4, Y1); + sm9_z256_modp_sub(Y3, T3, T4); sm9_z256_copy(R->X, X3); sm9_z256_copy(R->Y, Y3); @@ -1931,7 +1936,7 @@ void sm9_z256_point_add(SM9_Z256_POINT *R, const SM9_Z256_POINT *P, const SM9_Z2 void sm9_z256_point_neg(SM9_Z256_POINT *R, const SM9_Z256_POINT *P) { sm9_z256_copy(R->X, P->X); - sm9_z256_fp_neg(R->Y, P->Y); + sm9_z256_modp_neg(R->Y, P->Y); sm9_z256_copy(R->Z, P->Z); } @@ -2186,7 +2191,7 @@ void sm9_z256_twist_point_dbl(SM9_Z256_TWIST_POINT *R, const SM9_Z256_TWIST_POIN sm9_z256_fp2_sqr(Y3, Y3); sm9_z256_fp2_mul(T3, Y3, X1); sm9_z256_fp2_sqr(Y3, Y3); - sm9_z256_fp2_div2(Y3, Y3); + sm9_z256_fp2_haf(Y3, Y3); sm9_z256_fp2_sqr(X3, T2); sm9_z256_fp2_dbl(T1, T3); sm9_z256_fp2_sub(X3, X3, T1); 
@@ -2373,11 +2378,11 @@ void sm9_z256_eval_g_tangent(sm9_z256_fp12_t num, sm9_z256_fp12_t den, const SM9 sm9_z256_fp2_mul(t0, t0, t1); sm9_z256_fp2_mul_fp(t0, t0, xQ); sm9_z256_fp2_tri(t0, t0); - sm9_z256_fp2_div2(a4, t0); + sm9_z256_fp2_haf(a4, t0); sm9_z256_fp2_mul(t1, t1, XP); sm9_z256_fp2_tri(t1, t1); - sm9_z256_fp2_div2(t1, t1); + sm9_z256_fp2_haf(t1, t1); sm9_z256_fp2_sqr(t0, YP); sm9_z256_fp2_sub(a0, t0, t1); } @@ -2583,7 +2588,7 @@ void sm9_z256_pairing(sm9_z256_fp12_t r, const SM9_Z256_TWIST_POINT *Q, const SM } -int sm9_z256_fn_rand(sm9_z256_t r) +int sm9_z256_modn_rand(sm9_z256_t r) { if (sm9_z256_rand_range(r, SM9_Z256_N) != 1) { error_print(); @@ -2595,7 +2600,7 @@ int sm9_z256_fn_rand(sm9_z256_t r) // Mont was not used for mod N -void sm9_z256_fn_add(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b) +void sm9_z256_modn_add(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b) { uint64_t c; c = sm9_z256_add(r, a, b); @@ -2610,7 +2615,7 @@ void sm9_z256_fn_add(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b) } } -void sm9_z256_fn_sub(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b) +void sm9_z256_modn_sub(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b) { uint64_t c; c = sm9_z256_sub(r, a, b); @@ -2654,7 +2659,7 @@ void sm9_z320_mul(uint64_t r[10], const uint64_t a[5], const uint64_t b[5]) const uint64_t SM9_Z256_N_BARRETT_MU[5] = {0x74df4fd4dfc97c2f, 0x9c95d85ec9c073b0, 0x55f73aebdcd1312c, 0x67980e0beb5759a6, 0x1}; -void sm9_z256_fn_mul(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b) +void sm9_z256_modn_mul(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b) { sm9_z256_t x, y; uint64_t z[8], h[10], s[8]; @@ -2699,7 +2704,7 @@ void sm9_z256_fn_mul(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t b) } } -void sm9_z256_fn_pow(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t e) +void sm9_z256_modn_pow(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t e) { sm9_z256_t t; uint64_t w; 
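Review bot: `sm9_z256_modn_rand` keeps a non-static definition here, but its prototype was dropped from sm9_z256.h (the header hunk adds the other `modn_*` declarations only) and every former caller now calls `sm9_z256_rand_range` directly, so it is an undeclared, unused external symbol (`-Wmissing-prototypes` will flag it). Either delete it together with the commented-out `sm9_z256_modp_rand`, or declare it in the header and make it the single place that enforces the `rand(1, n-1)` range the callers' comments promise. The function body continues past the hunk.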
@@ -2710,9 +2715,9 @@ void sm9_z256_fn_pow(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t e) for (i = 3; i >= 0; i--) { w = e[i]; for (j = 0; j < 64; j++) { - sm9_z256_fn_mul(t, t, t); + sm9_z256_modn_mul(t, t, t); if (w & 0x8000000000000000) { - sm9_z256_fn_mul(t, t, a); + sm9_z256_modn_mul(t, t, a); } w <<= 1; } @@ -2720,18 +2725,18 @@ void sm9_z256_fn_pow(sm9_z256_t r, const sm9_z256_t a, const sm9_z256_t e) sm9_z256_copy(r, t); } -void sm9_z256_fn_inv(sm9_z256_t r, const sm9_z256_t a) +void sm9_z256_modn_inv(sm9_z256_t r, const sm9_z256_t a) { sm9_z256_t e; sm9_z256_sub(e, SM9_Z256_N, SM9_Z256_TWO); - sm9_z256_fn_pow(r, a, e); + sm9_z256_modn_pow(r, a, e); } const sm9_z256_t SM9_Z256_N_MINUS_ONE_BARRETT_MU = {0x74df4fd4dfc97c31, 0x9c95d85ec9c073b0, 0x55f73aebdcd1312c, 0x67980e0beb5759a6}; // , 0x1}; -void sm9_z256_fn_from_hash(sm9_z256_t h, const uint8_t Ha[40]) +void sm9_z256_modn_from_hash(sm9_z256_t h, const uint8_t Ha[40]) { int i; uint64_t z[8] = {0}; @@ -2757,7 +2762,7 @@ void sm9_z256_fn_from_hash(sm9_z256_t h, const uint8_t Ha[40]) sm9_z256_mul(r, r + 5, SM9_Z256_N_MINUS_ONE); sm9_z256_sub(h, z, r); - sm9_z256_fn_add(h, h, SM9_Z256_ONE); + sm9_z256_modn_add(h, h, SM9_Z256_ONE); } int sm9_z256_point_to_uncompressed_octets(const SM9_Z256_POINT *P, uint8_t octets[65]) @@ -2766,8 +2771,8 @@ int sm9_z256_point_to_uncompressed_octets(const SM9_Z256_POINT *P, uint8_t octet sm9_z256_t y; sm9_z256_point_get_xy(P, x, y); octets[0] = 0x04; - sm9_z256_fp_to_bytes(x, octets + 1); // fp_to_bytes include from_mont - sm9_z256_fp_to_bytes(y, octets + 32 + 1); + sm9_z256_modp_to_bytes(x, octets + 1); // fp_to_bytes include from_mont + sm9_z256_modp_to_bytes(y, octets + 32 + 1); return 1; } 
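Review bot: The comment `// fp_to_bytes include from_mont` on the sm9_z256_point_to_uncompressed_octets line now names a function that no longer exists; update it to `// modp_to_bytes converts out of Montgomery form first`. sm9_z256_modn_from_hash starts outside the hunk, but its final `sm9_z256_modn_add(h, h, SM9_Z256_ONE)` is the step that makes the result non-zero and deserves a comment such as `// h = (Ha mod (n-1)) + 1, so h is in [1, n-1] as the SM9 H1/H2 definition requires`.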
@@ -2783,14 +2788,14 @@ int sm9_z256_point_from_uncompressed_octets(SM9_Z256_POINT *P, const uint8_t oct error_print(); return -1; } - sm9_z256_fp_to_mont(P->X, P->X); + sm9_z256_modp_to_mont(P->X, P->X); sm9_z256_from_bytes(P->Y, octets + 32 + 1); if (sm9_z256_cmp(P->X, SM9_Z256_P) >= 0) { error_print(); return -1; } - sm9_z256_fp_to_mont(P->Y, P->Y); + sm9_z256_modp_to_mont(P->Y, P->Y); sm9_z256_copy(P->Z, SM9_Z256_MODP_MONT_ONE); diff --git a/src/sm9_z256_key.c b/src/sm9_z256_key.c index 4cfcd4f7..6e0457f6 100644 --- a/src/sm9_z256_key.c +++ b/src/sm9_z256_key.c @@ -49,7 +49,7 @@ int sm9_z256_hash1(sm9_z256_t h1, const char *id, size_t idlen, uint8_t hid) sm3_update(&ctx, ct2, sizeof(ct2)); sm3_finish(&ctx, Ha + 32); - sm9_z256_fn_from_hash(h1, Ha); + sm9_z256_modn_from_hash(h1, Ha); return 1; } @@ -364,7 +364,7 @@ int sm9_sign_master_key_generate(SM9_SIGN_MASTER_KEY *msk) return -1; } // k = rand(1, n-1) - if (sm9_z256_fn_rand(msk->ks) != 1) { + if (sm9_z256_rand_range(msk->ks, SM9_Z256_N) != 1) { error_print(); return -1; } @@ -376,7 +376,7 @@ int sm9_sign_master_key_generate(SM9_SIGN_MASTER_KEY *msk) int sm9_enc_master_key_generate(SM9_ENC_MASTER_KEY *msk) { // k = rand(1, n-1) - if (sm9_z256_fn_rand(msk->ke) != 1) { + if (sm9_z256_rand_range(msk->ke, SM9_Z256_N) != 1) { error_print(); return -1; } @@ -391,7 +391,7 @@ int sm9_sign_master_key_extract_key(SM9_SIGN_MASTER_KEY *msk, const char *id, si // t1 = H1(ID || hid, N) + ks sm9_z256_hash1(t, id, idlen, SM9_HID_SIGN); - sm9_z256_fn_add(t, t, msk->ks); + sm9_z256_modn_add(t, t, msk->ks); if (sm9_z256_is_zero(t)) { // 这是一个严重问题,意味着整个msk都需要作废了 error_print(); @@ -399,8 +399,8 @@ int sm9_sign_master_key_extract_key(SM9_SIGN_MASTER_KEY *msk, const char *id, si } // t2 = ks * t1^-1 - sm9_z256_fn_inv(t, t); - sm9_z256_fn_mul(t, t, msk->ks); + sm9_z256_modn_inv(t, t); + sm9_z256_modn_mul(t, t, msk->ks); // ds = t2 * P1 sm9_z256_point_mul_generator(&key->ds, t); 
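Review bot: `sm9_z256_rand_range(msk->ks, SM9_Z256_N)` in sm9_sign_master_key_generate, and `msk->ke` in sm9_enc_master_key_generate just below, can as far as this diff shows return 0 — the commit's own `// FIXME: check rb != 0` in sm9_z256_lib.c says as much — while the comment promises `rand(1, n-1)`; a zero master secret turns the master public key into the identity and every extracted user key into a constant. A check belongs at each site or in a shared helper: `if (sm9_z256_rand_range(msk->ks, SM9_Z256_N) != 1 || sm9_z256_is_zero(msk->ks)) { error_print(); return -1; }` (a retry loop is the friendlier form). The same applies to the `r`, `rA` and `rB` nonces in sm9_do_sign, sm9_kem_encrypt, sm9_exch_step_1A and sm9_exch_step_1B in the sm9_z256_lib.c hunks, where only sm9_exch_step_1B received the FIXME and sm9_do_sign's `while (sm9_z256_is_zero(r))` only rejects l = 0, not r = 0.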
@@ -416,15 +416,15 @@ int sm9_enc_master_key_extract_key(SM9_ENC_MASTER_KEY *msk, const char *id, size
 // t1 = H1(ID || hid, N) + ke
 sm9_z256_hash1(t, id, idlen, SM9_HID_ENC);
- sm9_z256_fn_add(t, t, msk->ke);
+ sm9_z256_modn_add(t, t, msk->ke);
 if (sm9_z256_is_zero(t)) {
 error_print();
 return -1;
 }
 // t2 = ke * t1^-1
- sm9_z256_fn_inv(t, t);
- sm9_z256_fn_mul(t, t, msk->ke);
+ sm9_z256_modn_inv(t, t);
+ sm9_z256_modn_mul(t, t, msk->ke);
 // de = t2 * P2
 sm9_z256_twist_point_mul_generator(&key->de, t);
@@ -440,15 +440,15 @@ int sm9_exch_master_key_extract_key(SM9_EXCH_MASTER_KEY *msk, const char *id, si
 // t1 = H1(ID || hid, N) + ke
 sm9_z256_hash1(t, id, idlen, SM9_HID_EXCH);
- sm9_z256_fn_add(t, t, msk->ke);
+ sm9_z256_modn_add(t, t, msk->ke);
 if (sm9_z256_is_zero(t)) {
 error_print();
 return -1;
 }
 // t2 = ke * t1^-1
- sm9_z256_fn_inv(t, t);
- sm9_z256_fn_mul(t, t, msk->ke);
+ sm9_z256_modn_inv(t, t);
+ sm9_z256_modn_mul(t, t, msk->ke);
 // de = t2 * P2
 sm9_z256_twist_point_mul_generator(&key->de, t);
diff --git a/src/sm9_z256_lib.c b/src/sm9_z256_lib.c
index 713b1be7..a56188a1 100644
--- a/src/sm9_z256_lib.c
+++ b/src/sm9_z256_lib.c
@@ -127,7 +127,7 @@ int sm9_do_sign(const SM9_SIGN_KEY *key, const SM3_CTX *sm3_ctx, SM9_SIGNATURE *
 do {
 // A2: rand r in [1, N-1]
- if (sm9_z256_fn_rand(r) != 1) {
+ if (sm9_z256_rand_range(r, SM9_Z256_N) != 1) {
 error_print();
 return -1;
 }
@@ -146,10 +146,10 @@ int sm9_do_sign(const SM9_SIGN_KEY *key, const SM3_CTX *sm3_ctx, SM9_SIGNATURE *
 sm3_finish(&ctx, Ha);
 sm3_update(&tmp_ctx, ct2, sizeof(ct2));
 sm3_finish(&tmp_ctx, Ha + 32);
- sm9_z256_fn_from_hash(sig->h, Ha);
+ sm9_z256_modn_from_hash(sig->h, Ha);
 // A5: l = (r - h) mod N, if l = 0, goto A2
- sm9_z256_fn_sub(r, r, sig->h);
+ sm9_z256_modn_sub(r, r, sig->h);
 } while (sm9_z256_is_zero(r));
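Review bot: In step A2 of `sm9_do_sign`, `sm9_z256_rand_range(r, SM9_Z256_N)` can presumably return `r == 0` (the replaced `sm9_z256_fn_rand` name implied a `[1, N-1]` draw; `rand_range`'s body is not in this diff), and the enclosing `do { … } while (sm9_z256_is_zero(r))` loop, whose tail is in the next hunk, only rejects `l = r - h == 0`, never `r == 0`. If the rest of the loop follows the standard SM9 steps (A6, `S = [l]ds`, is outside the hunk), a zero `r` gives `l = -h mod N` with `h` published in the signature, so the holder of that one signature could recover `ds` as `l^-1 * S`; the odds are about 2^-256, but it is exactly what the `[1, N-1]` comment exists to exclude. Add `if (sm9_z256_is_zero(r)) continue;` right after the `if (… != 1)` block (in a do-while, `continue` re-evaluates the condition, which is true for `r == 0`, so the loop simply draws again), or route all these call sites through one `sm9_z256_modn_rand` that enforces the range.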
@@ -246,7 +246,7 @@ int sm9_do_verify(const SM9_SIGN_MASTER_KEY *mpk, const char *id, size_t idlen,
 sm3_finish(&ctx, Ha);
 sm3_update(&tmp_ctx, ct2, sizeof(ct2));
 sm3_finish(&tmp_ctx, Ha + 32);
- sm9_z256_fn_from_hash(h2, Ha);
+ sm9_z256_modn_from_hash(h2, Ha);
 if (sm9_z256_equ(h2, sig->h) != 1) {
 return 0;
 }
@@ -270,7 +270,7 @@ int sm9_kem_encrypt(const SM9_ENC_MASTER_KEY *mpk, const char *id, size_t idlen,
 do {
 // A2: rand r in [1, N-1]
- if (sm9_z256_fn_rand(r) != 1) {
+ if (sm9_z256_rand_range(r, SM9_Z256_N) != 1) {
 error_print();
 return -1;
 }
@@ -531,7 +531,7 @@ int sm9_exch_step_1A(const SM9_EXCH_MASTER_KEY *mpk, const char *idB, size_t idB
 sm9_z256_point_add(RA, RA, &mpk->Ppube);
 // A2: rand rA in [1, N-1]
- if (sm9_z256_fn_rand(rA) != 1) {
+ if (sm9_z256_rand_range(rA, SM9_Z256_N) != 1) {
 error_print();
 return -1;
 }
@@ -561,7 +561,8 @@ int sm9_exch_step_1B(const SM9_EXCH_MASTER_KEY *mpk, const char *idA, size_t idA
 do {
 // B2: rand rB in [1, N-1]
- if (sm9_z256_fn_rand(rB) != 1) {
+ // FIXME: check rb != 0
+ if (sm9_z256_rand_range(rB, SM9_Z256_N) != 1) {
 error_print();
 return -1;
 }
diff --git a/tests/sm9test.c b/tests/sm9test.c
index bf646f7a..b61e4793 100644
--- a/tests/sm9test.c
+++ b/tests/sm9test.c
@@ -22,7 +22,7 @@
 #define hex_fp_nsub "7271168367e4cd3397052b4ff8f19699401c4f9167fc4b8a9f64ef75bfb405a9"
 #define hex_fp_dbl "551de7a0ee24723edcf314ff72f478fac1c7c4e7044238acc3913cfbcdaf7d05"
 #define hex_fp_tri "248cdb7163e4d7e5606ac9d731a751d591b25db4f925dd9532a20de5c2de98c9"
-#define hex_fp_div2 "9df779e83d83d9c517bf85bbd4e833b289e7dfb214ecc1501cf8039cdde8d35f"
+#define hex_fp_haf "9df779e83d83d9c517bf85bbd4e833b289e7dfb214ecc1501cf8039cdde8d35f"
 #define hex_fp_neg "30910c2f8a3f9a597c884b28414d2725301567320b1c5b1790ef2f160ad0e43c"
 #define hex_fp_mul "9e4d19bb5d94a47352e6f53f4116b2a71b16a1113dc789b26528ee19f46b72e0"
 #define hex_fp_sqr "46dc2a5b8853234b341d9c57f9c4ca5709e95bbfef25356812e884e4f38cd0d6"
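Review bot: In `sm9_exch_step_1A` the draw `sm9_z256_rand_range(rA, SM9_Z256_N)` has no loop around it at all, so if `rand_range` can return zero (its body is not in this diff) a zero `rA` is used as-is and the `[1, N-1]` promise in the comment directly above is not enforced. Wrap it: `do { if (sm9_z256_rand_range(rA, SM9_Z256_N) != 1) { error_print(); return -1; } } while (sm9_z256_is_zero(rA));`. The function starts before the hunk and continues after it, so whether anything downstream rejects `rA == 0` is not visible here.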
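Review bot: The `// FIXME: check rb != 0` added above `sm9_z256_rand_range(rB, SM9_Z256_N)` should be resolved in this commit rather than left as a marker, since this is the change that retired `sm9_z256_fn_rand` and the `[1, N-1]` range its callers relied on. The call sits inside a `do {` whose condition is outside the hunk, so a bare `continue` is unsafe unless that condition is known to test `rB`; give the draw its own loop, `do { if (sm9_z256_rand_range(rB, SM9_Z256_N) != 1) { error_print(); return -1; } } while (sm9_z256_is_zero(rB));`, or better, introduce one `sm9_z256_modn_rand` that loops until non-zero so the check is not repeated at every call site this commit touches.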
@@ -57,21 +57,21 @@ int test_sm9_z256_fp() { sm9_z256_t iv = {0x0fedcba987654321, 0x123456789abcdef0, 0x0fedcba987654321, 0x123456789abcdef0}; sm9_z256_from_hex(r, hex_iv); if (sm9_z256_cmp(r, iv) != 0) goto err; ++j; - sm9_z256_fp_to_mont(x, x); - sm9_z256_fp_to_mont(y, y); + sm9_z256_modp_to_mont(x, x); + sm9_z256_modp_to_mont(y, y); - sm9_z256_fp_add(r, x, y); sm9_z256_fp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_add)) goto err; ++j; - sm9_z256_fp_sub(r, x, y); sm9_z256_fp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_sub)) goto err; ++j; - sm9_z256_fp_sub(r, y, x); sm9_z256_fp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_nsub)) goto err; ++j; - sm9_z256_fp_dbl(r, x); sm9_z256_fp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_dbl)) goto err; ++j; - sm9_z256_fp_tri(r, x); sm9_z256_fp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_tri)) goto err; ++j; - sm9_z256_fp_div2(r, x); sm9_z256_fp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_div2)) goto err; ++j; - sm9_z256_fp_neg(r, x); sm9_z256_fp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_neg)) goto err; ++j; - sm9_z256_fp_mont_mul(r, x, y); sm9_z256_fp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_mul)) goto err; ++j; - sm9_z256_fp_mont_sqr(r, x); sm9_z256_fp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_sqr)) goto err; ++j; - sm9_z256_fp_from_mont(y, y); - sm9_z256_fp_pow(r, x, y); sm9_z256_fp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_pow)) goto err; ++j; - sm9_z256_fp_inv(r, x); sm9_z256_fp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_inv)) goto err; ++j; + sm9_z256_modp_add(r, x, y); sm9_z256_modp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_add)) goto err; ++j; + sm9_z256_modp_sub(r, x, y); sm9_z256_modp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_sub)) goto err; ++j; + sm9_z256_modp_sub(r, y, x); sm9_z256_modp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_nsub)) goto err; ++j; + sm9_z256_modp_dbl(r, x); sm9_z256_modp_from_mont(r, r); if (!sm9_z256_equ_hex(r, 
hex_fp_dbl)) goto err; ++j; + sm9_z256_modp_tri(r, x); sm9_z256_modp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_tri)) goto err; ++j; + sm9_z256_modp_haf(r, x); sm9_z256_modp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_haf)) goto err; ++j; + sm9_z256_modp_neg(r, x); sm9_z256_modp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_neg)) goto err; ++j; + sm9_z256_modp_mont_mul(r, x, y); sm9_z256_modp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_mul)) goto err; ++j; + sm9_z256_modp_mont_sqr(r, x); sm9_z256_modp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_sqr)) goto err; ++j; + sm9_z256_modp_from_mont(y, y); + sm9_z256_modp_mont_pow(r, x, y); sm9_z256_modp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_pow)) goto err; ++j; + sm9_z256_modp_mont_inv(r, x); sm9_z256_modp_from_mont(r, r); if (!sm9_z256_equ_hex(r, hex_fp_inv)) goto err; ++j; printf("%s() ok\n", __FUNCTION__); return 1; 
@@ -100,12 +100,12 @@ int test_sm9_z256_fn() {
 sm9_z256_from_hex(y, hex_y); sm9_z256_t iv = {0, 0, 0, 0}; if (!sm9_z256_is_zero(iv)) goto err; ++j;
- sm9_z256_fn_add(r, x, y); if (!sm9_z256_equ_hex(r, hex_fn_add)) goto err; ++j;
- sm9_z256_fn_sub(r, x, y); if (!sm9_z256_equ_hex(r, hex_fn_sub)) goto err; ++j;
- sm9_z256_fn_sub(r, y, x); if (!sm9_z256_equ_hex(r, hex_fn_nsub)) goto err; ++j;
- sm9_z256_fn_mul(r, x, y); if (!sm9_z256_equ_hex(r, hex_fn_mul)) goto err; ++j;
- sm9_z256_fn_pow(r, x, y); if (!sm9_z256_equ_hex(r, hex_fn_pow)) goto err; ++j;
- sm9_z256_fn_inv(r, x); if (!sm9_z256_equ_hex(r, hex_fn_inv)) goto err; ++j;
+ sm9_z256_modn_add(r, x, y); if (!sm9_z256_equ_hex(r, hex_fn_add)) goto err; ++j;
+ sm9_z256_modn_sub(r, x, y); if (!sm9_z256_equ_hex(r, hex_fn_sub)) goto err; ++j;
+ sm9_z256_modn_sub(r, y, x); if (!sm9_z256_equ_hex(r, hex_fn_nsub)) goto err; ++j;
+ sm9_z256_modn_mul(r, x, y); if (!sm9_z256_equ_hex(r, hex_fn_mul)) goto err; ++j;
+ sm9_z256_modn_pow(r, x, y); if (!sm9_z256_equ_hex(r, hex_fn_pow)) goto err; ++j;
+ sm9_z256_modn_inv(r, x); if (!sm9_z256_equ_hex(r, hex_fn_inv)) goto err; ++j;
 printf("%s() ok\n", __FUNCTION__); return 1;
@@ -128,7 +128,7 @@ err: #define hex_fp2_sqr_u "16bd622a907d7a92e475ed336e8ebca2cc1e38dd2ae69aaf2a96208eba0ee06e-5b52579f25e413c717eb438cc69bc7d0e40a4518be8032dddb7e4385c8a693d4" #define hex_fp2_inv "93ceda7dddd537eb9307a06313598e650a568d931d16ab98ca0a7483c3b502e2-6face8b958e2bdc0771fd9d700f2703f881ef0d13509f16937f0a0c344647175" #define hex_fp2_div "ad68ff7c507f2d4e1cc6cd973c6b821906b9f5937a04fdedc84af1f75f97d00b-8a84a35da11d401c8dca50a572ce7a8c99e7117c45d251f57a2418613dab16bb" -#define hex_fp2_div2 "0ba84d8497422e09335d0693165f7376839b54b7d1a3e45ec2b6e3b5c275f5cb-af07946a8e30f24c1a9a8db2995b2b9bb4f126f1e0ca7b76a3c2ab66d67576a2" +#define hex_fp2_haf "0ba84d8497422e09335d0693165f7376839b54b7d1a3e45ec2b6e3b5c275f5cb-af07946a8e30f24c1a9a8db2995b2b9bb4f126f1e0ca7b76a3c2ab66d67576a2" int test_sm9_z256_fp2() { const SM9_Z256_TWIST_POINT _P2 = { @@ -158,11 +158,11 @@ int test_sm9_z256_fp2() { sm9_z256_fp2_copy(y, Ppubs->X); sm9_z256_from_hex(k, hex_iv); - sm9_z256_fp_to_mont(x[0], x[0]); - sm9_z256_fp_to_mont(x[1], x[1]); - sm9_z256_fp_to_mont(y[0], y[0]); - sm9_z256_fp_to_mont(y[1], y[1]); - sm9_z256_fp_to_mont(k, k); + sm9_z256_modp_to_mont(x[0], x[0]); + sm9_z256_modp_to_mont(x[1], x[1]); + sm9_z256_modp_to_mont(y[0], y[0]); + sm9_z256_modp_to_mont(y[1], y[1]); + sm9_z256_modp_to_mont(k, k); sm9_z256_fp2_t iv2 = {{0xf1fdd299c9bb073c, 0xd632457dd14f49a9, 0x6e492768664a2b72, 0xa39654024e243d80}, {0x0fedcba987654321, 0x123456789abcdef0, 0x0fedcba987654321, 0x123456789abcdef0}}; 
@@ -180,7 +180,7 @@ int test_sm9_z256_fp2() { sm9_z256_fp2_sqr_u(r, x); sm9_z256_fp2_from_hex(s, hex_fp2_sqr_u); if (!sm9_z256_fp2_equ(r, s)) goto err; ++j; sm9_z256_fp2_inv(r, x); sm9_z256_fp2_from_hex(s, hex_fp2_inv); if (!sm9_z256_fp2_equ(r, s)) goto err; ++j; sm9_z256_fp2_div(r, x, y); sm9_z256_fp2_from_hex(s, hex_fp2_div); if (!sm9_z256_fp2_equ(r, s)) goto err; ++j; - sm9_z256_fp2_div2(r, x); sm9_z256_fp2_from_hex(s, hex_fp2_div2); if (!sm9_z256_fp2_equ(r, s)) goto err; ++j; + sm9_z256_fp2_haf(r, x); sm9_z256_fp2_from_hex(s, hex_fp2_haf); if (!sm9_z256_fp2_equ(r, s)) goto err; ++j; printf("%s() ok\n", __FUNCTION__); return 1; @@ -253,10 +253,10 @@ int test_sm9_z256_fp4() { sm9_z256_fp2_from_hex(y[0], hex_fp2_add); sm9_z256_fp2_from_hex(y[1], hex_fp2_tri); sm9_z256_from_hex(k, hex_iv); - sm9_z256_fp_to_mont(k, k); + sm9_z256_modp_to_mont(k, k); sm9_z256_fp2_copy(q, Ppubs->X); - sm9_z256_fp_to_mont(q[0], q[0]); - sm9_z256_fp_to_mont(q[1], q[1]); + sm9_z256_modp_to_mont(q[0], q[0]); + sm9_z256_modp_to_mont(q[1], q[1]); sm9_z256_fp4_t iv4 = {{{0xf1fdd299c9bb073c, 0xd632457dd14f49a9, 0x6e492768664a2b72, 0xa39654024e243d80}, {0x0fedcba987654321, 0x123456789abcdef0, 0x0fedcba987654321, 0x123456789abcdef0}}, 
@@ -562,21 +562,21 @@ int test_sm9_z256_pairing()
 sm9_z256_t k; int j = 1;
- sm9_z256_fp_to_mont(P1->X, P1->X);
- sm9_z256_fp_to_mont(P1->Y, P1->Y);
- sm9_z256_fp_to_mont(P1->Z, P1->Z);
- sm9_z256_fp_to_mont(P2->X[0], P2->X[0]);
- sm9_z256_fp_to_mont(P2->Y[0], P2->Y[0]);
- sm9_z256_fp_to_mont(P2->Z[0], P2->Z[0]);
- sm9_z256_fp_to_mont(P2->X[1], P2->X[1]);
- sm9_z256_fp_to_mont(P2->Y[1], P2->Y[1]);
- sm9_z256_fp_to_mont(P2->Z[1], P2->Z[1]);
- sm9_z256_fp_to_mont(Ppubs->X[0], Ppubs->X[0]);
- sm9_z256_fp_to_mont(Ppubs->Y[0], Ppubs->Y[0]);
- sm9_z256_fp_to_mont(Ppubs->Z[0], Ppubs->Z[0]);
- sm9_z256_fp_to_mont(Ppubs->X[1], Ppubs->X[1]);
- sm9_z256_fp_to_mont(Ppubs->Y[1], Ppubs->Y[1]);
- sm9_z256_fp_to_mont(Ppubs->Z[1], Ppubs->Z[1]);
+ sm9_z256_modp_to_mont(P1->X, P1->X);
+ sm9_z256_modp_to_mont(P1->Y, P1->Y);
+ sm9_z256_modp_to_mont(P1->Z, P1->Z);
+ sm9_z256_modp_to_mont(P2->X[0], P2->X[0]);
+ sm9_z256_modp_to_mont(P2->Y[0], P2->Y[0]);
+ sm9_z256_modp_to_mont(P2->Z[0], P2->Z[0]);
+ sm9_z256_modp_to_mont(P2->X[1], P2->X[1]);
+ sm9_z256_modp_to_mont(P2->Y[1], P2->Y[1]);
+ sm9_z256_modp_to_mont(P2->Z[1], P2->Z[1]);
+ sm9_z256_modp_to_mont(Ppubs->X[0], Ppubs->X[0]);
+ sm9_z256_modp_to_mont(Ppubs->Y[0], Ppubs->Y[0]);
+ sm9_z256_modp_to_mont(Ppubs->Z[0], Ppubs->Z[0]);
+ sm9_z256_modp_to_mont(Ppubs->X[1], Ppubs->X[1]);
+ sm9_z256_modp_to_mont(Ppubs->Y[1], Ppubs->Y[1]);
+ sm9_z256_modp_to_mont(Ppubs->Z[1], Ppubs->Z[1]);
 sm9_z256_pairing(r, Ppubs, P1); sm9_z256_fp12_from_hex(s, hex_pairing1); if (!sm9_z256_fp12_equ(r, s)) goto err; ++j;
@@ -647,9 +647,9 @@ int test_sm9_z256_ciphertext()
 }; SM9_Z256_POINT *P1 = &_P1;
- sm9_z256_fp_to_mont(P1->X, P1->X);
- sm9_z256_fp_to_mont(P1->Y, P1->Y);
- sm9_z256_fp_to_mont(P1->Z, P1->Z);
+ sm9_z256_modp_to_mont(P1->X, P1->X);
+ sm9_z256_modp_to_mont(P1->Y, P1->Y);
+ sm9_z256_modp_to_mont(P1->Z, P1->Z);
 SM9_Z256_POINT C1; uint8_t c2[SM9_MAX_PLAINTEXT_SIZE];