ECC curves y^2 = x^3 + ax + b

.travis.yml

@@ -20,7 +20,7 @@ before_script:
   - curl http://ftp.de.debian.org/debian/pool/main/l/lcov/lcov_1.11.orig.tar.gz | tar xz
   - export PATH=$PATH:`pwd`/lcov-1.11/bin
   - curl -s https://packagecloud.io/install/repositories/libtom/packages/script.deb.sh | sudo bash
-  - sudo apt-get install libtfm-dev=0.13-5
+  - sudo apt-get install libtfm-dev=0.13-5 libtommath-dev=1.0-5
 
 matrix:
   fast_finish: true

demos/timing.c

@@ -947,28 +947,28 @@ static void time_ecc(void)
    unsigned long i, w, x, y, z;
    int           err, stat;
    static unsigned long sizes[] = {
-#ifdef LTC_ECC112
+#ifdef LTC_ECC_SECP112R1
 112/8,
 #endif
-#ifdef LTC_ECC128
+#ifdef LTC_ECC_SECP128R1
 128/8,
 #endif
-#ifdef LTC_ECC160
+#ifdef LTC_ECC_SECP160R1
 160/8,
 #endif
-#ifdef LTC_ECC192
+#ifdef LTC_ECC_SECP192R1
 192/8,
 #endif
-#ifdef LTC_ECC224
+#ifdef LTC_ECC_SECP224R1
 224/8,
 #endif
-#ifdef LTC_ECC256
+#ifdef LTC_ECC_SECP256R1
 256/8,
 #endif
-#ifdef LTC_ECC384
+#ifdef LTC_ECC_SECP384R1
 384/8,
 #endif
-#ifdef LTC_ECC521
+#ifdef LTC_ECC_SECP512R1
 521/8,
 #endif
 100000};

demos/tv_gen.c

@@ -663,7 +663,7 @@ void ecc_gen(void)
 {
    FILE         *out;
    unsigned char str[512];
-   void          *k, *order, *modulus;
+   void          *k, *order, *modulus, *a;
    ecc_point    *G, *R;
    int           x;
 
@@ -674,26 +674,28 @@ void ecc_gen(void)
    mp_init(&k);
    mp_init(&order);
    mp_init(&modulus);
+   mp_init(&a);
 
-   for (x = 0; ltc_ecc_sets[x].size != 0; x++) {
-        fprintf(out, "ECC-%d\n", ltc_ecc_sets[x].size*8);
+   for (x = 0; ltc_ecc_curves[x].prime != NULL; x++) {
+        fprintf(out, "%s\n", ltc_ecc_curves[x].OID);
         mp_set(k, 1);
 
-        mp_read_radix(order,   (char *)ltc_ecc_sets[x].order, 16);
-        mp_read_radix(modulus, (char *)ltc_ecc_sets[x].prime, 16);
-        mp_read_radix(G->x,    (char *)ltc_ecc_sets[x].Gx,    16);
-        mp_read_radix(G->y,    (char *)ltc_ecc_sets[x].Gy,    16);
+        mp_read_radix(order,   (char *)ltc_ecc_curves[x].order, 16);
+        mp_read_radix(modulus, (char *)ltc_ecc_curves[x].prime, 16);
+        mp_read_radix(a,       (char *)ltc_ecc_curves[x].A,     16);
+        mp_read_radix(G->x,    (char *)ltc_ecc_curves[x].Gx,    16);
+        mp_read_radix(G->y,    (char *)ltc_ecc_curves[x].Gy,    16);
         mp_set(G->z, 1);
 
         while (mp_cmp(k, order) == LTC_MP_LT) {
-            ltc_mp.ecc_ptmul(k, G, R, modulus, 1);
+            ltc_mp.ecc_ptmul(k, G, R, a, modulus, 1);
             mp_tohex(k,    (char*)str); fprintf(out, "%s, ", (char*)str);
             mp_tohex(R->x, (char*)str); fprintf(out, "%s, ", (char*)str);
             mp_tohex(R->y, (char*)str); fprintf(out, "%s\n", (char*)str);
             mp_mul_d(k, 3, k);
         }
    }
-   mp_clear_multi(k, order, modulus, NULL);
+   mp_clear_multi(k, order, modulus, a, NULL);
    ltc_ecc_del_point(G);
    ltc_ecc_del_point(R);
    fclose(out);

src/headers/tomcrypt_custom.h

@@ -503,14 +503,40 @@
 #ifdef LTC_MECC
 /* Supported ECC Key Sizes */
 #ifndef LTC_NO_CURVES
-   #define LTC_ECC112
-   #define LTC_ECC128
-   #define LTC_ECC160
-   #define LTC_ECC192
-   #define LTC_ECC224
-   #define LTC_ECC256
-   #define LTC_ECC384
-   #define LTC_ECC521
+   #define LTC_ECC_BRAINPOOLP160R1
+   #define LTC_ECC_BRAINPOOLP160T1
+   #define LTC_ECC_BRAINPOOLP192R1
+   #define LTC_ECC_BRAINPOOLP192T1
+   #define LTC_ECC_BRAINPOOLP224R1
+   #define LTC_ECC_BRAINPOOLP224T1
+   #define LTC_ECC_BRAINPOOLP256R1
+   #define LTC_ECC_BRAINPOOLP256T1
+   #define LTC_ECC_BRAINPOOLP320R1
+   #define LTC_ECC_BRAINPOOLP320T1
+   #define LTC_ECC_BRAINPOOLP384R1
+   #define LTC_ECC_BRAINPOOLP384T1
+   #define LTC_ECC_BRAINPOOLP512R1
+   #define LTC_ECC_BRAINPOOLP512T1
+   #define LTC_ECC_PRIME192V2
+   #define LTC_ECC_PRIME192V3
+   #define LTC_ECC_PRIME239V1
+   #define LTC_ECC_PRIME239V2
+   #define LTC_ECC_PRIME239V3
+   #define LTC_ECC_SECP112R1
+   #define LTC_ECC_SECP112R2
+   #define LTC_ECC_SECP128R1
+   #define LTC_ECC_SECP128R2
+   #define LTC_ECC_SECP160K1
+   #define LTC_ECC_SECP160R1
+   #define LTC_ECC_SECP160R2
+   #define LTC_ECC_SECP192K1
+   #define LTC_ECC_SECP192R1
+   #define LTC_ECC_SECP224K1
+   #define LTC_ECC_SECP224R1
+   #define LTC_ECC_SECP256K1
+   #define LTC_ECC_SECP256R1
+   #define LTC_ECC_SECP384R1
+   #define LTC_ECC_SECP521R1
 #endif
 #endif
 
@@ -627,6 +653,40 @@
    #endif
 #endif
 
+/* ECC backwards compatibility */
+#if !defined(LTC_ECC_SECP112R1) && defined(LTC_ECC112)
+#define LTC_ECC_SECP112R1
+#undef LTC_ECC112
+#endif
+#if !defined(LTC_ECC_SECP128R1) && defined(LTC_ECC128)
+#define LTC_ECC_SECP128R1
+#undef LTC_ECC128
+#endif
+#if !defined(LTC_ECC_SECP160R1) && defined(LTC_ECC160)
+#define LTC_ECC_SECP160R1
+#undef LTC_ECC160
+#endif
+#if !defined(LTC_ECC_SECP192R1) && defined(LTC_ECC192)
+#define LTC_ECC_SECP192R1
+#undef LTC_ECC192
+#endif
+#if !defined(LTC_ECC_SECP224R1) && defined(LTC_ECC224)
+#define LTC_ECC_SECP224R1
+#undef LTC_ECC224
+#endif
+#if !defined(LTC_ECC_SECP256R1) && defined(LTC_ECC256)
+#define LTC_ECC_SECP256R1
+#undef LTC_ECC256
+#endif
+#if !defined(LTC_ECC_SECP384R1) && defined(LTC_ECC384)
+#define LTC_ECC_SECP384R1
+#undef LTC_ECC384
+#endif
+#if !defined(LTC_ECC_SECP512R1) && defined(LTC_ECC521)
+#define LTC_ECC_SECP521R1
+#undef LTC_ECC521
+#endif
+
 /* ref:         $Format:%D$ */
 /* git commit:  $Format:%H$ */
 /* commit time: $Format:%ai$ */

src/headers/tomcrypt_math.h

@@ -246,6 +246,14 @@ typedef struct {
    */
    int (*sqr)(void *a, void *b);
 
+   /** Square root (mod prime)
+     @param a    The integer to compute square root mod prime from
+     @param b    The prime
+     @param c    The destination
+     @return CRYPT_OK on success
+   */
+   int (*sqrtmod_prime)(void *a, void *b, void *c);
+
    /** Divide an integer
      @param a    The dividend
      @param b    The divisor
@@ -366,42 +374,48 @@ typedef struct {
        @param k   The integer to multiply the point by
        @param G   The point to multiply
        @param R   The destination for kG
+       @param a   ECC curve parameter a
        @param modulus  The modulus for the field
        @param map Boolean indicated whether to map back to affine or not
                   (can be ignored if you work in affine only)
        @return CRYPT_OK on success
    */
    int (*ecc_ptmul)(     void *k,
-                    ecc_point *G,
-                    ecc_point *R,
-                         void *modulus,
-                          int  map);
+                    const ecc_point *G,
+                          ecc_point *R,
+                               void *a,
+                               void *modulus,
+                                int  map);
 
    /** ECC GF(p) point addition
        @param P    The first point
        @param Q    The second point
        @param R    The destination of P + Q
+       @param ma   The curve parameter "a" in montgomery form
        @param modulus  The modulus
        @param mp   The "b" value from montgomery_setup()
        @return CRYPT_OK on success
    */
-   int (*ecc_ptadd)(ecc_point *P,
-                    ecc_point *Q,
-                    ecc_point *R,
-                         void *modulus,
-                         void *mp);
+   int (*ecc_ptadd)(const ecc_point *P,
+                    const ecc_point *Q,
+                          ecc_point *R,
+                               void *ma,
+                               void *modulus,
+                               void *mp);
 
    /** ECC GF(p) point double
        @param P    The first point
        @param R    The destination of 2P
+       @param ma   The curve parameter "a" in montgomery form
        @param modulus  The modulus
        @param mp   The "b" value from montgomery_setup()
        @return CRYPT_OK on success
    */
-   int (*ecc_ptdbl)(ecc_point *P,
-                    ecc_point *R,
-                         void *modulus,
-                         void *mp);
+   int (*ecc_ptdbl)(const ecc_point *P,
+                          ecc_point *R,
+                               void *ma,
+                               void *modulus,
+                               void *mp);
 
    /** ECC mapping from projective to affine,
        currently uses (x,y,z) => (x/z^2, y/z^3, 1)
@@ -421,13 +435,15 @@ typedef struct {
        @param B        Second point to multiply
        @param kB       What to multiple B by
        @param C        [out] Destination point (can overlap with A or B)
+       @param ma       The curve parameter "a" in montgomery form
        @param modulus  Modulus for curve
        @return CRYPT_OK on success
    */
-   int (*ecc_mul2add)(ecc_point *A, void *kA,
-                      ecc_point *B, void *kB,
-                      ecc_point *C,
-                           void *modulus);
+   int (*ecc_mul2add)(const ecc_point *A, void *kA,
+                      const ecc_point *B, void *kB,
+                            ecc_point *C,
+                                 void *ma,
+                                 void *modulus);
 
 /* ---- (optional) rsa optimized math (for internal CRT) ---- */
 
@@ -547,6 +563,7 @@ extern const ltc_math_descriptor gmp_desc;
 #define mp_mul(a, b, c)              ltc_mp.mul(a, b, c)
 #define mp_mul_d(a, b, c)            ltc_mp.muli(a, b, c)
 #define mp_sqr(a, b)                 ltc_mp.sqr(a, b)
+#define mp_sqrtmod_prime(a, b, c)    ltc_mp.sqrtmod_prime(a, b, c)
 #define mp_div(a, b, c, d)           ltc_mp.mpdiv(a, b, c, d)
 #define mp_div_2(a, b)               ltc_mp.div_2(a, b)
 #define mp_mod(a, b, c)              ltc_mp.mpdiv(a, b, NULL, c)

src/headers/tomcrypt_pk.h

@@ -17,6 +17,10 @@ enum public_key_type {
 
    /* Indicates standard output formats that can be read e.g. by OpenSSL or GnuTLS */
    PK_STD         = 0x1000,
+   /* Indicates compressed public ECC key */
+   PK_COMPRESSED  = 0x2000,
+   /* Indicates ECC key with the curve specified by OID */
+   PK_CURVEOID    = 0x4000
 };
 
 int rand_prime(void *N, long len, prng_state *prng, int wprng);
@@ -38,6 +42,8 @@ typedef struct Oid {
 } oid_st;
 
 int pk_get_oid(int pk, oid_st *st);
+int pk_oid_str_to_num(const char *OID, unsigned long *oid, unsigned long *oidlen);
+int pk_oid_num_to_str(const unsigned long *oid, unsigned long oidlen, char *OID, unsigned long *outlen);
 #endif /* LTC_SOURCE */
 
 /* ---- RSA ---- */
@@ -252,17 +258,14 @@ int dh_check_pubkey(const dh_key *key);
 /* max private key size */
 #define ECC_MAXSIZE  66
 
-/** Structure defines a NIST GF(p) curve */
+/** Structure defines a GF(p) curve */
 typedef struct {
-   /** The size of the curve in octets */
-   int size;
-
-   /** name of curve */
-   const char *name;
-
    /** The prime that defines the field the curve is in (encoded in hex) */
    const char *prime;
 
+   /** The fields A param (hex) */
+   const char *A;
+
    /** The fields B param (hex) */
    const char *B;
 
@@ -274,7 +277,13 @@ typedef struct {
 
    /** The y co-ordinate of the base point on the curve (hex) */
    const char *Gy;
-} ltc_ecc_set_type;
+
+   /** The co-factor */
+   unsigned long cofactor;
+
+   /** The OID */
+   const char *OID;
+} ltc_ecc_curve;
 
 /** A point on a ECC curve, stored in Jacbobian format such that (x,y,z) => (x/z^2, y/z^3, 1) when interpretted as affine */
 typedef struct {
@@ -288,18 +297,36 @@ typedef struct {
     void *z;
 } ecc_point;
 
+/** ECC key's domain parameters */
+typedef struct {
+   /** The size of the curve in octets */
+   int size;
+   /** The prime that defines the field the curve is in */
+   void *prime;
+   /** The fields A param */
+   void *A;
+   /** The fields B param */
+   void *B;
+   /** The order of the curve */
+   void *order;
+   /** The base point G on the curve */
+   ecc_point base;
+   /** The co-factor */
+   unsigned long cofactor;
+   /** The OID */
+   unsigned long oid[16];
+   unsigned long oidlen;
+} ltc_ecc_dp;
+
 /** An ECC key */
 typedef struct {
     /** Type of key, PK_PRIVATE or PK_PUBLIC */
     int type;
 
-    /** Index into the ltc_ecc_sets[] for the parameters of this curve; if -1, then this key is using user supplied curve in dp */
-    int idx;
-
-    /** pointer to domain parameters; either points to NIST curves (identified by idx >= 0) or user supplied curve */
-    const ltc_ecc_set_type *dp;
+    /** Structure with domain parameters */
+    ltc_ecc_dp dp;
 
-    /** The public key */
+    /** Structure with the public key */
     ecc_point pubkey;
 
     /** The private key */
@@ -307,69 +334,90 @@ typedef struct {
 } ecc_key;
 
 /** the ECC params provided */
-extern const ltc_ecc_set_type ltc_ecc_sets[];
+extern const ltc_ecc_curve ltc_ecc_curves[];
 
 int  ecc_test(void);
 void ecc_sizes(int *low, int *high);
-int  ecc_get_size(ecc_key *key);
+int  ecc_get_size(const ecc_key *key);
+
+int  ecc_get_curve(const char* name_or_oid, const ltc_ecc_curve** cu);
+int  ecc_set_dp(const ltc_ecc_curve *cu, ecc_key *key);
+int  ecc_generate_key(prng_state *prng, int wprng, ecc_key *key);
+int  ecc_set_key(const unsigned char *in, unsigned long inlen, int type, ecc_key *key);
+int  ecc_get_key(unsigned char *out, unsigned long *outlen, int type, const ecc_key *key);
+int  ecc_get_oid_str(char *out, unsigned long *outlen, const ecc_key *key);
 
 int  ecc_make_key(prng_state *prng, int wprng, int keysize, ecc_key *key);
-int  ecc_make_key_ex(prng_state *prng, int wprng, ecc_key *key, const ltc_ecc_set_type *dp);
+int  ecc_make_key_ex(prng_state *prng, int wprng, ecc_key *key, const ltc_ecc_curve *cu);
 void ecc_free(ecc_key *key);
 
-int  ecc_export(unsigned char *out, unsigned long *outlen, int type, ecc_key *key);
+int  ecc_export(unsigned char *out, unsigned long *outlen, int type, const ecc_key *key);
 int  ecc_import(const unsigned char *in, unsigned long inlen, ecc_key *key);
-int  ecc_import_ex(const unsigned char *in, unsigned long inlen, ecc_key *key, const ltc_ecc_set_type *dp);
+int  ecc_import_ex(const unsigned char *in, unsigned long inlen, ecc_key *key, const ltc_ecc_curve *cu);
 
-int ecc_ansi_x963_export(ecc_key *key, unsigned char *out, unsigned long *outlen);
+int ecc_ansi_x963_export(const ecc_key *key, unsigned char *out, unsigned long *outlen);
 int ecc_ansi_x963_import(const unsigned char *in, unsigned long inlen, ecc_key *key);
-int ecc_ansi_x963_import_ex(const unsigned char *in, unsigned long inlen, ecc_key *key, ltc_ecc_set_type *dp);
+int ecc_ansi_x963_import_ex(const unsigned char *in, unsigned long inlen, ecc_key *key, const ltc_ecc_curve *cu);
 
-int  ecc_shared_secret(ecc_key *private_key, ecc_key *public_key,
+int  ecc_shared_secret(const ecc_key *private_key, const ecc_key *public_key,
                        unsigned char *out, unsigned long *outlen);
 
 int  ecc_encrypt_key(const unsigned char *in,   unsigned long inlen,
                            unsigned char *out,  unsigned long *outlen,
                            prng_state *prng, int wprng, int hash,
-                           ecc_key *key);
+                           const ecc_key *key);
 
 int  ecc_decrypt_key(const unsigned char *in,  unsigned long  inlen,
                            unsigned char *out, unsigned long *outlen,
-                           ecc_key *key);
+                           const ecc_key *key);
 
 int ecc_sign_hash_rfc7518(const unsigned char *in,  unsigned long inlen,
                                 unsigned char *out, unsigned long *outlen,
-                                prng_state *prng, int wprng, ecc_key *key);
+                                prng_state *prng, int wprng, const ecc_key *key);
 
 int  ecc_sign_hash(const unsigned char *in,  unsigned long inlen,
                          unsigned char *out, unsigned long *outlen,
-                         prng_state *prng, int wprng, ecc_key *key);
+                         prng_state *prng, int wprng, const ecc_key *key);
 
 int ecc_verify_hash_rfc7518(const unsigned char *sig,  unsigned long siglen,
                             const unsigned char *hash, unsigned long hashlen,
-                            int *stat, ecc_key *key);
+                            int *stat, const ecc_key *key);
 
 int  ecc_verify_hash(const unsigned char *sig,  unsigned long siglen,
                      const unsigned char *hash, unsigned long hashlen,
-                     int *stat, ecc_key *key);
+                     int *stat, const ecc_key *key);
+
+
+#ifdef LTC_SOURCE
+/* INTERNAL ONLY - it should be later moved to src/headers/tomcrypt_internal.h */
+
+int ecc_set_dp_from_mpis(void *a, void *b, void *prime, void *order, void *gx, void *gy, unsigned long cofactor, ecc_key *key);
+int ecc_copy_dp(const ecc_key *srckey, ecc_key *key);
+int ecc_set_dp_by_size(int size, ecc_key *key);
 
 /* low level functions */
 ecc_point *ltc_ecc_new_point(void);
 void       ltc_ecc_del_point(ecc_point *p);
-int        ltc_ecc_is_valid_idx(int n);
+int        ltc_ecc_set_point_xyz(ltc_mp_digit x, ltc_mp_digit y, ltc_mp_digit z, ecc_point *p);
+int        ltc_ecc_copy_point(const ecc_point *src, ecc_point *dst);
+int        ltc_ecc_is_point(const ltc_ecc_dp *dp, void *x, void *y);
+int        ltc_ecc_is_point_at_infinity(const ecc_point *P, void *modulus, int *retval);
+int        ltc_ecc_import_point(const unsigned char *in, unsigned long inlen, void *prime, void *a, void *b, void *x, void *y);
+int        ltc_ecc_export_point(unsigned char *out, unsigned long *outlen, void *x, void *y, unsigned long size, int compressed);
+int        ltc_ecc_verify_key(const ecc_key *key);
 
 /* point ops (mp == montgomery digit) */
 #if !defined(LTC_MECC_ACCEL) || defined(LTM_DESC) || defined(GMP_DESC)
 /* R = 2P */
-int ltc_ecc_projective_dbl_point(ecc_point *P, ecc_point *R, void *modulus, void *mp);
+int ltc_ecc_projective_dbl_point(const ecc_point *P, ecc_point *R, void *ma, void *modulus, void *mp);
 
 /* R = P + Q */
-int ltc_ecc_projective_add_point(ecc_point *P, ecc_point *Q, ecc_point *R, void *modulus, void *mp);
+int ltc_ecc_projective_add_point(const ecc_point *P, const ecc_point *Q, ecc_point *R, void *ma, void *modulus, void *mp);
 #endif
 
 #if defined(LTC_MECC_FP)
 /* optimized point multiplication using fixed point cache (HAC algorithm 14.117) */
-int ltc_ecc_fp_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map);
+int ltc_ecc_fp_mulmod(void *k, ecc_point *G, ecc_point *R, void *a, void *modulus, int map);
 
 /* functions for saving/loading/freeing/adding to fixed point cache */
 int ltc_ecc_fp_save_state(unsigned char **out, unsigned long *outlen);
@@ -382,20 +430,23 @@ void ltc_ecc_fp_tablelock(int lock);
 #endif
 
 /* R = kG */
-int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map);
+int ltc_ecc_mulmod(void *k, const ecc_point *G, ecc_point *R, void *a, void *modulus, int map);
 
 #ifdef LTC_ECC_SHAMIR
 /* kA*A + kB*B = C */
-int ltc_ecc_mul2add(ecc_point *A, void *kA,
-                    ecc_point *B, void *kB,
-                    ecc_point *C,
-                         void *modulus);
+int ltc_ecc_mul2add(const ecc_point *A, void *kA,
+                    const ecc_point *B, void *kB,
+                          ecc_point *C,
+                               void *ma,
+                               void *modulus);
 
 #ifdef LTC_MECC_FP
 /* Shamir's trick with optimized point multiplication using fixed point cache */
-int ltc_ecc_fp_mul2add(ecc_point *A, void *kA,
-                       ecc_point *B, void *kB,
-                       ecc_point *C, void *modulus);
+int ltc_ecc_fp_mul2add(const ecc_point *A, void *kA,
+                       const ecc_point *B, void *kB,
+                             ecc_point *C,
+                                  void *ma,
+                                  void *modulus);
 #endif
 
 #endif
@@ -404,6 +455,8 @@ int ltc_ecc_fp_mul2add(ecc_point *A, void *kA,
 /* map P to affine from projective */
 int ltc_ecc_map(ecc_point *P, void *modulus, void *mp);
 
+#endif /* LTC_SOURCE */
+
 #endif
 
 #ifdef LTC_MDSA

src/math/fp/ltc_ecc_fp_mulmod.c

@@ -668,7 +668,7 @@ static int _add_entry(int idx, ecc_point *g)
  * The algorithm builds patterns in increasing bit order by first making all
  * single bit input patterns, then all two bit input patterns and so on
  */
-static int _build_lut(int idx, void *modulus, void *mp, void *mu)
+static int _build_lut(int idx, void *a, void *modulus, void *mp, void *mu)
 {
    unsigned x, y, err, bitlen, lut_gap;
    void    *tmp;
@@ -707,7 +707,7 @@ static int _build_lut(int idx, void *modulus, void *mp, void *mu)
 
       /* now double it bitlen/FP_LUT times */
       for (y = 0; y < lut_gap; y++) {
-          if ((err = ltc_mp.ecc_ptdbl(fp_cache[idx].LUT[1<<x], fp_cache[idx].LUT[1<<x], modulus, mp)) != CRYPT_OK) {
+          if ((err = ltc_mp.ecc_ptdbl(fp_cache[idx].LUT[1<<x], fp_cache[idx].LUT[1<<x], a, modulus, mp)) != CRYPT_OK) {
              goto ERR;
           }
       }
@@ -720,7 +720,7 @@ static int _build_lut(int idx, void *modulus, void *mp, void *mu)
 
            /* perform the add */
            if ((err = ltc_mp.ecc_ptadd(fp_cache[idx].LUT[lut_orders[y].terma], fp_cache[idx].LUT[lut_orders[y].termb],
-                                       fp_cache[idx].LUT[y], modulus, mp)) != CRYPT_OK) {
+                                       fp_cache[idx].LUT[y], a, modulus, mp)) != CRYPT_OK) {
               goto ERR;
            }
        }
@@ -775,7 +775,7 @@ DONE:
 }
 
 /* perform a fixed point ECC mulmod */
-static int _accel_fp_mul(int idx, void *k, ecc_point *R, void *modulus, void *mp, int map)
+static int _accel_fp_mul(int idx, void *k, ecc_point *R, void *a, void *modulus, void *mp, int map)
 {
    unsigned char kb[128];
    int      x;
@@ -868,14 +868,14 @@ static int _accel_fp_mul(int idx, void *k, ecc_point *R, void *modulus, void *mp
 
        /* double if not first */
        if (!first) {
-          if ((err = ltc_mp.ecc_ptdbl(R, R, modulus, mp)) != CRYPT_OK) {
+          if ((err = ltc_mp.ecc_ptdbl(R, R, a, modulus, mp)) != CRYPT_OK) {
              return err;
           }
        }
 
        /* add if not first, otherwise copy */
        if (!first && z) {
-          if ((err = ltc_mp.ecc_ptadd(R, fp_cache[idx].LUT[z], R, modulus, mp)) != CRYPT_OK) {
+          if ((err = ltc_mp.ecc_ptadd(R, fp_cache[idx].LUT[z], R, a, modulus, mp)) != CRYPT_OK) {
              return err;
           }
        } else if (z) {
@@ -900,7 +900,7 @@ static int _accel_fp_mul(int idx, void *k, ecc_point *R, void *modulus, void *mp
 /* perform a fixed point ECC mulmod */
 static int _accel_fp_mul2add(int idx1, int idx2,
                             void *kA, void *kB,
-                            ecc_point *R, void *modulus, void *mp)
+                            ecc_point *R, void *a, void *modulus, void *mp)
 {
    unsigned char kb[2][128];
    int      x;
@@ -1056,7 +1056,7 @@ static int _accel_fp_mul2add(int idx1, int idx2,
 
        /* double if not first */
        if (!first) {
-          if ((err = ltc_mp.ecc_ptdbl(R, R, modulus, mp)) != CRYPT_OK) {
+          if ((err = ltc_mp.ecc_ptdbl(R, R, a, modulus, mp)) != CRYPT_OK) {
              return err;
           }
        }
@@ -1064,12 +1064,12 @@ static int _accel_fp_mul2add(int idx1, int idx2,
        /* add if not first, otherwise copy */
        if (!first) {
           if (zA) {
-             if ((err = ltc_mp.ecc_ptadd(R, fp_cache[idx1].LUT[zA], R, modulus, mp)) != CRYPT_OK) {
+             if ((err = ltc_mp.ecc_ptadd(R, fp_cache[idx1].LUT[zA], R, a, modulus, mp)) != CRYPT_OK) {
                 return err;
              }
           }
           if (zB) {
-             if ((err = ltc_mp.ecc_ptadd(R, fp_cache[idx2].LUT[zB], R, modulus, mp)) != CRYPT_OK) {
+             if ((err = ltc_mp.ecc_ptadd(R, fp_cache[idx2].LUT[zB], R, a, modulus, mp)) != CRYPT_OK) {
                 return err;
              }
           }
@@ -1082,7 +1082,7 @@ static int _accel_fp_mul2add(int idx1, int idx2,
           }
           if (zB && first == 0) {
              if (zB) {
-                if ((err = ltc_mp.ecc_ptadd(R, fp_cache[idx2].LUT[zB], R, modulus, mp)) != CRYPT_OK) {
+                if ((err = ltc_mp.ecc_ptadd(R, fp_cache[idx2].LUT[zB], R, a, modulus, mp)) != CRYPT_OK) {
                    return err;
                 }
              }
@@ -1110,7 +1110,9 @@ static int _accel_fp_mul2add(int idx1, int idx2,
 */
 int ltc_ecc_fp_mul2add(ecc_point *A, void *kA,
                        ecc_point *B, void *kB,
-                       ecc_point *C, void *modulus)
+                       ecc_point *C,
+                            void *a,
+                            void *modulus)
 {
    int  idx1, idx2, err;
    void *mp, *mu;
@@ -1166,7 +1168,7 @@ int ltc_ecc_fp_mul2add(ecc_point *A, void *kA,
          }
 
          /* build the LUT */
-         if ((err = _build_lut(idx1, modulus, mp, mu)) != CRYPT_OK) {
+         if ((err = _build_lut(idx1, a, modulus, mp, mu)) != CRYPT_OK) {
              goto LBL_ERR;;
          }
       }
@@ -1187,7 +1189,7 @@ int ltc_ecc_fp_mul2add(ecc_point *A, void *kA,
          }
 
          /* build the LUT */
-         if ((err = _build_lut(idx2, modulus, mp, mu)) != CRYPT_OK) {
+         if ((err = _build_lut(idx2, a, modulus, mp, mu)) != CRYPT_OK) {
              goto LBL_ERR;;
          }
       }
@@ -1198,9 +1200,9 @@ int ltc_ecc_fp_mul2add(ecc_point *A, void *kA,
             /* compute mp */
             if ((err = mp_montgomery_setup(modulus, &mp)) != CRYPT_OK) { goto LBL_ERR; }
          }
-         err = _accel_fp_mul2add(idx1, idx2, kA, kB, C, modulus, mp);
+         err = _accel_fp_mul2add(idx1, idx2, kA, kB, C, a, modulus, mp);
       } else {
-         err = ltc_ecc_mul2add(A, kA, B, kB, C, modulus);
+         err = ltc_ecc_mul2add(A, kA, B, kB, C, a, modulus);
       }
 LBL_ERR:
     LTC_MUTEX_UNLOCK(&ltc_ecc_fp_lock);
@@ -1218,11 +1220,12 @@ LBL_ERR:
     @param k        The multiplicand
     @param G        Base point to multiply
     @param R        [out] Destination of product
+    @param a        ECC curve parameter a
     @param modulus  The modulus for the curve
     @param map      [boolean] If non-zero maps the point back to affine co-ordinates, otherwise it's left in jacobian-montgomery form
     @return CRYPT_OK if successful
 */
-int ltc_ecc_fp_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map)
+int ltc_ecc_fp_mulmod(void *k, ecc_point *G, ecc_point *R, void *a, void *modulus, int map)
 {
    int   idx, err;
    void *mp, *mu;
@@ -1264,7 +1267,7 @@ int ltc_ecc_fp_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int ma
          }
 
          /* build the LUT */
-         if ((err = _build_lut(idx, modulus, mp, mu)) != CRYPT_OK) {
+         if ((err = _build_lut(idx, a, modulus, mp, mu)) != CRYPT_OK) {
              goto LBL_ERR;;
          }
       }
@@ -1274,9 +1277,9 @@ int ltc_ecc_fp_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int ma
             /* compute mp */
             if ((err = mp_montgomery_setup(modulus, &mp)) != CRYPT_OK) { goto LBL_ERR; }
          }
-         err = _accel_fp_mul(idx, k, R, modulus, mp, map);
+         err = _accel_fp_mul(idx, k, R, a, modulus, mp, map);
       } else {
-         err = ltc_ecc_mulmod(k, G, R, modulus, map);
+         err = ltc_ecc_mulmod(k, G, R, a, modulus, map);
       }
 LBL_ERR:
     LTC_MUTEX_UNLOCK(&ltc_ecc_fp_lock);
@@ -1363,7 +1366,7 @@ ltc_ecc_fp_add_point(ecc_point *g, void *modulus, int lock)
    }
 
    /* build the LUT */
-   if ((err = _build_lut(idx, modulus, mp, mu)) != CRYPT_OK) {
+   if ((err = _build_lut(idx, a, modulus, mp, mu)) != CRYPT_OK) {
        goto LBL_ERR;
    }
    fp_cache[idx].lru_count = 2;

src/math/gmp_desc.c

@@ -286,6 +286,119 @@ static int sqr(void *a, void *b)
    return CRYPT_OK;
 }
 
+/* sqrtmod_prime */
+static int sqrtmod_prime(void *n, void *prime, void *ret)
+{
+   int res, legendre, i;
+   mpz_t t1, C, Q, S, Z, M, T, R, two;
+
+   LTC_ARGCHK(n     != NULL);
+   LTC_ARGCHK(prime != NULL);
+   LTC_ARGCHK(ret   != NULL);
+
+   /* first handle the simple cases */
+   if (mpz_cmp_ui(((__mpz_struct *)n), 0) == 0) {
+      mpz_set_ui(ret, 0);
+      return CRYPT_OK;
+   }
+   if (mpz_cmp_ui(((__mpz_struct *)prime), 2) == 0)     return CRYPT_ERROR; /* prime must be odd */
+   legendre = mpz_legendre(n, prime);
+   if (legendre == -1)                                  return CRYPT_ERROR; /* quadratic non-residue mod prime */
+
+   mpz_init(t1); mpz_init(C); mpz_init(Q);
+   mpz_init(S);  mpz_init(Z); mpz_init(M);
+   mpz_init(T);  mpz_init(R); mpz_init(two);
+
+   /* SPECIAL CASE: if prime mod 4 == 3
+    * compute directly: res = n^(prime+1)/4 mod prime
+    * Handbook of Applied Cryptography algorithm 3.36
+    */
+   i = mpz_mod_ui(t1, prime, 4); /* t1 is ignored here */
+   if (i == 3) {
+      mpz_add_ui(t1, prime, 1);
+      mpz_fdiv_q_2exp(t1, t1, 2);
+      mpz_powm(ret, n, t1, prime);
+      res = CRYPT_OK;
+      goto cleanup;
+   }
+
+   /* NOW: Tonelli-Shanks algorithm */
+
+   /* factor out powers of 2 from prime-1, defining Q and S as: prime-1 = Q*2^S */
+   mpz_set(Q, prime);
+   mpz_sub_ui(Q, Q, 1);
+   /* Q = prime - 1 */
+   mpz_set_ui(S, 0);
+   /* S = 0 */
+   while (mpz_even_p(Q)) {
+      mpz_fdiv_q_2exp(Q, Q, 1);
+      /* Q = Q / 2 */
+      mpz_add_ui(S, S, 1);
+      /* S = S + 1 */
+   }
+
+   /* find a Z such that the Legendre symbol (Z|prime) == -1 */
+   mpz_set_ui(Z, 2);
+   /* Z = 2 */
+   while(1) {
+      legendre = mpz_legendre(Z, prime);
+      if (legendre == -1) break;
+      mpz_add_ui(Z, Z, 1);
+      /* Z = Z + 1 */
+   }
+
+   mpz_powm(C, Z, Q, prime);
+   /* C = Z ^ Q mod prime */
+   mpz_add_ui(t1, Q, 1);
+   mpz_fdiv_q_2exp(t1, t1, 1);
+   /* t1 = (Q + 1) / 2 */
+   mpz_powm(R, n, t1, prime);
+   /* R = n ^ ((Q + 1) / 2) mod prime */
+   mpz_powm(T, n, Q, prime);
+   /* T = n ^ Q mod prime */
+   mpz_set(M, S);
+   /* M = S */
+   mpz_set_ui(two, 2);
+
+   while (1) {
+      mpz_set(t1, T);
+      i = 0;
+      while (1) {
+         if (mpz_cmp_ui(((__mpz_struct *)t1), 1) == 0) break;
+         mpz_powm(t1, t1, two, prime);
+         i++;
+      }
+      if (i == 0) {
+         mpz_set(ret, R);
+         res = CRYPT_OK;
+         goto cleanup;
+      }
+      mpz_sub_ui(t1, M, i);
+      mpz_sub_ui(t1, t1, 1);
+      mpz_powm(t1, two, t1, prime);
+      /* t1 = 2 ^ (M - i - 1) */
+      mpz_powm(t1, C, t1, prime);
+      /* t1 = C ^ (2 ^ (M - i - 1)) mod prime */
+      mpz_mul(C, t1, t1);
+      mpz_mod(C, C, prime);
+      /* C = (t1 * t1) mod prime */
+      mpz_mul(R, R, t1);
+      mpz_mod(R, R, prime);
+      /* R = (R * t1) mod prime */
+      mpz_mul(T, T, C);
+      mpz_mod(T, T, prime);
+      /* T = (T * C) mod prime */
+      mpz_set_ui(M, i);
+      /* M = i */
+   }
+
+cleanup:
+   mpz_clear(t1); mpz_clear(C); mpz_clear(Q);
+   mpz_clear(S);  mpz_clear(Z); mpz_clear(M);
+   mpz_clear(T);  mpz_clear(R); mpz_clear(two);
+   return res;
+}
+
 /* div */
 static int divide(void *a, void *b, void *c, void *d)
 {
@@ -493,6 +606,7 @@ const ltc_math_descriptor gmp_desc = {
    &mul,
    &muli,
    &sqr,
+   &sqrtmod_prime,
    &divide,
    &div_2,
    &modi,

src/math/ltm_desc.c

@@ -257,6 +257,15 @@ static int sqr(void *a, void *b)
    return mpi_to_ltc_error(mp_sqr(a, b));
 }
 
+/* sqrtmod_prime */
+static int sqrtmod_prime(void *a, void *b, void *c)
+{
+   LTC_ARGCHK(a != NULL);
+   LTC_ARGCHK(b != NULL);
+   LTC_ARGCHK(c != NULL);
+   return mpi_to_ltc_error(mp_sqrtmod_prime(a, b, c));
+}
+
 /* div */
 static int divide(void *a, void *b, void *c, void *d)
 {
@@ -452,6 +461,7 @@ const ltc_math_descriptor ltm_desc = {
    &mul,
    &muli,
    &sqr,
+   &sqrtmod_prime,
    &divide,
    &div_2,
    &modi,

src/math/rand_bn.c

@@ -8,7 +8,7 @@
  */
 #include "tomcrypt.h"
 
-#ifdef LTC_MDSA
+#if defined(LTC_MDSA) || defined(LTC_MECC)
 /**
   Generate a random number N with given bitlength (note: MSB can be 0)
 */

src/math/tfm_desc.c

@@ -265,6 +265,8 @@ static int sqr(void *a, void *b)
    return CRYPT_OK;
 }
 
+/* sqrtmod_prime - NOT SUPPORTED */
+
 /* div */
 static int divide(void *a, void *b, void *c, void *d)
 {
@@ -424,10 +426,11 @@ static int isprime(void *a, int b, int *c)
 
 #if defined(LTC_MECC) && defined(LTC_MECC_ACCEL)
 
-static int tfm_ecc_projective_dbl_point(ecc_point *P, ecc_point *R, void *modulus, void *Mp)
+static int tfm_ecc_projective_dbl_point(const ecc_point *P, ecc_point *R, void *ma, void *modulus, void *Mp)
 {
    fp_int t1, t2;
    fp_digit mp;
+   int err, inf;
 
    LTC_ARGCHK(P       != NULL);
    LTC_ARGCHK(R       != NULL);
@@ -445,6 +448,15 @@ static int tfm_ecc_projective_dbl_point(ecc_point *P, ecc_point *R, void *modulu
       fp_copy(P->z, R->z);
    }
 
+   if ((err = ltc_ecc_is_point_at_infinity(P, modulus, &inf)) != CRYPT_OK) return err;
+   if (inf) {
+      /* if P is point at infinity >> Result = point at infinity */
+      ltc_mp.set_int(R->x, 1);
+      ltc_mp.set_int(R->y, 1);
+      ltc_mp.set_int(R->z, 0);
+      return CRYPT_OK;
+   }
+
    /* t1 = Z * Z */
    fp_sqr(R->z, &t1);
    fp_montgomery_reduce(&t1, modulus, mp);
@@ -457,28 +469,56 @@ static int tfm_ecc_projective_dbl_point(ecc_point *P, ecc_point *R, void *modulu
       fp_sub(R->z, modulus, R->z);
    }
 
-   /* &t2 = X - T1 */
-   fp_sub(R->x, &t1, &t2);
-   if (fp_cmp_d(&t2, 0) == FP_LT) {
-      fp_add(&t2, modulus, &t2);
-   }
-   /* T1 = X + T1 */
-   fp_add(&t1, R->x, &t1);
-   if (fp_cmp(&t1, modulus) != FP_LT) {
-      fp_sub(&t1, modulus, &t1);
-   }
-   /* T2 = T1 * T2 */
-   fp_mul(&t1, &t2, &t2);
-   fp_montgomery_reduce(&t2, modulus, mp);
-   /* T1 = 2T2 */
-   fp_add(&t2, &t2, &t1);
-   if (fp_cmp(&t1, modulus) != FP_LT) {
-      fp_sub(&t1, modulus, &t1);
-   }
-   /* T1 = T1 + T2 */
-   fp_add(&t1, &t2, &t1);
-   if (fp_cmp(&t1, modulus) != FP_LT) {
-      fp_sub(&t1, modulus, &t1);
+   if (ma == NULL) { /* special case for curves with a == -3 (10% faster than general case) */
+      /* T2 = X - T1 */
+      fp_sub(R->x, &t1, &t2);
+      if (fp_cmp_d(&t2, 0) == LTC_MP_LT) {
+         fp_add(&t2, modulus, &t2);
+      }
+      /* T1 = X + T1 */
+      fp_add(&t1, R->x, &t1);
+      if (fp_cmp(&t1, modulus) != FP_LT) {
+         fp_sub(&t1, modulus, &t1);
+      }
+      /* T2 = T1 * T2 */
+      fp_mul(&t1, &t2, &t2);
+      fp_montgomery_reduce(&t2, modulus, mp);
+      /* T1 = 2T2 */
+      fp_add(&t2, &t2, &t1);
+      if (fp_cmp(&t1, modulus) != FP_LT) {
+         fp_sub(&t1, modulus, &t1);
+      }
+      /* T1 = T1 + T2 */
+      fp_add(&t1, &t2, &t1);
+      if (fp_cmp(&t1, modulus) != FP_LT) {
+         fp_sub(&t1, modulus, &t1);
+      }
+   }
+   else {
+      /* T2 = T1 * T1 */
+      fp_sqr(&t1, &t2);
+      fp_montgomery_reduce(&t2, modulus, mp);
+      /* T1 = T2 * a */
+      fp_mul(&t2, ma, &t1);
+      fp_montgomery_reduce(&t1, modulus, mp);
+      /* T2 = X * X */
+      fp_sqr(R->x, &t2);
+      fp_montgomery_reduce(&t2, modulus, mp);
+      /* T1 = T1 + T2 */
+      fp_add(&t1, &t2, &t1);
+      if (fp_cmp(&t1, modulus) != FP_LT) {
+         fp_sub(&t1, modulus, &t1);
+      }
+      /* T1 = T1 + T2 */
+      fp_add(&t1, &t2, &t1);
+      if (fp_cmp(&t1, modulus) != FP_LT) {
+         fp_sub(&t1, modulus, &t1);
+      }
+      /* T1 = T1 + T2 */
+      fp_add(&t1, &t2, &t1);
+      if (fp_cmp(&t1, modulus) != FP_LT) {
+         fp_sub(&t1, modulus, &t1);
+      }
    }
 
    /* Y = 2Y */
@@ -541,10 +581,11 @@ static int tfm_ecc_projective_dbl_point(ecc_point *P, ecc_point *R, void *modulu
    @param Mp       The "b" value from montgomery_setup()
    @return CRYPT_OK on success
 */
-static int tfm_ecc_projective_add_point(ecc_point *P, ecc_point *Q, ecc_point *R, void *modulus, void *Mp)
+static int tfm_ecc_projective_add_point(const ecc_point *P, const ecc_point *Q, ecc_point *R, void *ma, void *modulus, void *Mp)
 {
    fp_int  t1, t2, x, y, z;
    fp_digit mp;
+   int err, inf;
 
    LTC_ARGCHK(P       != NULL);
    LTC_ARGCHK(Q       != NULL);
@@ -560,12 +601,30 @@ static int tfm_ecc_projective_add_point(ecc_point *P, ecc_point *Q, ecc_point *R
    fp_init(&y);
    fp_init(&z);
 
+   if ((err = ltc_ecc_is_point_at_infinity(P, modulus, &inf)) != CRYPT_OK) return err;
+   if (inf) {
+      /* P is point at infinity >> Result = Q */
+      ltc_mp.copy(Q->x, R->x);
+      ltc_mp.copy(Q->y, R->y);
+      ltc_mp.copy(Q->z, R->z);
+      return CRYPT_OK;
+   }
+
+   if ((err = ltc_ecc_is_point_at_infinity(Q, modulus, &inf)) != CRYPT_OK) return err;
+   if (inf) {
+      /* Q is point at infinity >> Result = P */
+      ltc_mp.copy(P->x, R->x);
+      ltc_mp.copy(P->y, R->y);
+      ltc_mp.copy(P->z, R->z);
+      return CRYPT_OK;
+   }
+
    /* should we dbl instead? */
    fp_sub(modulus, Q->y, &t1);
    if ( (fp_cmp(P->x, Q->x) == FP_EQ) &&
         (Q->z != NULL && fp_cmp(P->z, Q->z) == FP_EQ) &&
         (fp_cmp(P->y, Q->y) == FP_EQ || fp_cmp(P->y, &t1) == FP_EQ)) {
-        return tfm_ecc_projective_dbl_point(P, R, modulus, Mp);
+        return tfm_ecc_projective_dbl_point(P, R, ma, modulus, Mp);
    }
 
    fp_copy(P->x, &x);
@@ -741,6 +800,7 @@ const ltc_math_descriptor tfm_desc = {
    &mul,
    &muli,
    &sqr,
+   NULL, /* TODO: &sqrtmod_prime */
    &divide,
    &div_2,
    &modi,

src/misc/crypt/crypt_sizes.c

@@ -245,7 +245,7 @@ static const crypt_size _crypt_sizes[] = {
     _SZ_STRINGIFY_T(dh_key),
 #endif
 #ifdef LTC_MECC
-    _SZ_STRINGIFY_T(ltc_ecc_set_type),
+    _SZ_STRINGIFY_T(ltc_ecc_curve),
     _SZ_STRINGIFY_T(ecc_point),
     _SZ_STRINGIFY_T(ecc_key),
 #endif

src/misc/pk_oid_str.c

@@ -0,0 +1,82 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+int pk_oid_str_to_num(const char *OID, unsigned long *oid, unsigned long *oidlen)
+{
+   unsigned long i, j, limit;
+
+   LTC_ARGCHK(oid != NULL);
+   LTC_ARGCHK(oidlen != NULL);
+
+   limit = *oidlen;
+   *oidlen = 0; /* make sure that we return zero oidlen on error */
+   for (i = 0; i < limit; i++) oid[i] = 0;
+
+   if ((OID == NULL) || (strlen(OID) == 0)) return CRYPT_OK;
+
+   for (i = 0, j = 0; i < strlen(OID); i++) {
+      if (OID[i] == '.') {
+         if (++j >= limit) return CRYPT_ERROR;
+      }
+      else if ((OID[i] >= '0') && (OID[i] <= '9')) {
+         oid[j] = oid[j] * 10 + (OID[i] - '0');
+      }
+      else {
+         return CRYPT_ERROR;
+      }
+   }
+   if (j == 0) return CRYPT_ERROR;
+   *oidlen = j + 1;
+   return CRYPT_OK;
+}
+
+int pk_oid_num_to_str(const unsigned long *oid, unsigned long oidlen, char *OID, unsigned long *outlen)
+{
+   int i;
+   unsigned long j, k;
+   char tmp[256] = { 0 };
+   unsigned long tmpsz = sizeof(tmp);
+
+   LTC_ARGCHK(oid != NULL);
+   LTC_ARGCHK(OID != NULL);
+   LTC_ARGCHK(outlen != NULL);
+
+   for (i = oidlen - 1, k = 0; i >= 0; i--) {
+      j = oid[i];
+      if (j == 0) {
+         tmp[k] = '0';
+         if (++k >= tmpsz) return CRYPT_ERROR;
+      }
+      else {
+         while (j > 0) {
+            tmp[k] = '0' + (j % 10);
+            if (++k >= tmpsz) return CRYPT_ERROR;
+            j /= 10;
+         }
+      }
+      if (i > 0) {
+        tmp[k] = '.';
+        if (++k >= tmpsz) return CRYPT_ERROR;
+      }
+   }
+   if (*outlen < k + 1) {
+      *outlen = k + 1;
+      return CRYPT_BUFFER_OVERFLOW;
+   }
+   for (j = 0; j < k; j++) OID[j] = tmp[k - j - 1];
+   OID[k] = '\0';
+   *outlen = k; /* the length without terminating NUL byte */
+   return CRYPT_OK;
+}
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/ecc/ecc.c

@@ -7,11 +7,6 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
 /**
@@ -21,99 +16,424 @@
 
 #ifdef LTC_MECC
 
-/* This holds the key settings.  ***MUST*** be organized by size from smallest to largest. */
-const ltc_ecc_set_type ltc_ecc_sets[] = {
-#ifdef LTC_ECC112
+/* This array holds the curve parameters.
+ * Curves (prime field only) are taken from:
+ *   - http://www.secg.org/collateral/sec2_final.pdf (named: SECP*)
+ *   - http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf (named: NISTP*)
+ *   - ANS X9.62 (named: PRIMEP*)
+ *   - http://www.ecc-brainpool.org/download/Domain-parameters.pdf (named: BRAINPOOLP*)
+ */
+const ltc_ecc_curve ltc_ecc_curves[] = {
+#ifdef LTC_ECC_SECP112R1
+{
+   /* prime    */ "DB7C2ABF62E35E668076BEAD208B",
+   /* A        */ "DB7C2ABF62E35E668076BEAD2088",
+   /* B        */ "659EF8BA043916EEDE8911702B22",
+   /* order    */ "DB7C2ABF62E35E7628DFAC6561C5",
+   /* Gx       */ "09487239995A5EE76B55F9C2F098",
+   /* Gy       */ "A89CE5AF8724C0A23E0E0FF77500",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.132.0.6"
+},
+#endif
+#ifdef LTC_ECC_SECP112R2
+{
+   /* prime    */ "DB7C2ABF62E35E668076BEAD208B",
+   /* A        */ "6127C24C05F38A0AAAF65C0EF02C",
+   /* B        */ "51DEF1815DB5ED74FCC34C85D709",
+   /* order    */ "36DF0AAFD8B8D7597CA10520D04B",
+   /* Gx       */ "4BA30AB5E892B4E1649DD0928643",
+   /* Gy       */ "ADCD46F5882E3747DEF36E956E97",
+   /* cofactor */ 4,
+   /* OID      */ "1.3.132.0.7"
+},
+#endif
+#ifdef LTC_ECC_SECP128R1
+{
+   /* prime    */ "FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFF",
+   /* A        */ "FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFC",
+   /* B        */ "E87579C11079F43DD824993C2CEE5ED3",
+   /* order    */ "FFFFFFFE0000000075A30D1B9038A115",
+   /* Gx       */ "161FF7528B899B2D0C28607CA52C5B86",
+   /* Gy       */ "CF5AC8395BAFEB13C02DA292DDED7A83",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.132.0.28"
+},
+#endif
+#ifdef LTC_ECC_SECP128R2
+{
+   /* prime    */ "FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFF",
+   /* A        */ "D6031998D1B3BBFEBF59CC9BBFF9AEE1",
+   /* B        */ "5EEEFCA380D02919DC2C6558BB6D8A5D",
+   /* order    */ "3FFFFFFF7FFFFFFFBE0024720613B5A3",
+   /* Gx       */ "7B6AA5D85E572983E6FB32A7CDEBC140",
+   /* Gy       */ "27B6916A894D3AEE7106FE805FC34B44",
+   /* cofactor */ 4,
+   /* OID      */ "1.3.132.0.29"
+},
+#endif
+#ifdef LTC_ECC_SECP160R1
+{
+   /* prime    */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF",
+   /* A        */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC",
+   /* B        */ "1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45",
+   /* order    */ "0100000000000000000001F4C8F927AED3CA752257",
+   /* Gx       */ "4A96B5688EF573284664698968C38BB913CBFC82",
+   /* Gy       */ "23A628553168947D59DCC912042351377AC5FB32",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.132.0.8"
+},
+#endif
+#ifdef LTC_ECC_SECP160R2
+{
+   /* prime    */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73",
+   /* A        */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC70",
+   /* B        */ "B4E134D3FB59EB8BAB57274904664D5AF50388BA",
+   /* order    */ "0100000000000000000000351EE786A818F3A1A16B",
+   /* Gx       */ "52DCB034293A117E1F4FF11B30F7199D3144CE6D",
+   /* Gy       */ "FEAFFEF2E331F296E071FA0DF9982CFEA7D43F2E",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.132.0.30"
+},
+#endif
+#ifdef LTC_ECC_SECP160K1
+{
+   /* prime    */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFAC73",
+   /* A        */ "0000000000000000000000000000000000000000",
+   /* B        */ "0000000000000000000000000000000000000007",
+   /* order    */ "0100000000000000000001B8FA16DFAB9ACA16B6B3",
+   /* Gx       */ "3B4C382CE37AA192A4019E763036F4F5DD4D7EBB",
+   /* Gy       */ "938CF935318FDCED6BC28286531733C3F03C4FEE",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.132.0.9"
+},
+#endif
+#ifdef LTC_ECC_SECP192R1
+{
+   /* prime    */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
+   /* A        */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC",
+   /* B        */ "64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1",
+   /* order    */ "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831",
+   /* Gx       */ "188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012",
+   /* Gy       */ "07192B95FFC8DA78631011ED6B24CDD573F977A11E794811",
+   /* cofactor */ 1,
+   /* OID      */ "1.2.840.10045.3.1.1"
+},
+#endif
+#ifdef LTC_ECC_PRIME192V2
+{
+   /* prime    */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
+   /* A        */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC",
+   /* B        */ "CC22D6DFB95C6B25E49C0D6364A4E5980C393AA21668D953",
+   /* order    */ "FFFFFFFFFFFFFFFFFFFFFFFE5FB1A724DC80418648D8DD31",
+   /* Gx       */ "EEA2BAE7E1497842F2DE7769CFE9C989C072AD696F48034A",
+   /* Gy       */ "6574D11D69B6EC7A672BB82A083DF2F2B0847DE970B2DE15",
+   /* cofactor */ 1,
+   /* OID      */ "1.2.840.10045.3.1.2"
+},
+#endif
+#ifdef LTC_ECC_PRIME192V3
+{
+   /* prime    */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
+   /* A        */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC",
+   /* B        */ "22123DC2395A05CAA7423DAECCC94760A7D462256BD56916",
+   /* order    */ "FFFFFFFFFFFFFFFFFFFFFFFF7A62D031C83F4294F640EC13",
+   /* Gx       */ "7D29778100C65A1DA1783716588DCE2B8B4AEE8E228F1896",
+   /* Gy       */ "38A90F22637337334B49DCB66A6DC8F9978ACA7648A943B0",
+   /* cofactor */ 1,
+   /* OID      */ "1.2.840.10045.3.1.3"
+},
+#endif
+#ifdef LTC_ECC_SECP192K1
+{
+   /* prime    */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37",
+   /* A        */ "000000000000000000000000000000000000000000000000",
+   /* B        */ "000000000000000000000000000000000000000000000003",
+   /* order    */ "FFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D",
+   /* Gx       */ "DB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D",
+   /* Gy       */ "9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.132.0.31"
+},
+#endif
+#ifdef LTC_ECC_SECP224R1
+{
+   /* prime    */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
+   /* A        */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE",
+   /* B        */ "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
+   /* order    */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D",
+   /* Gx       */ "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
+   /* Gy       */ "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.132.0.33"
+},
+#endif
+#ifdef LTC_ECC_SECP224K1
+{
+   /* prime    */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFE56D",
+   /* A        */ "00000000000000000000000000000000000000000000000000000000",
+   /* B        */ "00000000000000000000000000000000000000000000000000000005",
+   /* order    */ "010000000000000000000000000001DCE8D2EC6184CAF0A971769FB1F7",
+   /* Gx       */ "A1455B334DF099DF30FC28A169A467E9E47075A90F7E650EB6B7A45C",
+   /* Gy       */ "7E089FED7FBA344282CAFBD6F7E319F7C0B0BD59E2CA4BDB556D61A5",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.132.0.32"
+},
+#endif
+#ifdef LTC_ECC_SECP256R1
+{
+   /* prime    */ "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF",
+   /* A        */ "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC",
+   /* B        */ "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B",
+   /* order    */ "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551",
+   /* Gx       */ "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296",
+   /* Gy       */ "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5",
+   /* cofactor */ 1,
+   /* OID      */ "1.2.840.10045.3.1.7"
+},
+#endif
+#ifdef LTC_ECC_SECP256K1
+{
+   /* prime    */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F",
+   /* A        */ "0000000000000000000000000000000000000000000000000000000000000000",
+   /* B        */ "0000000000000000000000000000000000000000000000000000000000000007",
+   /* order    */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141",
+   /* Gx       */ "79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798",
+   /* Gy       */ "483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.132.0.10"
+},
+#endif
+#ifdef LTC_ECC_SECP384R1
+{
+   /* prime    */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF",
+   /* A        */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC",
+   /* B        */ "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF",
+   /* order    */ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973",
+   /* Gx       */ "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7",
+   /* Gy       */ "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.132.0.34"
+},
+#endif
+#ifdef LTC_ECC_SECP521R1
+{
+   /* prime    */ "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
+   /* A        */ "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC",
+   /* B        */ "0051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00",
+   /* order    */ "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
+   /* Gx       */ "00C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66",
+   /* Gy       */ "011839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.132.0.35"
+},
+#endif
+#ifdef LTC_ECC_PRIME239V1
+{
+   /* prime    */ "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF",
+   /* A        */ "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC",
+   /* B        */ "6B016C3BDCF18941D0D654921475CA71A9DB2FB27D1D37796185C2942C0A",
+   /* order    */ "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF9E5E9A9F5D9071FBD1522688909D0B",
+   /* Gx       */ "0FFA963CDCA8816CCC33B8642BEDF905C3D358573D3F27FBBD3B3CB9AAAF",
+   /* Gy       */ "7DEBE8E4E90A5DAE6E4054CA530BA04654B36818CE226B39FCCB7B02F1AE",
+   /* cofactor */ 1,
+   /* OID      */ "1.2.840.10045.3.1.4"
+},
+#endif
+#ifdef LTC_ECC_PRIME239V2
+{
+   /* prime    */ "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF",
+   /* A        */ "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC",
+   /* B        */ "617FAB6832576CBBFED50D99F0249C3FEE58B94BA0038C7AE84C8C832F2C",
+   /* order    */ "7FFFFFFFFFFFFFFFFFFFFFFF800000CFA7E8594377D414C03821BC582063",
+   /* Gx       */ "38AF09D98727705120C921BB5E9E26296A3CDCF2F35757A0EAFD87B830E7",
+   /* Gy       */ "5B0125E4DBEA0EC7206DA0FC01D9B081329FB555DE6EF460237DFF8BE4BA",
+   /* cofactor */ 1,
+   /* OID      */ "1.2.840.10045.3.1.5"
+},
+#endif
+#ifdef LTC_ECC_PRIME239V3
+{
+   /* prime    */ "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFF",
+   /* A        */ "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFFFFFFFF8000000000007FFFFFFFFFFC",
+   /* B        */ "255705FA2A306654B1F4CB03D6A750A30C250102D4988717D9BA15AB6D3E",
+   /* order    */ "7FFFFFFFFFFFFFFFFFFFFFFF7FFFFF975DEB41B3A6057C3C432146526551",
+   /* Gx       */ "6768AE8E18BB92CFCF005C949AA2C6D94853D0E660BBF854B1C9505FE95A",
+   /* Gy       */ "1607E6898F390C06BC1D552BAD226F3B6FCFE48B6E818499AF18E3ED6CF3",
+   /* cofactor */ 1,
+   /* OID      */ "1.2.840.10045.3.1.6"
+},
+#endif
+#ifdef LTC_ECC_BRAINPOOLP160R1
+{
+   /* prime    */ "E95E4A5F737059DC60DFC7AD95B3D8139515620F",
+   /* A        */ "340E7BE2A280EB74E2BE61BADA745D97E8F7C300",
+   /* B        */ "1E589A8595423412134FAA2DBDEC95C8D8675E58",
+   /* order    */ "E95E4A5F737059DC60DF5991D45029409E60FC09",
+   /* Gx       */ "BED5AF16EA3F6A4F62938C4631EB5AF7BDBCDBC3",
+   /* Gy       */ "1667CB477A1A8EC338F94741669C976316DA6321",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.36.3.3.2.8.1.1.1"
+},
+#endif
+#ifdef LTC_ECC_BRAINPOOLP192R1
+{
+   /* prime    */ "C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86297",
+   /* A        */ "6A91174076B1E0E19C39C031FE8685C1CAE040E5C69A28EF",
+   /* B        */ "469A28EF7C28CCA3DC721D044F4496BCCA7EF4146FBF25C9",
+   /* order    */ "C302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1",
+   /* Gx       */ "C0A0647EAAB6A48753B033C56CB0F0900A2F5C4853375FD6",
+   /* Gy       */ "14B690866ABD5BB88B5F4828C1490002E6773FA2FA299B8F",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.36.3.3.2.8.1.1.3"
+},
+#endif
+#ifdef LTC_ECC_BRAINPOOLP224R1
+{
+   /* prime    */ "D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF",
+   /* A        */ "68A5E62CA9CE6C1C299803A6C1530B514E182AD8B0042A59CAD29F43",
+   /* B        */ "2580F63CCFE44138870713B1A92369E33E2135D266DBB372386C400B",
+   /* order    */ "D7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F",
+   /* Gx       */ "0D9029AD2C7E5CF4340823B2A87DC68C9E4CE3174C1E6EFDEE12C07D",
+   /* Gy       */ "58AA56F772C0726F24C6B89E4ECDAC24354B9E99CAA3F6D3761402CD",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.36.3.3.2.8.1.1.5"
+},
+#endif
+#ifdef LTC_ECC_BRAINPOOLP256R1
+{
+   /* prime    */ "A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377",
+   /* A        */ "7D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9",
+   /* B        */ "26DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B6",
+   /* order    */ "A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7",
+   /* Gx       */ "8BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262",
+   /* Gy       */ "547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.36.3.3.2.8.1.1.7"
+},
+#endif
+#ifdef LTC_ECC_BRAINPOOLP320R1
+{
+   /* prime    */ "D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC28FCD412B1F1B32E27",
+   /* A        */ "3EE30B568FBAB0F883CCEBD46D3F3BB8A2A73513F5EB79DA66190EB085FFA9F492F375A97D860EB4",
+   /* B        */ "520883949DFDBC42D3AD198640688A6FE13F41349554B49ACC31DCCD884539816F5EB4AC8FB1F1A6",
+   /* order    */ "D35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658E98691555B44C59311",
+   /* Gx       */ "43BD7E9AFB53D8B85289BCC48EE5BFE6F20137D10A087EB6E7871E2A10A599C710AF8D0D39E20611",
+   /* Gy       */ "14FDD05545EC1CC8AB4093247F77275E0743FFED117182EAA9C77877AAAC6AC7D35245D1692E8EE1",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.36.3.3.2.8.1.1.9"
+},
+#endif
+#ifdef LTC_ECC_BRAINPOOLP384R1
+{
+   /* prime    */ "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC53",
+   /* A        */ "7BC382C63D8C150C3C72080ACE05AFA0C2BEA28E4FB22787139165EFBA91F90F8AA5814A503AD4EB04A8C7DD22CE2826",
+   /* B        */ "04A8C7DD22CE28268B39B55416F0447C2FB77DE107DCD2A62E880EA53EEB62D57CB4390295DBC9943AB78696FA504C11",
+   /* order    */ "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565",
+   /* Gx       */ "1D1C64F068CF45FFA2A63A81B7C13F6B8847A3E77EF14FE3DB7FCAFE0CBD10E8E826E03436D646AAEF87B2E247D4AF1E",
+   /* Gy       */ "8ABE1D7520F9C2A45CB1EB8E95CFD55262B70B29FEEC5864E19C054FF99129280E4646217791811142820341263C5315",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.36.3.3.2.8.1.1.11"
+},
+#endif
+#ifdef LTC_ECC_BRAINPOOLP512R1
 {
-        14,
-        "SECP112R1",
-        "DB7C2ABF62E35E668076BEAD208B",
-        "659EF8BA043916EEDE8911702B22",
-        "DB7C2ABF62E35E7628DFAC6561C5",
-        "09487239995A5EE76B55F9C2F098",
-        "A89CE5AF8724C0A23E0E0FF77500"
+   /* prime    */ "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3",
+   /* A        */ "7830A3318B603B89E2327145AC234CC594CBDD8D3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CA",
+   /* B        */ "3DF91610A83441CAEA9863BC2DED5D5AA8253AA10A2EF1C98B9AC8B57F1117A72BF2C7B9E7C1AC4D77FC94CADC083E67984050B75EBAE5DD2809BD638016F723",
+   /* order    */ "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069",
+   /* Gx       */ "81AEE4BDD82ED9645A21322E9C4C6A9385ED9F70B5D916C1B43B62EEF4D0098EFF3B1F78E2D0D48D50D1687B93B97D5F7C6D5047406A5E688B352209BCB9F822",
+   /* Gy       */ "7DDE385D566332ECC0EABFA9CF7822FDF209F70024A57B1AA000C55B881F8111B2DCDE494A5F485E5BCA4BD88A2763AED1CA2B2FA8F0540678CD1E0F3AD80892",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.36.3.3.2.8.1.1.13"
 },
 #endif
-#ifdef LTC_ECC128
+#ifdef LTC_ECC_BRAINPOOLP160T1
 {
-        16,
-        "SECP128R1",
-        "FFFFFFFDFFFFFFFFFFFFFFFFFFFFFFFF",
-        "E87579C11079F43DD824993C2CEE5ED3",
-        "FFFFFFFE0000000075A30D1B9038A115",
-        "161FF7528B899B2D0C28607CA52C5B86",
-        "CF5AC8395BAFEB13C02DA292DDED7A83",
+   /* prime    */ "E95E4A5F737059DC60DFC7AD95B3D8139515620F",
+   /* A        */ "E95E4A5F737059DC60DFC7AD95B3D8139515620C",
+   /* B        */ "7A556B6DAE535B7B51ED2C4D7DAA7A0B5C55F380",
+   /* order    */ "E95E4A5F737059DC60DF5991D45029409E60FC09",
+   /* Gx       */ "B199B13B9B34EFC1397E64BAEB05ACC265FF2378",
+   /* Gy       */ "ADD6718B7C7C1961F0991B842443772152C9E0AD",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.36.3.3.2.8.1.1.2"
 },
 #endif
-#ifdef LTC_ECC160
+#ifdef LTC_ECC_BRAINPOOLP192T1
 {
-        20,
-        "SECP160R1",
-        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF",
-        "1C97BEFC54BD7A8B65ACF89F81D4D4ADC565FA45",
-        "0100000000000000000001F4C8F927AED3CA752257",
-        "4A96B5688EF573284664698968C38BB913CBFC82",
-        "23A628553168947D59DCC912042351377AC5FB32",
+   /* prime    */ "C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86297",
+   /* A        */ "C302F41D932A36CDA7A3463093D18DB78FCE476DE1A86294",
+   /* B        */ "13D56FFAEC78681E68F9DEB43B35BEC2FB68542E27897B79",
+   /* order    */ "C302F41D932A36CDA7A3462F9E9E916B5BE8F1029AC4ACC1",
+   /* Gx       */ "3AE9E58C82F63C30282E1FE7BBF43FA72C446AF6F4618129",
+   /* Gy       */ "097E2C5667C2223A902AB5CA449D0084B7E5B3DE7CCC01C9",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.36.3.3.2.8.1.1.4"
 },
 #endif
-#ifdef LTC_ECC192
+#ifdef LTC_ECC_BRAINPOOLP224T1
 {
-        24,
-        "ECC-192",
-        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF",
-        "64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1",
-        "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831",
-        "188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012",
-        "7192B95FFC8DA78631011ED6B24CDD573F977A11E794811",
+   /* prime    */ "D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FF",
+   /* A        */ "D7C134AA264366862A18302575D1D787B09F075797DA89F57EC8C0FC",
+   /* B        */ "4B337D934104CD7BEF271BF60CED1ED20DA14C08B3BB64F18A60888D",
+   /* order    */ "D7C134AA264366862A18302575D0FB98D116BC4B6DDEBCA3A5A7939F",
+   /* Gx       */ "6AB1E344CE25FF3896424E7FFE14762ECB49F8928AC0C76029B4D580",
+   /* Gy       */ "0374E9F5143E568CD23F3F4D7C0D4B1E41C8CC0D1C6ABD5F1A46DB4C",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.36.3.3.2.8.1.1.6"
 },
 #endif
-#ifdef LTC_ECC224
+#ifdef LTC_ECC_BRAINPOOLP256T1
 {
-        28,
-        "ECC-224",
-        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001",
-        "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4",
-        "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D",
-        "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21",
-        "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34",
+   /* prime    */ "A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377",
+   /* A        */ "A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5374",
+   /* B        */ "662C61C430D84EA4FE66A7733D0B76B7BF93EBC4AF2F49256AE58101FEE92B04",
+   /* order    */ "A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7",
+   /* Gx       */ "A3E8EB3CC1CFE7B7732213B23A656149AFA142C47AAFBC2B79A191562E1305F4",
+   /* Gy       */ "2D996C823439C56D7F7B22E14644417E69BCB6DE39D027001DABE8F35B25C9BE",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.36.3.3.2.8.1.1.8"
 },
 #endif
-#ifdef LTC_ECC256
+#ifdef LTC_ECC_BRAINPOOLP320T1
 {
-        32,
-        "ECC-256",
-        "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF",
-        "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B",
-        "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551",
-        "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296",
-        "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5",
+   /* prime    */ "D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC28FCD412B1F1B32E27",
+   /* A        */ "D35E472036BC4FB7E13C785ED201E065F98FCFA6F6F40DEF4F92B9EC7893EC28FCD412B1F1B32E24",
+   /* B        */ "A7F561E038EB1ED560B3D147DB782013064C19F27ED27C6780AAF77FB8A547CEB5B4FEF422340353",
+   /* order    */ "D35E472036BC4FB7E13C785ED201E065F98FCFA5B68F12A32D482EC7EE8658E98691555B44C59311",
+   /* Gx       */ "925BE9FB01AFC6FB4D3E7D4990010F813408AB106C4F09CB7EE07868CC136FFF3357F624A21BED52",
+   /* Gy       */ "63BA3A7A27483EBF6671DBEF7ABB30EBEE084E58A0B077AD42A5A0989D1EE71B1B9BC0455FB0D2C3",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.36.3.3.2.8.1.1.10"
 },
 #endif
-#ifdef LTC_ECC384
+#ifdef LTC_ECC_BRAINPOOLP384T1
 {
-        48,
-        "ECC-384",
-        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF",
-        "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF",
-        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973",
-        "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7",
-        "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F",
+   /* prime    */ "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC53",
+   /* A        */ "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B412B1DA197FB71123ACD3A729901D1A71874700133107EC50",
+   /* B        */ "7F519EADA7BDA81BD826DBA647910F8C4B9346ED8CCDC64E4B1ABD11756DCE1D2074AA263B88805CED70355A33B471EE",
+   /* order    */ "8CB91E82A3386D280F5D6F7E50E641DF152F7109ED5456B31F166E6CAC0425A7CF3AB6AF6B7FC3103B883202E9046565",
+   /* Gx       */ "18DE98B02DB9A306F2AFCD7235F72A819B80AB12EBD653172476FECD462AABFFC4FF191B946A5F54D8D0AA2F418808CC",
+   /* Gy       */ "25AB056962D30651A114AFD2755AD336747F93475B7A1FCA3B88F2B6A208CCFE469408584DC2B2912675BF5B9E582928",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.36.3.3.2.8.1.1.12"
 },
 #endif
-#ifdef LTC_ECC521
+#ifdef LTC_ECC_BRAINPOOLP512T1
 {
-        66,
-        "ECC-521",
-        "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
-        "51953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573DF883D2C34F1EF451FD46B503F00",
-        "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409",
-        "C6858E06B70404E9CD9E3ECB662395B4429C648139053FB521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B3C1856A429BF97E7E31C2E5BD66",
-        "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C7086A272C24088BE94769FD16650",
+   /* prime    */ "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F3",
+   /* A        */ "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA703308717D4D9B009BC66842AECDA12AE6A380E62881FF2F2D82C68528AA6056583A48F0",
+   /* B        */ "7CBBBCF9441CFAB76E1890E46884EAE321F70C0BCB4981527897504BEC3E36A62BCDFA2304976540F6450085F2DAE145C22553B465763689180EA2571867423E",
+   /* order    */ "AADD9DB8DBE9C48B3FD4E6AE33C9FC07CB308DB3B3C9D20ED6639CCA70330870553E5C414CA92619418661197FAC10471DB1D381085DDADDB58796829CA90069",
+   /* Gx       */ "640ECE5C12788717B9C1BA06CBC2A6FEBA85842458C56DDE9DB1758D39C0313D82BA51735CDB3EA499AA77A7D6943A64F7A3F25FE26F06B51BAA2696FA9035DA",
+   /* Gy       */ "5B534BD595F5AF0FA2C892376C84ACE1BB4E3019B71634C01131159CAE03CEE9D9932184BEEF216BD71DF2DADF86A627306ECFF96DBB8BACE198B61E00F8B332",
+   /* cofactor */ 1,
+   /* OID      */ "1.3.36.3.3.2.8.1.1.14"
 },
 #endif
 {
-   0,
-   NULL, NULL, NULL, NULL, NULL, NULL
+   NULL, NULL, NULL, NULL, NULL, NULL, 0, NULL
 }
 };
 

src/pk/ecc/ecc_ansi_x963_export.c

@@ -7,11 +7,6 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
 /**
@@ -27,47 +22,9 @@
   @param outlen  [in/out]  Length of destination and final output size
   Return CRYPT_OK on success
 */
-int ecc_ansi_x963_export(ecc_key *key, unsigned char *out, unsigned long *outlen)
+int ecc_ansi_x963_export(const ecc_key *key, unsigned char *out, unsigned long *outlen)
 {
-   unsigned char buf[ECC_BUF_SIZE];
-   unsigned long numlen, xlen, ylen;
-
-   LTC_ARGCHK(key    != NULL);
-   LTC_ARGCHK(outlen != NULL);
-
-   if (ltc_ecc_is_valid_idx(key->idx) == 0) {
-      return CRYPT_INVALID_ARG;
-   }
-   numlen = key->dp->size;
-   xlen = mp_unsigned_bin_size(key->pubkey.x);
-   ylen = mp_unsigned_bin_size(key->pubkey.y);
-
-   if (xlen > numlen || ylen > numlen || sizeof(buf) < numlen) {
-      return CRYPT_BUFFER_OVERFLOW;
-   }
-
-   if (*outlen < (1 + 2*numlen)) {
-      *outlen = 1 + 2*numlen;
-      return CRYPT_BUFFER_OVERFLOW;
-   }
-
-   LTC_ARGCHK(out    != NULL);
-
-   /* store byte 0x04 */
-   out[0] = 0x04;
-
-   /* pad and store x */
-   zeromem(buf, sizeof(buf));
-   mp_to_unsigned_bin(key->pubkey.x, buf + (numlen - xlen));
-   XMEMCPY(out+1, buf, numlen);
-
-   /* pad and store y */
-   zeromem(buf, sizeof(buf));
-   mp_to_unsigned_bin(key->pubkey.y, buf + (numlen - ylen));
-   XMEMCPY(out+1+numlen, buf, numlen);
-
-   *outlen = 1 + 2*numlen;
-   return CRYPT_OK;
+   return ecc_get_key(out, outlen, PK_PUBLIC, key);
 }
 
 #endif

src/pk/ecc/ecc_ansi_x963_import.c

@@ -7,11 +7,6 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
 /**
@@ -31,9 +26,9 @@ int ecc_ansi_x963_import(const unsigned char *in, unsigned long inlen, ecc_key *
    return ecc_ansi_x963_import_ex(in, inlen, key, NULL);
 }
 
-int ecc_ansi_x963_import_ex(const unsigned char *in, unsigned long inlen, ecc_key *key, ltc_ecc_set_type *dp)
+int ecc_ansi_x963_import_ex(const unsigned char *in, unsigned long inlen, ecc_key *key, const ltc_ecc_curve *cu)
 {
-   int x, err;
+   int err;
 
    LTC_ARGCHK(in  != NULL);
    LTC_ARGCHK(key != NULL);
@@ -43,56 +38,21 @@ int ecc_ansi_x963_import_ex(const unsigned char *in, unsigned long inlen, ecc_ke
       return CRYPT_INVALID_ARG;
    }
 
-   /* init key */
-   if (mp_init_multi(&key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k, NULL) != CRYPT_OK) {
-      return CRYPT_MEM;
-   }
-
-   /* check for 4, 6 or 7 */
-   if (in[0] != 4 && in[0] != 6 && in[0] != 7) {
-      err = CRYPT_INVALID_PACKET;
-      goto error;
+   /* initialize key->dp */
+   if (cu == NULL) {
+      /* this case works only for uncompressed public keys  */
+      if ((err = ecc_set_dp_by_size((inlen-1)>>1, key)) != CRYPT_OK)                { return err; }
    }
-
-   /* read data */
-   if ((err = mp_read_unsigned_bin(key->pubkey.x, (unsigned char *)in+1, (inlen-1)>>1)) != CRYPT_OK) {
-      goto error;
-   }
-
-   if ((err = mp_read_unsigned_bin(key->pubkey.y, (unsigned char *)in+1+((inlen-1)>>1), (inlen-1)>>1)) != CRYPT_OK) {
-      goto error;
+   else {
+      /* this one works for both compressed / uncompressed pubkeys */
+      if ((err = ecc_set_dp(cu, key)) != CRYPT_OK)                                  { return err; }
    }
-   if ((err = mp_set(key->pubkey.z, 1)) != CRYPT_OK) { goto error; }
 
-   if (dp == NULL) {
-     /* determine the idx */
-      for (x = 0; ltc_ecc_sets[x].size != 0; x++) {
-         if ((unsigned)ltc_ecc_sets[x].size >= ((inlen-1)>>1)) {
-            break;
-         }
-      }
-      if (ltc_ecc_sets[x].size == 0) {
-         err = CRYPT_INVALID_PACKET;
-         goto error;
-      }
-      /* set the idx */
-      key->idx  = x;
-      key->dp = &ltc_ecc_sets[x];
-   } else {
-      if (((inlen-1)>>1) != (unsigned long) dp->size) {
-         err = CRYPT_INVALID_PACKET;
-         goto error;
-      }
-      key->idx = -1;
-      key->dp  = dp;
-   }
-   key->type = PK_PUBLIC;
+   /* load public key */
+   if ((err = ecc_set_key((unsigned char *)in, inlen, PK_PUBLIC, key)) != CRYPT_OK) { return err; }
 
    /* we're done */
    return CRYPT_OK;
-error:
-   mp_clear_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z, key->k, NULL);
-   return err;
 }
 
 #endif

src/pk/ecc/ecc_decrypt_key.c

@@ -7,11 +7,6 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
 /**
@@ -32,7 +27,7 @@
 */
 int ecc_decrypt_key(const unsigned char *in,  unsigned long  inlen,
                           unsigned char *out, unsigned long *outlen,
-                          ecc_key *key)
+                          const ecc_key *key)
 {
    unsigned char *ecc_shared, *skey, *pub_expt;
    unsigned long  x, y;
@@ -90,9 +85,8 @@ int ecc_decrypt_key(const unsigned char *in,  unsigned long  inlen,
    }
 
    /* import ECC key from packet */
-   if ((err = ecc_import(decode[1].data, decode[1].size, &pubkey)) != CRYPT_OK) {
-      goto LBL_ERR;
-   }
+   if ((err = ecc_copy_dp(key, &pubkey)) != CRYPT_OK) { goto LBL_ERR; }
+   if ((err = ecc_set_key(decode[1].data, decode[1].size, PK_PUBLIC, &pubkey)) != CRYPT_OK) { goto LBL_ERR; }
 
    /* make shared key */
    x = ECC_BUF_SIZE;

src/pk/ecc/ecc_encrypt_key.c

@@ -7,11 +7,6 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
 /**
@@ -36,7 +31,7 @@
 int ecc_encrypt_key(const unsigned char *in,   unsigned long inlen,
                           unsigned char *out,  unsigned long *outlen,
                           prng_state *prng, int wprng, int hash,
-                          ecc_key *key)
+                          const ecc_key *key)
 {
     unsigned char *pub_expt, *ecc_shared, *skey;
     ecc_key        pubkey;
@@ -48,11 +43,6 @@ int ecc_encrypt_key(const unsigned char *in,   unsigned long inlen,
     LTC_ARGCHK(outlen  != NULL);
     LTC_ARGCHK(key     != NULL);
 
-    /* check that wprng/cipher/hash are not invalid */
-    if ((err = prng_is_valid(wprng)) != CRYPT_OK) {
-       return err;
-    }
-
     if ((err = hash_is_valid(hash)) != CRYPT_OK) {
        return err;
     }
@@ -62,9 +52,8 @@ int ecc_encrypt_key(const unsigned char *in,   unsigned long inlen,
     }
 
     /* make a random key and export the public copy */
-    if ((err = ecc_make_key_ex(prng, wprng, &pubkey, key->dp)) != CRYPT_OK) {
-       return err;
-    }
+    if ((err = ecc_copy_dp(key, &pubkey)) != CRYPT_OK) { return err; }
+    if ((err = ecc_generate_key(prng, wprng, &pubkey)) != CRYPT_OK) { return err; }
 
     pub_expt   = XMALLOC(ECC_BUF_SIZE);
     ecc_shared = XMALLOC(ECC_BUF_SIZE);
@@ -84,7 +73,14 @@ int ecc_encrypt_key(const unsigned char *in,   unsigned long inlen,
     }
 
     pubkeysize = ECC_BUF_SIZE;
-    if ((err = ecc_export(pub_expt, &pubkeysize, PK_PUBLIC, &pubkey)) != CRYPT_OK) {
+    if (ltc_mp.sqrtmod_prime != NULL) {
+       /* PK_COMPRESSED requires sqrtmod_prime */
+       err = ecc_get_key(pub_expt, &pubkeysize, PK_PUBLIC|PK_COMPRESSED, &pubkey);
+    }
+    else {
+       err = ecc_get_key(pub_expt, &pubkeysize, PK_PUBLIC, &pubkey);
+    }
+    if (err != CRYPT_OK) {
        ecc_free(&pubkey);
        goto LBL_ERR;
     }

src/pk/ecc/ecc_export.c

@@ -7,11 +7,6 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
 /**
@@ -29,7 +24,7 @@
   @param key     The key to export
   @return CRYPT_OK if successful
 */
-int ecc_export(unsigned char *out, unsigned long *outlen, int type, ecc_key *key)
+int ecc_export(unsigned char *out, unsigned long *outlen, int type, const ecc_key *key)
 {
    int           err;
    unsigned char flags[1];
@@ -44,12 +39,8 @@ int ecc_export(unsigned char *out, unsigned long *outlen, int type, ecc_key *key
       return CRYPT_PK_TYPE_MISMATCH;
    }
 
-   if (ltc_ecc_is_valid_idx(key->idx) == 0) {
-      return CRYPT_INVALID_ARG;
-   }
-
    /* we store the NIST byte size */
-   key_size = key->dp->size;
+   key_size = key->dp.size;
 
    if (type == PK_PRIVATE) {
        flags[0] = 1;

src/pk/ecc/ecc_free.c

@@ -7,11 +7,6 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
 /**
@@ -28,7 +23,12 @@
 void ecc_free(ecc_key *key)
 {
    LTC_ARGCHKVD(key != NULL);
-   mp_clear_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z, key->k, NULL);
+
+   mp_cleanup_multi(&key->dp.prime, &key->dp.order,
+                    &key->dp.A, &key->dp.B,
+                    &key->dp.base.x, &key->dp.base.y, &key->dp.base.z,
+                    &key->pubkey.x, &key->pubkey.y, &key->pubkey.z,
+                    &key->k, NULL);
 }
 
 #endif

src/pk/ecc/ecc_get_curve.c

@@ -0,0 +1,254 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+#ifdef LTC_MECC
+
+static const struct {
+   const char *OID;
+   const char *names[6];
+} _curve_names[] = {
+#ifdef LTC_ECC_SECP112R1
+   {
+      "1.3.132.0.6", { "SECP112R1", "ECC-112", NULL }
+   },
+#endif
+#ifdef LTC_ECC_SECP112R2
+   {
+      "1.3.132.0.7", { "SECP112R2", NULL }
+   },
+#endif
+#ifdef LTC_ECC_SECP128R1
+   {
+      "1.3.132.0.28", { "SECP128R1", "ECC-128", NULL }
+   },
+#endif
+#ifdef LTC_ECC_SECP128R2
+   {
+      "1.3.132.0.29", { "SECP128R2", NULL }
+   },
+#endif
+#ifdef LTC_ECC_SECP160R1
+   {
+      "1.3.132.0.8", { "SECP160R1", "ECC-160", NULL }
+   },
+#endif
+#ifdef LTC_ECC_SECP160R2
+   {
+      "1.3.132.0.30", { "SECP160R2", NULL }
+   },
+#endif
+#ifdef LTC_ECC_SECP160K1
+   {
+      "1.3.132.0.9", { "SECP160K1", NULL }
+   },
+#endif
+#ifdef LTC_ECC_SECP192R1
+   {
+      "1.2.840.10045.3.1.1", { "SECP192R1", "NISTP192", "PRIME192V1", "ECC-192", "P-192", NULL }
+   },
+#endif
+#ifdef LTC_ECC_PRIME192V2
+   {
+      "1.2.840.10045.3.1.2", { "PRIME192V2", NULL }
+   },
+#endif
+#ifdef LTC_ECC_PRIME192V3
+   {
+      "1.2.840.10045.3.1.3", { "PRIME192V3", NULL }
+   },
+#endif
+#ifdef LTC_ECC_SECP192K1
+   {
+      "1.3.132.0.31", { "SECP192K1", NULL }
+   },
+#endif
+#ifdef LTC_ECC_SECP224R1
+   {
+      "1.3.132.0.33", { "SECP224R1", "NISTP224", "ECC-224", "P-224", NULL }
+   },
+#endif
+#ifdef LTC_ECC_SECP224K1
+   {
+      "1.3.132.0.32", { "SECP224K1", NULL }
+   },
+#endif
+#ifdef LTC_ECC_SECP256R1
+   {
+      "1.2.840.10045.3.1.7", { "SECP256R1", "NISTP256", "PRIME256V1", "ECC-256", "P-256", NULL }
+   },
+#endif
+#ifdef LTC_ECC_SECP256K1
+   {
+      "1.3.132.0.10", { "SECP256K1", NULL }
+   },
+#endif
+#ifdef LTC_ECC_SECP384R1
+   {
+      "1.3.132.0.34", { "SECP384R1", "NISTP384", "ECC-384", "P-384", NULL }
+   },
+#endif
+#ifdef LTC_ECC_SECP521R1
+   {
+      "1.3.132.0.35", { "SECP521R1", "NISTP521", "ECC-521", "P-521", NULL }
+   },
+#endif
+#ifdef LTC_ECC_PRIME239V1
+   {
+      "1.2.840.10045.3.1.4", { "PRIME239V1", NULL }
+   },
+#endif
+#ifdef LTC_ECC_PRIME239V2
+   {
+      "1.2.840.10045.3.1.5", { "PRIME239V2", NULL }
+   },
+#endif
+#ifdef LTC_ECC_PRIME239V3
+   {
+      "1.2.840.10045.3.1.6", { "PRIME239V3", NULL }
+   },
+#endif
+#ifdef LTC_ECC_BRAINPOOLP160R1
+   {
+      "1.3.36.3.3.2.8.1.1.1", { "BRAINPOOLP160R1", NULL }
+   },
+#endif
+#ifdef LTC_ECC_BRAINPOOLP192R1
+   {
+      "1.3.36.3.3.2.8.1.1.3", { "BRAINPOOLP192R1", NULL }
+   },
+#endif
+#ifdef LTC_ECC_BRAINPOOLP224R1
+   {
+      "1.3.36.3.3.2.8.1.1.5", { "BRAINPOOLP224R1", NULL }
+   },
+#endif
+#ifdef LTC_ECC_BRAINPOOLP256R1
+   {
+      "1.3.36.3.3.2.8.1.1.7", { "BRAINPOOLP256R1", NULL }
+   },
+#endif
+#ifdef LTC_ECC_BRAINPOOLP320R1
+   {
+      "1.3.36.3.3.2.8.1.1.9", { "BRAINPOOLP320R1", NULL }
+   },
+#endif
+#ifdef LTC_ECC_BRAINPOOLP384R1
+   {
+      "1.3.36.3.3.2.8.1.1.11", { "BRAINPOOLP384R1", NULL }
+   },
+#endif
+#ifdef LTC_ECC_BRAINPOOLP512R1
+   {
+      "1.3.36.3.3.2.8.1.1.13", { "BRAINPOOLP512R1", NULL }
+   },
+#endif
+#ifdef LTC_ECC_BRAINPOOLP160T1
+   {
+      "1.3.36.3.3.2.8.1.1.2", { "BRAINPOOLP160T1", NULL }
+   },
+#endif
+#ifdef LTC_ECC_BRAINPOOLP192T1
+   {
+      "1.3.36.3.3.2.8.1.1.4", { "BRAINPOOLP192T1", NULL }
+   },
+#endif
+#ifdef LTC_ECC_BRAINPOOLP224T1
+   {
+      "1.3.36.3.3.2.8.1.1.6", { "BRAINPOOLP224T1", NULL }
+   },
+#endif
+#ifdef LTC_ECC_BRAINPOOLP256T1
+   {
+      "1.3.36.3.3.2.8.1.1.8", { "BRAINPOOLP256T1", NULL }
+   },
+#endif
+#ifdef LTC_ECC_BRAINPOOLP320T1
+   {
+      "1.3.36.3.3.2.8.1.1.10", { "BRAINPOOLP320T1", NULL }
+   },
+#endif
+#ifdef LTC_ECC_BRAINPOOLP384T1
+   {
+      "1.3.36.3.3.2.8.1.1.12", { "BRAINPOOLP384T1", NULL }
+   },
+#endif
+#ifdef LTC_ECC_BRAINPOOLP512T1
+   {
+      "1.3.36.3.3.2.8.1.1.14", { "BRAINPOOLP512T1", NULL }
+   },
+#endif
+   {
+      NULL, { NULL }
+   }
+};
+
+/* case-insensitive match + ignore '-', '_', ' ' */
+static int _name_match(const char *left, const char *right)
+{
+   char lc_r, lc_l;
+
+   while ((*left != '\0') && (*right != '\0')) {
+      while ((*left  == ' ') || (*left  == '-') || (*left  == '_')) left++;
+      while ((*right == ' ') || (*right == '-') || (*right == '_')) right++;
+      if (*left == '\0' || *right == '\0') break;
+      lc_r = *right;
+      lc_l = *left;
+      if ((lc_r >= 'A') && (lc_r <= 'Z')) lc_r += 32;
+      if ((lc_l >= 'A') && (lc_l <= 'Z')) lc_l += 32;
+      if (lc_l != lc_r) return 0;
+      left++;
+      right++;
+   }
+
+   if ((*left == '\0') && (*right == '\0'))
+      return 1;
+   else
+      return 0;
+}
+
+int ecc_get_curve(const char *name_or_oid, const ltc_ecc_curve **cu)
+{
+   int i, j;
+   const char *OID = NULL;
+
+   LTC_ARGCHK(cu != NULL);
+   LTC_ARGCHK(name_or_oid != NULL);
+
+   *cu = NULL;
+
+   for (i = 0; _curve_names[i].OID != NULL && !OID; i++) {
+      if (XSTRCMP(_curve_names[i].OID, name_or_oid) == 0) {
+         OID = _curve_names[i].OID;
+      }
+      for (j = 0; _curve_names[i].names[j] != NULL && !OID; j++) {
+         if (_name_match(_curve_names[i].names[j], name_or_oid)) {
+            OID = _curve_names[i].OID;
+         }
+      }
+   }
+
+   if (OID != NULL) {
+      for (i = 0; ltc_ecc_curves[i].prime != NULL; i++) {
+         if (XSTRCMP(ltc_ecc_curves[i].OID, OID) == 0) {
+            *cu = &ltc_ecc_curves[i];
+            return CRYPT_OK;
+         }
+      }
+   }
+
+   return CRYPT_INVALID_ARG; /* not found */
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/ecc/ecc_get_key.c

@@ -0,0 +1,60 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+#ifdef LTC_MECC
+
+/** Export raw public or private key (public keys = ANS X9.63 compressed or uncompressed; private keys = raw bytes)
+  @param out    [out] destination of export
+  @param outlen [in/out]  Length of destination and final output size
+  @param type   PK_PRIVATE, PK_PUBLIC or PK_PUBLIC|PK_COMPRESSED
+  @param key    Key to export
+  Return        CRYPT_OK on success
+*/
+
+int ecc_get_key(unsigned char *out, unsigned long *outlen, int type, const ecc_key *key)
+{
+   unsigned long size, ksize;
+   int err, compressed;
+
+   LTC_ARGCHK(key    != NULL);
+   LTC_ARGCHK(out    != NULL);
+   LTC_ARGCHK(outlen != NULL);
+
+   size = key->dp.size;
+   compressed = type & PK_COMPRESSED ? 1 : 0;
+   type &= ~PK_COMPRESSED;
+
+   if (type == PK_PUBLIC) {
+      if ((err = ltc_ecc_export_point(out, outlen, key->pubkey.x, key->pubkey.y, size, compressed)) != CRYPT_OK) {
+         return err;
+      }
+   }
+   else if (type == PK_PRIVATE) {
+      if (key->type != PK_PRIVATE)                                                return CRYPT_PK_TYPE_MISMATCH;
+      *outlen = size;
+      if (size > *outlen)                                                         return CRYPT_BUFFER_OVERFLOW;
+      if ((ksize = mp_unsigned_bin_size(key->k)) > size)                          return CRYPT_BUFFER_OVERFLOW;
+      /* pad and store k */
+      if ((err = mp_to_unsigned_bin(key->k, out + (size - ksize))) != CRYPT_OK)   return err;
+      zeromem(out, size - ksize);
+   }
+   else {
+      return CRYPT_INVALID_ARG;
+   }
+
+   return CRYPT_OK;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/ecc/ecc_get_oid_str.c

@@ -0,0 +1,32 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+#ifdef LTC_MECC
+
+/** Extract OID as a string from ECC key
+  @param out    [out] destination buffer
+  @param outlen [in/out] Length of destination buffer and final output size (without terminating NUL byte)
+  @param key    The ECC key
+  Return        CRYPT_OK on success
+*/
+
+int ecc_get_oid_str(char *out, unsigned long *outlen, const ecc_key *key)
+{
+   LTC_ARGCHK(key != NULL);
+
+   return pk_oid_num_to_str(key->dp.oid, key->dp.oidlen, out, outlen);
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/ecc/ecc_get_size.c

@@ -7,11 +7,6 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
 /**
@@ -26,13 +21,12 @@
   @param key    The key to get the size of
   @return The size (octets) of the key or INT_MAX on error
 */
-int ecc_get_size(ecc_key *key)
+int ecc_get_size(const ecc_key *key)
 {
-   LTC_ARGCHK(key != NULL);
-   if (ltc_ecc_is_valid_idx(key->idx))
-      return key->dp->size;
-   else
-      return INT_MAX; /* large value known to cause it to fail when passed to ecc_make_key() */
+   if (key == NULL) {
+      return INT_MAX;
+   }
+   return key->dp.size;
 }
 
 #endif

src/pk/ecc/ecc_import.c

@@ -7,11 +7,6 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
 /**
@@ -21,54 +16,6 @@
 
 #ifdef LTC_MECC
 
-static int _is_point(ecc_key *key)
-{
-   void *prime, *b, *t1, *t2;
-   int err;
-
-   if ((err = mp_init_multi(&prime, &b, &t1, &t2, NULL)) != CRYPT_OK) {
-      return err;
-   }
-
-   /* load prime and b */
-   if ((err = mp_read_radix(prime, key->dp->prime, 16)) != CRYPT_OK)                          { goto error; }
-   if ((err = mp_read_radix(b, key->dp->B, 16)) != CRYPT_OK)                                  { goto error; }
-
-   /* compute y^2 */
-   if ((err = mp_sqr(key->pubkey.y, t1)) != CRYPT_OK)                                         { goto error; }
-
-   /* compute x^3 */
-   if ((err = mp_sqr(key->pubkey.x, t2)) != CRYPT_OK)                                         { goto error; }
-   if ((err = mp_mod(t2, prime, t2)) != CRYPT_OK)                                             { goto error; }
-   if ((err = mp_mul(key->pubkey.x, t2, t2)) != CRYPT_OK)                                     { goto error; }
-
-   /* compute y^2 - x^3 */
-   if ((err = mp_sub(t1, t2, t1)) != CRYPT_OK)                                                { goto error; }
-
-   /* compute y^2 - x^3 + 3x */
-   if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK)                                     { goto error; }
-   if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK)                                     { goto error; }
-   if ((err = mp_add(t1, key->pubkey.x, t1)) != CRYPT_OK)                                     { goto error; }
-   if ((err = mp_mod(t1, prime, t1)) != CRYPT_OK)                                             { goto error; }
-   while (mp_cmp_d(t1, 0) == LTC_MP_LT) {
-      if ((err = mp_add(t1, prime, t1)) != CRYPT_OK)                                          { goto error; }
-   }
-   while (mp_cmp(t1, prime) != LTC_MP_LT) {
-      if ((err = mp_sub(t1, prime, t1)) != CRYPT_OK)                                          { goto error; }
-   }
-
-   /* compare to b */
-   if (mp_cmp(t1, b) != LTC_MP_EQ) {
-      err = CRYPT_INVALID_PACKET;
-   } else {
-      err = CRYPT_OK;
-   }
-
-error:
-   mp_clear_multi(prime, b, t1, t2, NULL);
-   return err;
-}
-
 /**
   Import an ECC key from a binary packet
   @param in      The packet to import
@@ -86,10 +33,10 @@ int ecc_import(const unsigned char *in, unsigned long inlen, ecc_key *key)
   @param in      The packet to import
   @param inlen   The length of the packet
   @param key     [out] The destination of the import
-  @param dp      pointer to user supplied params; must be the same as the params used when exporting
+  @param cu      pointer to user supplied params; must be the same as the params used when exporting
   @return CRYPT_OK if successful, upon error all allocated memory will be freed
 */
-int ecc_import_ex(const unsigned char *in, unsigned long inlen, ecc_key *key, const ltc_ecc_set_type *dp)
+int ecc_import_ex(const unsigned char *in, unsigned long inlen, ecc_key *key, const ltc_ecc_curve *cu)
 {
    unsigned long key_size;
    unsigned char flags[1];
@@ -99,18 +46,20 @@ int ecc_import_ex(const unsigned char *in, unsigned long inlen, ecc_key *key, co
    LTC_ARGCHK(key != NULL);
    LTC_ARGCHK(ltc_mp.name != NULL);
 
-   /* init key */
-   if (mp_init_multi(&key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k, NULL) != CRYPT_OK) {
-      return CRYPT_MEM;
-   }
-
    /* find out what type of key it is */
-   err = der_decode_sequence_multi(in, inlen, LTC_ASN1_BIT_STRING, 1UL, flags,
-                                              LTC_ASN1_EOL,        0UL, NULL);
+   err = der_decode_sequence_multi(in, inlen, LTC_ASN1_BIT_STRING,    1UL, flags,
+                                              LTC_ASN1_SHORT_INTEGER, 1UL, &key_size,
+                                              LTC_ASN1_EOL,           0UL, NULL);
    if (err != CRYPT_OK && err != CRYPT_INPUT_TOO_LONG) {
-      goto done;
+      return err;
    }
 
+   /* allocate & initialize the key */
+   if (cu == NULL) {
+      if ((err = ecc_set_dp_by_size(key_size, key)) != CRYPT_OK) { goto done; }
+   } else {
+      if ((err = ecc_set_dp(cu, key)) != CRYPT_OK)               { goto done; }
+   }
 
    if (flags[0] == 1) {
       /* private key */
@@ -141,30 +90,17 @@ int ecc_import_ex(const unsigned char *in, unsigned long inlen, ecc_key *key, co
       goto done;
    }
 
-   if (dp == NULL) {
-     /* find the idx */
-     for (key->idx = 0; ltc_ecc_sets[key->idx].size && (unsigned long)ltc_ecc_sets[key->idx].size != key_size; ++key->idx);
-     if (ltc_ecc_sets[key->idx].size == 0) {
-       err = CRYPT_INVALID_PACKET;
-       goto done;
-     }
-     key->dp = &ltc_ecc_sets[key->idx];
-   } else {
-     key->idx = -1;
-     key->dp = dp;
-   }
    /* set z */
    if ((err = mp_set(key->pubkey.z, 1)) != CRYPT_OK) { goto done; }
 
-   /* is it a point on the curve?  */
-   if ((err = _is_point(key)) != CRYPT_OK) {
-      goto done;
-   }
+   /* point on the curve + other checks */
+   if ((err = ltc_ecc_verify_key(key)) != CRYPT_OK)  { goto done; }
 
    /* we're good */
    return CRYPT_OK;
+
 done:
-   mp_clear_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z, key->k, NULL);
+   ecc_free(key);
    return err;
 }
 #endif

src/pk/ecc/ecc_make_key.c

@@ -7,11 +7,6 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
 /**
@@ -31,93 +26,53 @@
 */
 int ecc_make_key(prng_state *prng, int wprng, int keysize, ecc_key *key)
 {
-   int x, err;
+   int err;
 
-   /* find key size */
-   for (x = 0; (keysize > ltc_ecc_sets[x].size) && (ltc_ecc_sets[x].size != 0); x++);
-   keysize = ltc_ecc_sets[x].size;
+   if ((err = ecc_set_dp_by_size(keysize, key)) != CRYPT_OK)   { return err; }
+   if ((err = ecc_generate_key(prng, wprng, key)) != CRYPT_OK) { return err; }
+   return CRYPT_OK;
+}
 
-   if (keysize > ECC_MAXSIZE || ltc_ecc_sets[x].size == 0) {
-      return CRYPT_INVALID_KEYSIZE;
-   }
-   err = ecc_make_key_ex(prng, wprng, key, &ltc_ecc_sets[x]);
-   key->idx = x;
-   return err;
+int ecc_make_key_ex(prng_state *prng, int wprng, ecc_key *key, const ltc_ecc_curve *cu)
+{
+   int err;
+   if ((err = ecc_set_dp(cu, key)) != CRYPT_OK)                { return err; }
+   if ((err = ecc_generate_key(prng, wprng, key)) != CRYPT_OK) { return err; }
+   return CRYPT_OK;
 }
 
-int ecc_make_key_ex(prng_state *prng, int wprng, ecc_key *key, const ltc_ecc_set_type *dp)
+int ecc_generate_key(prng_state *prng, int wprng, ecc_key *key)
 {
    int            err;
-   ecc_point     *base;
-   void          *prime, *order;
-   unsigned char *buf;
-   int            keysize;
 
-   LTC_ARGCHK(key         != NULL);
    LTC_ARGCHK(ltc_mp.name != NULL);
-   LTC_ARGCHK(dp          != NULL);
-
-   /* good prng? */
-   if ((err = prng_is_valid(wprng)) != CRYPT_OK) {
-      return err;
-   }
-
-   key->idx = -1;
-   key->dp  = dp;
-   keysize  = dp->size;
-
-   /* allocate ram */
-   base = NULL;
-   buf  = XMALLOC(ECC_MAXSIZE);
-   if (buf == NULL) {
-      return CRYPT_MEM;
-   }
-
-   /* make up random string */
-   if (prng_descriptor[wprng].read(buf, (unsigned long)keysize, prng) != (unsigned long)keysize) {
-      err = CRYPT_ERROR_READPRNG;
-      goto ERR_BUF;
-   }
-
-   /* setup the key variables */
-   if ((err = mp_init_multi(&key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k, &prime, &order, NULL)) != CRYPT_OK) {
-      goto ERR_BUF;
-   }
-   base = ltc_ecc_new_point();
-   if (base == NULL) {
-      err = CRYPT_MEM;
-      goto errkey;
+   LTC_ARGCHK(key         != NULL);
+   LTC_ARGCHK(key->dp.size > 0);
+
+   /* ECC key pair generation according to FIPS-186-4 (B.4.2 Key Pair Generation by Testing Candidates):
+    * the generated private key k should be the range [1, order-1]
+    *  a/ N = bitlen(order)
+    *  b/ generate N random bits and convert them into big integer k
+    *  c/ if k not in [1, order-1] go to b/
+    *  e/ Q = k*G
+    */
+   if ((err = rand_bn_upto(key->k, key->dp.order, prng, wprng)) != CRYPT_OK) {
+      goto error;
    }
 
-   /* read in the specs for this key */
-   if ((err = mp_read_radix(prime,   (char *)key->dp->prime, 16)) != CRYPT_OK)                  { goto errkey; }
-   if ((err = mp_read_radix(order,   (char *)key->dp->order, 16)) != CRYPT_OK)                  { goto errkey; }
-   if ((err = mp_read_radix(base->x, (char *)key->dp->Gx, 16)) != CRYPT_OK)                     { goto errkey; }
-   if ((err = mp_read_radix(base->y, (char *)key->dp->Gy, 16)) != CRYPT_OK)                     { goto errkey; }
-   if ((err = mp_set(base->z, 1)) != CRYPT_OK)                                                  { goto errkey; }
-   if ((err = mp_read_unsigned_bin(key->k, (unsigned char *)buf, keysize)) != CRYPT_OK)         { goto errkey; }
-
-   /* the key should be smaller than the order of base point */
-   if (mp_cmp(key->k, order) != LTC_MP_LT) {
-       if((err = mp_mod(key->k, order, key->k)) != CRYPT_OK)                                    { goto errkey; }
-   }
    /* make the public key */
-   if ((err = ltc_mp.ecc_ptmul(key->k, base, &key->pubkey, prime, 1)) != CRYPT_OK)              { goto errkey; }
+   if ((err = ltc_mp.ecc_ptmul(key->k, &key->dp.base, &key->pubkey, key->dp.A, key->dp.prime, 1)) != CRYPT_OK) {
+      goto error;
+   }
    key->type = PK_PRIVATE;
 
-   /* free up ram */
+   /* success */
    err = CRYPT_OK;
    goto cleanup;
-errkey:
-   mp_clear_multi(key->pubkey.x, key->pubkey.y, key->pubkey.z, key->k, NULL);
+
+error:
+   ecc_free(key);
 cleanup:
-   ltc_ecc_del_point(base);
-   mp_clear_multi(prime, order, NULL);
-ERR_BUF:
-#ifdef LTC_CLEAN_STACK
-   zeromem(buf, ECC_MAXSIZE);
-#endif
-   XFREE(buf);
    return err;
 }
 

src/pk/ecc/ecc_set_dp.c

@@ -0,0 +1,90 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+#ifdef LTC_MECC
+
+int ecc_set_dp(const ltc_ecc_curve *curve, ecc_key *key)
+{
+   int err;
+
+   LTC_ARGCHK(key != NULL);
+   LTC_ARGCHK(curve != NULL);
+
+   if ((err = mp_init_multi(&key->dp.prime, &key->dp.order, &key->dp.A, &key->dp.B,
+                            &key->dp.base.x, &key->dp.base.y, &key->dp.base.z,
+                            &key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k,
+                            NULL)) != CRYPT_OK) {
+      return err;
+   }
+
+   /* A, B, order, prime, Gx, Gy */
+   if ((err = mp_read_radix(key->dp.prime, curve->prime, 16)) != CRYPT_OK) { goto error; }
+   if ((err = mp_read_radix(key->dp.order, curve->order, 16)) != CRYPT_OK) { goto error; }
+   if ((err = mp_read_radix(key->dp.A, curve->A, 16)) != CRYPT_OK)         { goto error; }
+   if ((err = mp_read_radix(key->dp.B, curve->B, 16)) != CRYPT_OK)         { goto error; }
+   if ((err = mp_read_radix(key->dp.base.x, curve->Gx, 16)) != CRYPT_OK)   { goto error; }
+   if ((err = mp_read_radix(key->dp.base.y, curve->Gy, 16)) != CRYPT_OK)   { goto error; }
+   if ((err = mp_set(key->dp.base.z, 1)) != CRYPT_OK)                      { goto error; }
+   /* cofactor & size */
+   key->dp.cofactor = curve->cofactor;
+   key->dp.size = mp_unsigned_bin_size(key->dp.prime);
+   /* OID string >> unsigned long oid[16] + oidlen */
+   key->dp.oidlen = 16;
+   if ((err = pk_oid_str_to_num(curve->OID, key->dp.oid, &key->dp.oidlen)) != CRYPT_OK) { goto error; }
+   /* success */
+   return CRYPT_OK;
+
+error:
+   ecc_free(key);
+   return err;
+}
+
+int ecc_set_dp_by_size(int size, ecc_key *key)
+{
+   const ltc_ecc_curve *cu = NULL;
+   int err = CRYPT_ERROR;
+
+   /* for compatibility with libtomcrypt-1.17 the sizes below must match the specific curves */
+   if (size <= 14) {
+      err = ecc_get_curve("SECP112R1", &cu);
+   }
+   else if (size <= 16) {
+      err = ecc_get_curve("SECP128R1", &cu);
+   }
+   else if (size <= 20) {
+      err = ecc_get_curve("SECP160R1", &cu);
+   }
+   else if (size <= 24) {
+      err = ecc_get_curve("SECP192R1", &cu);
+   }
+   else if (size <= 28) {
+      err = ecc_get_curve("SECP224R1", &cu);
+   }
+   else if (size <= 32) {
+      err = ecc_get_curve("SECP256R1", &cu);
+   }
+   else if (size <= 48) {
+      err = ecc_get_curve("SECP384R1", &cu);
+   }
+   else if (size <= 66) {
+      err = ecc_get_curve("SECP521R1", &cu);
+   }
+
+   if (err == CRYPT_OK && cu != NULL) return ecc_set_dp(cu, key);
+
+   return CRYPT_INVALID_ARG;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/ecc/ecc_set_dp_internal.c

@@ -0,0 +1,129 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+#ifdef LTC_MECC
+
+static int _ecc_cmp_hex_bn(const char *left_hex, void *right_bn, void *tmp_bn)
+{
+   if (mp_read_radix(tmp_bn, left_hex, 16) != CRYPT_OK) return 0;
+   if (mp_cmp(tmp_bn, right_bn) != LTC_MP_EQ)           return 0;
+   return 1;
+}
+
+static void _ecc_oid_lookup(ecc_key *key)
+{
+   void *bn;
+   const ltc_ecc_curve *curve;
+
+   key->dp.oidlen = 0;
+   if (mp_init(&bn) != CRYPT_OK) return;
+   for (curve = ltc_ecc_curves; curve->prime != NULL; curve++) {
+      if (_ecc_cmp_hex_bn(curve->prime, key->dp.prime,  bn) != 1) continue;
+      if (_ecc_cmp_hex_bn(curve->order, key->dp.order,  bn) != 1) continue;
+      if (_ecc_cmp_hex_bn(curve->A,     key->dp.A,      bn) != 1) continue;
+      if (_ecc_cmp_hex_bn(curve->B,     key->dp.B,      bn) != 1) continue;
+      if (_ecc_cmp_hex_bn(curve->Gx,    key->dp.base.x, bn) != 1) continue;
+      if (_ecc_cmp_hex_bn(curve->Gy,    key->dp.base.y, bn) != 1) continue;
+      if (key->dp.cofactor != curve->cofactor)                    continue;
+      break; /* found */
+   }
+   mp_clear(bn);
+   if (curve->prime && curve->OID) {
+      key->dp.oidlen = 16; /* size of key->dp.oid */
+      pk_oid_str_to_num(curve->OID, key->dp.oid, &key->dp.oidlen);
+   }
+}
+
+int ecc_copy_dp(const ecc_key *srckey, ecc_key *key)
+{
+   unsigned long i;
+   int err;
+
+   LTC_ARGCHK(key != NULL);
+   LTC_ARGCHK(srckey != NULL);
+
+   if ((err = mp_init_multi(&key->dp.prime, &key->dp.order, &key->dp.A, &key->dp.B,
+                            &key->dp.base.x, &key->dp.base.y, &key->dp.base.z,
+                            &key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k,
+                            NULL)) != CRYPT_OK) {
+      return err;
+   }
+
+   /* A, B, order, prime, Gx, Gy */
+   if ((err = mp_copy(srckey->dp.prime,  key->dp.prime )) != CRYPT_OK) { goto error; }
+   if ((err = mp_copy(srckey->dp.order,  key->dp.order )) != CRYPT_OK) { goto error; }
+   if ((err = mp_copy(srckey->dp.A,      key->dp.A     )) != CRYPT_OK) { goto error; }
+   if ((err = mp_copy(srckey->dp.B,      key->dp.B     )) != CRYPT_OK) { goto error; }
+   if ((err = ltc_ecc_copy_point(&srckey->dp.base, &key->dp.base)) != CRYPT_OK) { goto error; }
+   /* cofactor & size */
+   key->dp.cofactor = srckey->dp.cofactor;
+   key->dp.size     = srckey->dp.size;
+   /* OID */
+   if (srckey->dp.oidlen > 0) {
+     key->dp.oidlen = srckey->dp.oidlen;
+     for (i = 0; i < key->dp.oidlen; i++) key->dp.oid[i] = srckey->dp.oid[i];
+   }
+   else {
+     _ecc_oid_lookup(key); /* try to find OID in ltc_ecc_curves */
+   }
+   /* success */
+   return CRYPT_OK;
+
+error:
+   ecc_free(key);
+   return err;
+}
+
+int ecc_set_dp_from_mpis(void *a, void *b, void *prime, void *order, void *gx, void *gy, unsigned long cofactor, ecc_key *key)
+{
+   int err;
+
+   LTC_ARGCHK(key   != NULL);
+   LTC_ARGCHK(a     != NULL);
+   LTC_ARGCHK(b     != NULL);
+   LTC_ARGCHK(prime != NULL);
+   LTC_ARGCHK(order != NULL);
+   LTC_ARGCHK(gx    != NULL);
+   LTC_ARGCHK(gy    != NULL);
+
+   if ((err = mp_init_multi(&key->dp.prime, &key->dp.order, &key->dp.A, &key->dp.B,
+                            &key->dp.base.x, &key->dp.base.y, &key->dp.base.z,
+                            &key->pubkey.x, &key->pubkey.y, &key->pubkey.z, &key->k,
+                            NULL)) != CRYPT_OK) {
+      return err;
+   }
+
+   /* A, B, order, prime, Gx, Gy */
+   if ((err = mp_copy(prime, key->dp.prime )) != CRYPT_OK) { goto error; }
+   if ((err = mp_copy(order, key->dp.order )) != CRYPT_OK) { goto error; }
+   if ((err = mp_copy(a,     key->dp.A     )) != CRYPT_OK) { goto error; }
+   if ((err = mp_copy(b,     key->dp.B     )) != CRYPT_OK) { goto error; }
+   if ((err = mp_copy(gx,    key->dp.base.x)) != CRYPT_OK) { goto error; }
+   if ((err = mp_copy(gy,    key->dp.base.y)) != CRYPT_OK) { goto error; }
+   if ((err = mp_set(key->dp.base.z, 1)) != CRYPT_OK)      { goto error; }
+   /* cofactor & size */
+   key->dp.cofactor = cofactor;
+   key->dp.size = mp_unsigned_bin_size(prime);
+   /* try to find OID in ltc_ecc_curves */
+   _ecc_oid_lookup(key);
+   /* success */
+   return CRYPT_OK;
+
+error:
+   ecc_free(key);
+   return err;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/ecc/ecc_set_key.c

@@ -0,0 +1,67 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+#ifdef LTC_MECC
+
+int ecc_set_key(const unsigned char *in, unsigned long inlen, int type, ecc_key *key)
+{
+   int err;
+   void *prime, *a, *b;
+
+   LTC_ARGCHK(key != NULL);
+   LTC_ARGCHK(in != NULL);
+   LTC_ARGCHK(inlen > 0);
+
+   prime = key->dp.prime;
+   a     = key->dp.A;
+   b     = key->dp.B;
+
+   if (type == PK_PRIVATE && inlen <= (unsigned long)key->dp.size) {
+      /* load private key */
+      if ((err = mp_read_unsigned_bin(key->k, (unsigned char *)in, inlen)) != CRYPT_OK) {
+         goto error;
+      }
+      if (mp_iszero(key->k)) {
+         err = CRYPT_INVALID_PACKET;
+         goto error;
+      }
+      /* compute public key */
+      if ((err = ltc_mp.ecc_ptmul(key->k, &key->dp.base, &key->pubkey, a, prime, 1)) != CRYPT_OK)         { goto error; }
+      key->type = type;
+   }
+   else if (type == PK_PUBLIC) {
+      /* load public key */
+      if ((err = ltc_ecc_import_point(in, inlen, prime, a, b, key->pubkey.x, key->pubkey.y)) != CRYPT_OK) { goto error; }
+      if ((err = mp_set(key->pubkey.z, 1)) != CRYPT_OK)                                                   { goto error; }
+      key->type = type;
+   }
+   else {
+      err = CRYPT_INVALID_PACKET;
+      goto error;
+   }
+
+   /* point on the curve + other checks */
+   if ((err = ltc_ecc_verify_key(key)) != CRYPT_OK) {
+      goto error;
+   }
+
+   return CRYPT_OK;
+
+error:
+   ecc_free(key);
+   return err;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/ecc/ecc_shared_secret.c

@@ -7,11 +7,6 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
 /**
@@ -29,12 +24,12 @@
   @param outlen           [in/out] The max size and resulting size of the shared secret
   @return CRYPT_OK if successful
 */
-int ecc_shared_secret(ecc_key *private_key, ecc_key *public_key,
+int ecc_shared_secret(const ecc_key *private_key, const ecc_key *public_key,
                       unsigned char *out, unsigned long *outlen)
 {
    unsigned long  x;
    ecc_point     *result;
-   void          *prime;
+   void          *prime, *a;
    int            err;
 
    LTC_ARGCHK(private_key != NULL);
@@ -47,27 +42,16 @@ int ecc_shared_secret(ecc_key *private_key, ecc_key *public_key,
       return CRYPT_PK_NOT_PRIVATE;
    }
 
-   if (ltc_ecc_is_valid_idx(private_key->idx) == 0 || ltc_ecc_is_valid_idx(public_key->idx) == 0) {
-      return CRYPT_INVALID_ARG;
-   }
-
-   if (XSTRCMP(private_key->dp->name, public_key->dp->name) != 0) {
-      return CRYPT_PK_TYPE_MISMATCH;
-   }
-
    /* make new point */
    result = ltc_ecc_new_point();
    if (result == NULL) {
       return CRYPT_MEM;
    }
 
-   if ((err = mp_init(&prime)) != CRYPT_OK) {
-      ltc_ecc_del_point(result);
-      return err;
-   }
+   prime = private_key->dp.prime;
+   a     = private_key->dp.A;
 
-   if ((err = mp_read_radix(prime, (char *)private_key->dp->prime, 16)) != CRYPT_OK)                               { goto done; }
-   if ((err = ltc_mp.ecc_ptmul(private_key->k, &public_key->pubkey, result, prime, 1)) != CRYPT_OK)                { goto done; }
+   if ((err = ltc_mp.ecc_ptmul(private_key->k, &public_key->pubkey, result, a, prime, 1)) != CRYPT_OK)   { goto done; }
 
    x = (unsigned long)mp_unsigned_bin_size(prime);
    if (*outlen < x) {
@@ -76,12 +60,11 @@ int ecc_shared_secret(ecc_key *private_key, ecc_key *public_key,
       goto done;
    }
    zeromem(out, x);
-   if ((err = mp_to_unsigned_bin(result->x, out + (x - mp_unsigned_bin_size(result->x))))   != CRYPT_OK)           { goto done; }
+   if ((err = mp_to_unsigned_bin(result->x, out + (x - mp_unsigned_bin_size(result->x))))   != CRYPT_OK) { goto done; }
 
    err     = CRYPT_OK;
    *outlen = x;
 done:
-   mp_clear(prime);
    ltc_ecc_del_point(result);
    return err;
 }

src/pk/ecc/ecc_sign_hash.c

@@ -18,7 +18,7 @@
 
 static int _ecc_sign_hash(const unsigned char *in,  unsigned long inlen,
                                 unsigned char *out, unsigned long *outlen,
-                                prng_state *prng, int wprng, ecc_key *key, int sigformat)
+                                prng_state *prng, int wprng, const ecc_key *key, int sigformat)
 {
    ecc_key       pubkey;
    void          *r, *s, *e, *p;
@@ -36,22 +36,13 @@ static int _ecc_sign_hash(const unsigned char *in,  unsigned long inlen,
       return CRYPT_PK_NOT_PRIVATE;
    }
 
-   /* is the IDX valid ?  */
-   if (ltc_ecc_is_valid_idx(key->idx) != 1) {
-      return CRYPT_PK_INVALID_TYPE;
-   }
-
-   if ((err = prng_is_valid(wprng)) != CRYPT_OK) {
-      return err;
-   }
-
    /* init the bignums */
-   if ((err = mp_init_multi(&r, &s, &p, &e, NULL)) != CRYPT_OK) {
+   if ((err = mp_init_multi(&r, &s, &e, NULL)) != CRYPT_OK) {
       return err;
    }
-   if ((err = mp_read_radix(p, (char *)key->dp->order, 16)) != CRYPT_OK)              { goto errnokey; }
 
    /* get the hash and load it as a bignum into 'e' */
+   p = key->dp.order;
    pbits = mp_count_bits(p);
    pbytes = (pbits+7) >> 3;
    if (pbits > inlen*8) {
@@ -72,12 +63,11 @@ static int _ecc_sign_hash(const unsigned char *in,  unsigned long inlen,
 
    /* make up a key and export the public copy */
    do {
-      if ((err = ecc_make_key_ex(prng, wprng, &pubkey, key->dp)) != CRYPT_OK) {
-         goto errnokey;
-      }
+      if ((err = ecc_copy_dp(key, &pubkey)) != CRYPT_OK)                   { goto errnokey; }
+      if ((err = ecc_generate_key(prng, wprng, &pubkey)) != CRYPT_OK)      { goto errnokey; }
 
       /* find r = x1 mod n */
-      if ((err = mp_mod(pubkey.pubkey.x, p, r)) != CRYPT_OK)                          { goto error; }
+      if ((err = mp_mod(pubkey.pubkey.x, p, r)) != CRYPT_OK)               { goto error; }
 
       if (mp_iszero(r) == LTC_MP_YES) {
          ecc_free(&pubkey);
@@ -121,7 +111,7 @@ static int _ecc_sign_hash(const unsigned char *in,  unsigned long inlen,
 error:
    ecc_free(&pubkey);
 errnokey:
-   mp_clear_multi(r, s, p, e, NULL);
+   mp_clear_multi(r, s, e, NULL);
    return err;
 }
 
@@ -138,7 +128,7 @@ errnokey:
 */
 int ecc_sign_hash(const unsigned char *in,  unsigned long inlen,
                         unsigned char *out, unsigned long *outlen,
-                        prng_state *prng, int wprng, ecc_key *key)
+                        prng_state *prng, int wprng, const ecc_key *key)
 {
    return _ecc_sign_hash(in, inlen, out, outlen, prng, wprng, key, 0);
 }
@@ -156,7 +146,7 @@ int ecc_sign_hash(const unsigned char *in,  unsigned long inlen,
 */
 int ecc_sign_hash_rfc7518(const unsigned char *in,  unsigned long inlen,
                                 unsigned char *out, unsigned long *outlen,
-                                prng_state *prng, int wprng, ecc_key *key)
+                                prng_state *prng, int wprng, const ecc_key *key)
 {
    return _ecc_sign_hash(in, inlen, out, outlen, prng, wprng, key, 1);
 }

src/pk/ecc/ecc_sizes.c

@@ -7,11 +7,6 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
 /**
@@ -23,20 +18,25 @@
 
 void ecc_sizes(int *low, int *high)
 {
- int i;
- LTC_ARGCHKVD(low  != NULL);
- LTC_ARGCHKVD(high != NULL);
-
- *low = INT_MAX;
- *high = 0;
- for (i = 0; ltc_ecc_sets[i].size != 0; i++) {
-     if (ltc_ecc_sets[i].size < *low)  {
-        *low  = ltc_ecc_sets[i].size;
-     }
-     if (ltc_ecc_sets[i].size > *high) {
-        *high = ltc_ecc_sets[i].size;
-     }
- }
+  int i, size;
+  void *prime;
+
+  LTC_ARGCHKVD(low  != NULL);
+  LTC_ARGCHKVD(high != NULL);
+
+  *low = INT_MAX;
+  *high = 0;
+
+  if (mp_init(&prime) == CRYPT_OK) {
+    for (i = 0; ltc_ecc_curves[i].prime != NULL; i++) {
+       if (mp_read_radix(prime, ltc_ecc_curves[i].prime, 16) == CRYPT_OK) {
+         size = mp_unsigned_bin_size(prime);
+         if (size < *low)  *low  = size;
+         if (size > *high) *high = size;
+       }
+    }
+    mp_clear(prime);
+  }
 }
 
 #endif

src/pk/ecc/ecc_test.c

@@ -7,11 +7,6 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
 /**
@@ -21,68 +16,12 @@
 
 #ifdef LTC_MECC
 
-/**
-  Perform on the ECC system
-  @return CRYPT_OK if successful
-*/
 int ecc_test(void)
 {
-   void     *modulus, *order;
-   ecc_point  *G, *GG;
-   int i, err, primality;
-
-   if ((err = mp_init_multi(&modulus, &order, NULL)) != CRYPT_OK) {
-      return err;
-   }
-
-   G   = ltc_ecc_new_point();
-   GG  = ltc_ecc_new_point();
-   if (G == NULL || GG == NULL) {
-      mp_clear_multi(modulus, order, NULL);
-      ltc_ecc_del_point(G);
-      ltc_ecc_del_point(GG);
-      return CRYPT_MEM;
-   }
-
-   for (i = 0; ltc_ecc_sets[i].size; i++) {
-       #if 0
-          printf("Testing %d\n", ltc_ecc_sets[i].size);
-       #endif
-       if ((err = mp_read_radix(modulus, (char *)ltc_ecc_sets[i].prime, 16)) != CRYPT_OK)   { goto done; }
-       if ((err = mp_read_radix(order, (char *)ltc_ecc_sets[i].order, 16)) != CRYPT_OK)     { goto done; }
-
-       /* is prime actually prime? */
-       if ((err = mp_prime_is_prime(modulus, 8, &primality)) != CRYPT_OK)                   { goto done; }
-       if (primality == 0) {
-          err = CRYPT_FAIL_TESTVECTOR;
-          goto done;
-       }
-
-       /* is order prime ? */
-       if ((err = mp_prime_is_prime(order, 8, &primality)) != CRYPT_OK)                     { goto done; }
-       if (primality == 0) {
-          err = CRYPT_FAIL_TESTVECTOR;
-          goto done;
-       }
-
-       if ((err = mp_read_radix(G->x, (char *)ltc_ecc_sets[i].Gx, 16)) != CRYPT_OK)         { goto done; }
-       if ((err = mp_read_radix(G->y, (char *)ltc_ecc_sets[i].Gy, 16)) != CRYPT_OK)         { goto done; }
-       mp_set(G->z, 1);
-
-       /* then we should have G == (order + 1)G */
-       if ((err = mp_add_d(order, 1, order)) != CRYPT_OK)                                   { goto done; }
-       if ((err = ltc_mp.ecc_ptmul(order, G, GG, modulus, 1)) != CRYPT_OK)                  { goto done; }
-       if (mp_cmp(G->x, GG->x) != LTC_MP_EQ || mp_cmp(G->y, GG->y) != LTC_MP_EQ) {
-          err = CRYPT_FAIL_TESTVECTOR;
-          goto done;
-       }
-   }
-   err = CRYPT_OK;
-done:
-   ltc_ecc_del_point(GG);
-   ltc_ecc_del_point(G);
-   mp_clear_multi(order, modulus, NULL);
-   return err;
+   /* the main ECC tests are in tests/ecc_test.c
+    * this function is kept just for API compatibility
+    */
+   return CRYPT_NOP;
 }
 
 #endif

src/pk/ecc/ecc_verify_hash.c

@@ -18,11 +18,11 @@
 
 static int _ecc_verify_hash(const unsigned char *sig,  unsigned long siglen,
                             const unsigned char *hash, unsigned long hashlen,
-                            int *stat, ecc_key *key, int sigformat)
+                            int *stat, const ecc_key *key, int sigformat)
 {
-   ecc_point    *mG, *mQ;
-   void          *r, *s, *v, *w, *u1, *u2, *e, *p, *m;
-   void          *mp;
+   ecc_point    *mG = NULL, *mQ = NULL;
+   void          *r, *s, *v, *w, *u1, *u2, *e, *p, *m, *a, *a_plus3 = NULL, *mu = NULL, *ma = NULL;
+   void          *mp = NULL;
    int           err;
    unsigned long pbits, pbytes, i, shift_right;
    unsigned char ch, buf[MAXBLOCKSIZE];
@@ -34,16 +34,17 @@ static int _ecc_verify_hash(const unsigned char *sig,  unsigned long siglen,
 
    /* default to invalid signature */
    *stat = 0;
-   mp    = NULL;
 
-   /* is the IDX valid ?  */
-   if (ltc_ecc_is_valid_idx(key->idx) != 1) {
-      return CRYPT_PK_INVALID_TYPE;
+   /* allocate ints */
+   if ((err = mp_init_multi(&r, &s, &v, &w, &u1, &u2, &e, &a_plus3, NULL)) != CRYPT_OK) {
+      return err;
    }
 
-   /* allocate ints */
-   if ((err = mp_init_multi(&r, &s, &v, &w, &u1, &u2, &p, &e, &m, NULL)) != CRYPT_OK) {
-      return CRYPT_MEM;
+   p = key->dp.order;
+   m = key->dp.prime;
+   a = key->dp.A;
+   if ((err = mp_add_d(a, 3, a_plus3)) != CRYPT_OK) {
+      goto error;
    }
 
    /* allocate points */
@@ -72,14 +73,9 @@ static int _ecc_verify_hash(const unsigned char *sig,  unsigned long siglen,
                                      LTC_ASN1_EOL, 0UL, NULL)) != CRYPT_OK)                             { goto error; }
    }
 
-   /* get the order */
-   if ((err = mp_read_radix(p, (char *)key->dp->order, 16)) != CRYPT_OK)                                { goto error; }
-
-   /* get the modulus */
-   if ((err = mp_read_radix(m, (char *)key->dp->prime, 16)) != CRYPT_OK)                                { goto error; }
-
    /* check for zero */
-   if (mp_iszero(r) || mp_iszero(s) || mp_cmp(r, p) != LTC_MP_LT || mp_cmp(s, p) != LTC_MP_LT) {
+   if (mp_cmp_d(r, 0) != LTC_MP_GT || mp_cmp_d(s, 0) != LTC_MP_GT ||
+       mp_cmp(r, p) != LTC_MP_LT || mp_cmp(s, p) != LTC_MP_LT) {
       err = CRYPT_INVALID_PACKET;
       goto error;
    }
@@ -113,30 +109,32 @@ static int _ecc_verify_hash(const unsigned char *sig,  unsigned long siglen,
    if ((err = mp_mulmod(r, w, p, u2)) != CRYPT_OK)                                                      { goto error; }
 
    /* find mG and mQ */
-   if ((err = mp_read_radix(mG->x, (char *)key->dp->Gx, 16)) != CRYPT_OK)                               { goto error; }
-   if ((err = mp_read_radix(mG->y, (char *)key->dp->Gy, 16)) != CRYPT_OK)                               { goto error; }
-   if ((err = mp_set(mG->z, 1)) != CRYPT_OK)                                                            { goto error; }
+   if ((err = ltc_ecc_copy_point(&key->dp.base, mG)) != CRYPT_OK)                                       { goto error; }
+   if ((err = ltc_ecc_copy_point(&key->pubkey, mQ)) != CRYPT_OK)                                        { goto error; }
+
+   /* find the montgomery mp */
+   if ((err = mp_montgomery_setup(m, &mp)) != CRYPT_OK)                                                 { goto error; }
 
-   if ((err = mp_copy(key->pubkey.x, mQ->x)) != CRYPT_OK)                                               { goto error; }
-   if ((err = mp_copy(key->pubkey.y, mQ->y)) != CRYPT_OK)                                               { goto error; }
-   if ((err = mp_copy(key->pubkey.z, mQ->z)) != CRYPT_OK)                                               { goto error; }
+   /* for curves with a == -3 keep ma == NULL */
+   if (mp_cmp(a_plus3, m) != LTC_MP_EQ) {
+      if ((err = mp_init_multi(&mu, &ma, NULL)) != CRYPT_OK)                                            { goto error; }
+      if ((err = mp_montgomery_normalization(mu, m)) != CRYPT_OK)                                       { goto error; }
+      if ((err = mp_mulmod(a, mu, m, ma)) != CRYPT_OK)                                                  { goto error; }
+   }
 
    /* compute u1*mG + u2*mQ = mG */
    if (ltc_mp.ecc_mul2add == NULL) {
-      if ((err = ltc_mp.ecc_ptmul(u1, mG, mG, m, 0)) != CRYPT_OK)                                       { goto error; }
-      if ((err = ltc_mp.ecc_ptmul(u2, mQ, mQ, m, 0)) != CRYPT_OK)                                       { goto error; }
-
-      /* find the montgomery mp */
-      if ((err = mp_montgomery_setup(m, &mp)) != CRYPT_OK)                                              { goto error; }
+      if ((err = ltc_mp.ecc_ptmul(u1, mG, mG, a, m, 0)) != CRYPT_OK)                                    { goto error; }
+      if ((err = ltc_mp.ecc_ptmul(u2, mQ, mQ, a, m, 0)) != CRYPT_OK)                                    { goto error; }
 
       /* add them */
-      if ((err = ltc_mp.ecc_ptadd(mQ, mG, mG, m, mp)) != CRYPT_OK)                                      { goto error; }
+      if ((err = ltc_mp.ecc_ptadd(mQ, mG, mG, ma, m, mp)) != CRYPT_OK)                                  { goto error; }
 
       /* reduce */
       if ((err = ltc_mp.ecc_map(mG, m, mp)) != CRYPT_OK)                                                { goto error; }
    } else {
       /* use Shamir's trick to compute u1*mG + u2*mQ using half of the doubles */
-      if ((err = ltc_mp.ecc_mul2add(mG, u1, mQ, u2, mG, m)) != CRYPT_OK)                                { goto error; }
+      if ((err = ltc_mp.ecc_mul2add(mG, u1, mQ, u2, mG, ma, m)) != CRYPT_OK)                            { goto error; }
    }
 
    /* v = X_x1 mod n */
@@ -150,9 +148,11 @@ static int _ecc_verify_hash(const unsigned char *sig,  unsigned long siglen,
    /* clear up and return */
    err = CRYPT_OK;
 error:
-   ltc_ecc_del_point(mG);
-   ltc_ecc_del_point(mQ);
-   mp_clear_multi(r, s, v, w, u1, u2, p, e, m, NULL);
+   if (mG != NULL) ltc_ecc_del_point(mG);
+   if (mQ != NULL) ltc_ecc_del_point(mQ);
+   if (mu != NULL) mp_clear(mu);
+   if (ma != NULL) mp_clear(ma);
+   mp_clear_multi(r, s, v, w, u1, u2, e, a_plus3, NULL);
    if (mp != NULL) {
       mp_montgomery_free(mp);
    }
@@ -171,7 +171,7 @@ error:
 */
 int ecc_verify_hash(const unsigned char *sig,  unsigned long siglen,
                     const unsigned char *hash, unsigned long hashlen,
-                    int *stat, ecc_key *key)
+                    int *stat, const ecc_key *key)
 {
    return _ecc_verify_hash(sig, siglen, hash, hashlen, stat, key, 0);
 }
@@ -188,7 +188,7 @@ int ecc_verify_hash(const unsigned char *sig,  unsigned long siglen,
 */
 int ecc_verify_hash_rfc7518(const unsigned char *sig,  unsigned long siglen,
                             const unsigned char *hash, unsigned long hashlen,
-                            int *stat, ecc_key *key)
+                            int *stat, const ecc_key *key)
 {
    return _ecc_verify_hash(sig, siglen, hash, hashlen, stat, key, 1);
 }

src/pk/ecc/ltc_ecc_export_point.c

@@ -0,0 +1,63 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+#ifdef LTC_MECC
+
+int ltc_ecc_export_point(unsigned char *out, unsigned long *outlen, void *x, void *y, unsigned long size, int compressed)
+{
+   int err;
+   unsigned char buf[ECC_BUF_SIZE];
+   unsigned long xsize, ysize;
+
+   if (size > sizeof(buf)) return CRYPT_BUFFER_OVERFLOW;
+   if ((xsize = mp_unsigned_bin_size(x)) > size) return CRYPT_BUFFER_OVERFLOW;
+   if ((ysize = mp_unsigned_bin_size(y)) > size) return CRYPT_BUFFER_OVERFLOW;
+
+   if(compressed) {
+      if (*outlen < (1 + size)) {
+         *outlen = 1 + size;
+         return CRYPT_BUFFER_OVERFLOW;
+      }
+      /* store first byte */
+      out[0] = mp_isodd(y) ? 0x03 : 0x02;
+      /* pad and store x */
+      zeromem(buf, sizeof(buf));
+      if ((err = mp_to_unsigned_bin(x, buf + (size - xsize))) != CRYPT_OK) return err;
+      XMEMCPY(out+1, buf, size);
+      /* adjust outlen */
+      *outlen = 1 + size;
+   }
+   else {
+      if (*outlen < (1 + 2*size)) {
+         *outlen = 1 + 2*size;
+         return CRYPT_BUFFER_OVERFLOW;
+      }
+      /* store byte 0x04 */
+      out[0] = 0x04;
+      /* pad and store x */
+      zeromem(buf, sizeof(buf));
+      if ((err = mp_to_unsigned_bin(x, buf + (size - xsize))) != CRYPT_OK) return err;
+      XMEMCPY(out+1, buf, size);
+      /* pad and store y */
+      zeromem(buf, sizeof(buf));
+      if ((err = mp_to_unsigned_bin(y, buf + (size - ysize))) != CRYPT_OK) return err;
+      XMEMCPY(out+1+size, buf, size);
+      /* adjust outlen */
+      *outlen = 1 + 2*size;
+   }
+   return CRYPT_OK;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/ecc/ltc_ecc_import_point.c

@@ -0,0 +1,71 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+#ifdef LTC_MECC
+
+int ltc_ecc_import_point(const unsigned char *in, unsigned long inlen, void *prime, void *a, void *b, void *x, void *y)
+{
+   int err;
+   unsigned long size;
+   void *t1, *t2;
+
+   /* init key + temporary numbers */
+   if (mp_init_multi(&t1, &t2, NULL) != CRYPT_OK) {
+      return CRYPT_MEM;
+   }
+
+   size = mp_unsigned_bin_size(prime);
+
+   if (in[0] == 0x04 && (inlen&1) && ((inlen-1)>>1) == size) {
+      /* read uncompressed point */
+      /* load x */
+      if ((err = mp_read_unsigned_bin(x, (unsigned char *)in+1, size)) != CRYPT_OK)      { goto cleanup; }
+      /* load y */
+      if ((err = mp_read_unsigned_bin(y, (unsigned char *)in+1+size, size)) != CRYPT_OK) { goto cleanup; }
+   }
+   else if ((in[0] == 0x02 || in[0] == 0x03) && (inlen-1) == size && ltc_mp.sqrtmod_prime != NULL) {
+      /* read compressed point - BEWARE: requires sqrtmod_prime */
+      /* load x */
+      if ((err = mp_read_unsigned_bin(x, (unsigned char *)in+1, size)) != CRYPT_OK)      { goto cleanup; }
+      /* compute x^3 */
+      if ((err = mp_sqr(x, t1)) != CRYPT_OK)                                             { goto cleanup; }
+      if ((err = mp_mulmod(t1, x, prime, t1)) != CRYPT_OK)                               { goto cleanup; }
+      /* compute x^3 + a*x */
+      if ((err = mp_mulmod(a, x, prime, t2)) != CRYPT_OK)                                { goto cleanup; }
+      if ((err = mp_add(t1, t2, t1)) != CRYPT_OK)                                        { goto cleanup; }
+      /* compute x^3 + a*x + b */
+      if ((err = mp_add(t1, b, t1)) != CRYPT_OK)                                         { goto cleanup; }
+      /* compute sqrt(x^3 + a*x + b) */
+      if ((err = mp_sqrtmod_prime(t1, prime, t2)) != CRYPT_OK)                           { goto cleanup; }
+      /* adjust y */
+      if ((mp_isodd(t2) && in[0] == 0x03) || (!mp_isodd(t2) && in[0] == 0x02)) {
+         if ((err = mp_mod(t2, prime, y)) != CRYPT_OK)                                   { goto cleanup; }
+      }
+      else {
+         if ((err = mp_submod(prime, t2, prime, y)) != CRYPT_OK)                         { goto cleanup; }
+      }
+   }
+   else {
+      err = CRYPT_INVALID_PACKET;
+      goto cleanup;
+   }
+
+   err = CRYPT_OK;
+cleanup:
+   mp_clear_multi(t1, t2, NULL);
+   return err;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/ecc/ltc_ecc_is_point.c

@@ -0,0 +1,72 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+#ifdef LTC_MECC
+
+/** Returns whether [x,y] is a point on curve defined by dp
+  @param dp     curve parameters
+  @param x      x point coordinate
+  @param y      y point coordinate
+  @return CRYPT_OK if valid
+*/
+
+int ltc_ecc_is_point(const ltc_ecc_dp *dp, void *x, void *y)
+{
+  void *prime, *a, *b, *t1, *t2;
+  int err;
+
+  prime = dp->prime;
+  b     = dp->B;
+  a     = dp->A;
+
+  if ((err = mp_init_multi(&t1, &t2, NULL)) != CRYPT_OK)  return err;
+
+  /* compute y^2 */
+  if ((err = mp_sqr(y, t1)) != CRYPT_OK)                  goto cleanup;
+
+  /* compute x^3 */
+  if ((err = mp_sqr(x, t2)) != CRYPT_OK)                  goto cleanup;
+  if ((err = mp_mod(t2, prime, t2)) != CRYPT_OK)          goto cleanup;
+  if ((err = mp_mul(x, t2, t2)) != CRYPT_OK)              goto cleanup;
+
+  /* compute y^2 - x^3 */
+  if ((err = mp_sub(t1, t2, t1)) != CRYPT_OK)             goto cleanup;
+
+  /* compute y^2 - x^3 - a*x */
+  if ((err = mp_submod(prime, a, prime, t2)) != CRYPT_OK) goto cleanup;
+  if ((err = mp_mulmod(t2, x, prime, t2)) != CRYPT_OK)    goto cleanup;
+  if ((err = mp_addmod(t1, t2, prime, t1)) != CRYPT_OK)   goto cleanup;
+
+  /* adjust range (0, prime) */
+  while (mp_cmp_d(t1, 0) == LTC_MP_LT) {
+     if ((err = mp_add(t1, prime, t1)) != CRYPT_OK)       goto cleanup;
+  }
+  while (mp_cmp(t1, prime) != LTC_MP_LT) {
+     if ((err = mp_sub(t1, prime, t1)) != CRYPT_OK)       goto cleanup;
+  }
+
+  /* compare to b */
+  if (mp_cmp(t1, b) != LTC_MP_EQ) {
+     err = CRYPT_INVALID_PACKET;
+  } else {
+     err = CRYPT_OK;
+  }
+
+cleanup:
+  mp_clear_multi(t1, t2, NULL);
+  return err;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/ecc/ltc_ecc_is_point_at_infinity.c

@@ -0,0 +1,62 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+#ifdef LTC_MECC
+
+/* http://crypto.stackexchange.com/questions/41468/point-at-infinity-for-jacobian-coordinates
+ * a point at infinity is any point (x,y,0) such that y^2 == x^3, except (0,0,0)
+ */
+
+int ltc_ecc_is_point_at_infinity(const ecc_point *P, void *modulus, int *retval)
+{
+   int err;
+   void  *x3, *y2;
+
+   /* trivial case */
+   if (!mp_iszero(P->z)) {
+      *retval = 0;
+      return CRYPT_OK;
+   }
+
+   /* point (0,0,0) is not at infinity */
+   if (mp_iszero(P->x) && mp_iszero(P->y)) {
+      *retval = 0;
+      return CRYPT_OK;
+   }
+
+   /* initialize */
+   if ((err = mp_init_multi(&x3, &y2, NULL))      != CRYPT_OK)   goto done;
+
+   /* compute y^2 */
+   if ((err = mp_mulmod(P->y, P->y, modulus, y2)) != CRYPT_OK)   goto cleanup;
+
+   /* compute x^3 */
+   if ((err = mp_mulmod(P->x, P->x, modulus, x3)) != CRYPT_OK)   goto cleanup;
+   if ((err = mp_mulmod(P->x, x3, modulus, x3))   != CRYPT_OK)   goto cleanup;
+
+   /* test y^2 == x^3 */
+   err = CRYPT_OK;
+   if ((mp_cmp(x3, y2) == LTC_MP_EQ) && !mp_iszero(y2))
+      *retval = 1;
+   else
+      *retval = 0;
+
+cleanup:
+   mp_clear_multi(x3, y2, NULL);
+done:
+   return err;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

src/pk/ecc/ltc_ecc_is_valid_idx.c

@@ -1,44 +0,0 @@
-/* LibTomCrypt, modular cryptographic library -- Tom St Denis
- *
- * LibTomCrypt is a library that provides various cryptographic
- * algorithms in a highly modular and flexible manner.
- *
- * The library is free for all purposes without any express
- * guarantee it works.
- */
-
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
-#include "tomcrypt.h"
-
-/**
-  @file ltc_ecc_is_valid_idx.c
-  ECC Crypto, Tom St Denis
-*/
-
-#ifdef LTC_MECC
-
-/** Returns whether an ECC idx is valid or not
-  @param n   The idx number to check
-  @return 1 if valid, 0 if not
-*/
-int ltc_ecc_is_valid_idx(int n)
-{
-   int x;
-
-   for (x = 0; ltc_ecc_sets[x].size != 0; x++);
-   /* -1 is a valid index --- indicating that the domain params were supplied by the user */
-   if ((n >= -1) && (n < x)) {
-      return 1;
-   }
-   return 0;
-}
-
-#endif
-/* ref:         $Format:%D$ */
-/* git commit:  $Format:%H$ */
-/* commit time: $Format:%ai$ */
-

src/pk/ecc/ltc_ecc_map.c

@@ -7,11 +7,6 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
 /**
@@ -37,6 +32,10 @@ int ltc_ecc_map(ecc_point *P, void *modulus, void *mp)
    LTC_ARGCHK(modulus != NULL);
    LTC_ARGCHK(mp      != NULL);
 
+   if (mp_iszero(P->z)) {
+      return ltc_ecc_set_point_xyz(0, 0, 1, P);
+   }
+
    if ((err = mp_init_multi(&t1, &t2, NULL)) != CRYPT_OK) {
       return err;
    }

src/pk/ecc/ltc_ecc_mul2add.c

@@ -7,11 +7,6 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
 /**
@@ -28,17 +23,20 @@
   @param kA       What to multiple A by
   @param B        Second point to multiply
   @param kB       What to multiple B by
-  @param C        [out] Destination point (can overlap with A or B
+  @param C        [out] Destination point (can overlap with A or B)
+  @param ma       ECC curve parameter a in montgomery form
   @param modulus  Modulus for curve
   @return CRYPT_OK on success
 */
-int ltc_ecc_mul2add(ecc_point *A, void *kA,
-                    ecc_point *B, void *kB,
-                    ecc_point *C,
-                         void *modulus)
+int ltc_ecc_mul2add(const ecc_point *A, void *kA,
+                    const ecc_point *B, void *kB,
+                          ecc_point *C,
+                               void *ma,
+                               void *modulus)
 {
   ecc_point     *precomp[16];
-  unsigned       bitbufA, bitbufB, lenA, lenB, len, x, y, nA, nB, nibble;
+  unsigned       bitbufA, bitbufB, lenA, lenB, len, nA, nB, nibble;
+  unsigned       x, y;
   unsigned char *tA, *tB;
   int            err, first;
   void          *mp, *mu;
@@ -112,17 +110,17 @@ int ltc_ecc_mul2add(ecc_point *A, void *kA,
   if ((err = mp_mulmod(B->z, mu, modulus, precomp[1<<2]->z)) != CRYPT_OK)                                      { goto ERR_MU; }
 
   /* precomp [i,0](A + B) table */
-  if ((err = ltc_mp.ecc_ptdbl(precomp[1], precomp[2], modulus, mp)) != CRYPT_OK)                               { goto ERR_MU; }
-  if ((err = ltc_mp.ecc_ptadd(precomp[1], precomp[2], precomp[3], modulus, mp)) != CRYPT_OK)                   { goto ERR_MU; }
+  if ((err = ltc_mp.ecc_ptdbl(precomp[1], precomp[2], ma, modulus, mp)) != CRYPT_OK)                           { goto ERR_MU; }
+  if ((err = ltc_mp.ecc_ptadd(precomp[1], precomp[2], precomp[3], ma, modulus, mp)) != CRYPT_OK)               { goto ERR_MU; }
 
   /* precomp [0,i](A + B) table */
-  if ((err = ltc_mp.ecc_ptdbl(precomp[1<<2], precomp[2<<2], modulus, mp)) != CRYPT_OK)                         { goto ERR_MU; }
-  if ((err = ltc_mp.ecc_ptadd(precomp[1<<2], precomp[2<<2], precomp[3<<2], modulus, mp)) != CRYPT_OK)          { goto ERR_MU; }
+  if ((err = ltc_mp.ecc_ptdbl(precomp[1<<2], precomp[2<<2], ma, modulus, mp)) != CRYPT_OK)                     { goto ERR_MU; }
+  if ((err = ltc_mp.ecc_ptadd(precomp[1<<2], precomp[2<<2], precomp[3<<2], ma, modulus, mp)) != CRYPT_OK)      { goto ERR_MU; }
 
   /* precomp [i,j](A + B) table (i != 0, j != 0) */
   for (x = 1; x < 4; x++) {
      for (y = 1; y < 4; y++) {
-        if ((err = ltc_mp.ecc_ptadd(precomp[x], precomp[(y<<2)], precomp[x+(y<<2)], modulus, mp)) != CRYPT_OK) { goto ERR_MU; }
+        if ((err = ltc_mp.ecc_ptadd(precomp[x], precomp[(y<<2)], precomp[x+(y<<2)], ma, modulus, mp)) != CRYPT_OK) { goto ERR_MU; }
      }
   }
 
@@ -156,8 +154,8 @@ int ltc_ecc_mul2add(ecc_point *A, void *kA,
      /* double twice, only if this isn't the first */
      if (first == 0) {
         /* double twice */
-        if ((err = ltc_mp.ecc_ptdbl(C, C, modulus, mp)) != CRYPT_OK)                  { goto ERR_MU; }
-        if ((err = ltc_mp.ecc_ptdbl(C, C, modulus, mp)) != CRYPT_OK)                  { goto ERR_MU; }
+        if ((err = ltc_mp.ecc_ptdbl(C, C, ma, modulus, mp)) != CRYPT_OK)              { goto ERR_MU; }
+        if ((err = ltc_mp.ecc_ptdbl(C, C, ma, modulus, mp)) != CRYPT_OK)              { goto ERR_MU; }
      }
 
      /* if not both zero */
@@ -165,12 +163,10 @@ int ltc_ecc_mul2add(ecc_point *A, void *kA,
         if (first == 1) {
            /* if first, copy from table */
            first = 0;
-           if ((err = mp_copy(precomp[nA + (nB<<2)]->x, C->x)) != CRYPT_OK)           { goto ERR_MU; }
-           if ((err = mp_copy(precomp[nA + (nB<<2)]->y, C->y)) != CRYPT_OK)           { goto ERR_MU; }
-           if ((err = mp_copy(precomp[nA + (nB<<2)]->z, C->z)) != CRYPT_OK)           { goto ERR_MU; }
+           if ((err = ltc_ecc_copy_point(precomp[nA + (nB<<2)], C)) != CRYPT_OK)      { goto ERR_MU; }
         } else {
            /* if not first, add from table */
-           if ((err = ltc_mp.ecc_ptadd(C, precomp[nA + (nB<<2)], C, modulus, mp)) != CRYPT_OK) { goto ERR_MU; }
+           if ((err = ltc_mp.ecc_ptadd(C, precomp[nA + (nB<<2)], C, ma, modulus, mp)) != CRYPT_OK) { goto ERR_MU; }
         }
      }
   }

src/pk/ecc/ltc_ecc_mulmod.c

@@ -7,11 +7,6 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
 /**
@@ -34,11 +29,11 @@
    @param map      Boolean whether to map back to affine or not (1==map, 0 == leave in projective)
    @return CRYPT_OK on success
 */
-int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map)
+int ltc_ecc_mulmod(void *k, const ecc_point *G, ecc_point *R, void *a, void *modulus, int map)
 {
    ecc_point *tG, *M[8];
-   int        i, j, err;
-   void       *mu, *mp;
+   int        i, j, err, inf;
+   void       *mp = NULL, *mu = NULL, *ma = NULL, *a_plus3 = NULL;
    ltc_mp_digit buf;
    int        first, bitbuf, bitcpy, bitcnt, mode, digidx;
 
@@ -47,18 +42,23 @@ int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map)
    LTC_ARGCHK(R       != NULL);
    LTC_ARGCHK(modulus != NULL);
 
-   /* init montgomery reduction */
-   if ((err = mp_montgomery_setup(modulus, &mp)) != CRYPT_OK) {
-      return err;
-   }
-   if ((err = mp_init(&mu)) != CRYPT_OK) {
-      mp_montgomery_free(mp);
-      return err;
+   if ((err = ltc_ecc_is_point_at_infinity(G, modulus, &inf)) != CRYPT_OK) return err;
+   if (inf) {
+      /* return the point at infinity */
+      return ltc_ecc_set_point_xyz(1, 1, 0, R);
    }
-   if ((err = mp_montgomery_normalization(mu, modulus)) != CRYPT_OK) {
-      mp_montgomery_free(mp);
-      mp_clear(mu);
-      return err;
+
+   /* init montgomery reduction */
+   if ((err = mp_montgomery_setup(modulus, &mp)) != CRYPT_OK)        { goto error; }
+   if ((err = mp_init(&mu)) != CRYPT_OK)                             { goto error; }
+   if ((err = mp_montgomery_normalization(mu, modulus)) != CRYPT_OK) { goto error; }
+
+   /* for curves with a == -3 keep ma == NULL */
+   if ((err = mp_init(&a_plus3)) != CRYPT_OK)                        { goto error; }
+   if ((err = mp_add_d(a, 3, a_plus3)) != CRYPT_OK)                  { goto error; }
+   if (mp_cmp(a_plus3, modulus) != LTC_MP_EQ) {
+      if ((err = mp_init(&ma)) != CRYPT_OK)                          { goto error; }
+      if ((err = mp_mulmod(a, mu, modulus, ma)) != CRYPT_OK)         { goto error; }
    }
 
   /* alloc ram for window temps */
@@ -68,9 +68,8 @@ int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map)
          for (j = 0; j < i; j++) {
              ltc_ecc_del_point(M[j]);
          }
-         mp_montgomery_free(mp);
-         mp_clear(mu);
-         return CRYPT_MEM;
+         err = CRYPT_MEM;
+         goto error;
       }
   }
 
@@ -80,9 +79,7 @@ int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map)
 
    /* tG = G  and convert to montgomery */
    if (mp_cmp_d(mu, 1) == LTC_MP_EQ) {
-      if ((err = mp_copy(G->x, tG->x)) != CRYPT_OK)                                  { goto done; }
-      if ((err = mp_copy(G->y, tG->y)) != CRYPT_OK)                                  { goto done; }
-      if ((err = mp_copy(G->z, tG->z)) != CRYPT_OK)                                  { goto done; }
+      if ((err = ltc_ecc_copy_point(G, tG)) != CRYPT_OK)                             { goto done; }
    } else {
       if ((err = mp_mulmod(G->x, mu, modulus, tG->x)) != CRYPT_OK)                   { goto done; }
       if ((err = mp_mulmod(G->y, mu, modulus, tG->y)) != CRYPT_OK)                   { goto done; }
@@ -93,13 +90,13 @@ int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map)
 
    /* calc the M tab, which holds kG for k==8..15 */
    /* M[0] == 8G */
-   if ((err = ltc_mp.ecc_ptdbl(tG, M[0], modulus, mp)) != CRYPT_OK)                 { goto done; }
-   if ((err = ltc_mp.ecc_ptdbl(M[0], M[0], modulus, mp)) != CRYPT_OK)               { goto done; }
-   if ((err = ltc_mp.ecc_ptdbl(M[0], M[0], modulus, mp)) != CRYPT_OK)               { goto done; }
+   if ((err = ltc_mp.ecc_ptdbl(tG, M[0], ma, modulus, mp)) != CRYPT_OK)              { goto done; }
+   if ((err = ltc_mp.ecc_ptdbl(M[0], M[0], ma, modulus, mp)) != CRYPT_OK)            { goto done; }
+   if ((err = ltc_mp.ecc_ptdbl(M[0], M[0], ma, modulus, mp)) != CRYPT_OK)            { goto done; }
 
    /* now find (8+k)G for k=1..7 */
    for (j = 9; j < 16; j++) {
-       if ((err = ltc_mp.ecc_ptadd(M[j-9], tG, M[j-8], modulus, mp)) != CRYPT_OK)   { goto done; }
+       if ((err = ltc_mp.ecc_ptadd(M[j-9], tG, M[j-8], ma, modulus, mp)) != CRYPT_OK) { goto done; }
    }
 
    /* setup sliding window */
@@ -133,7 +130,7 @@ int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map)
 
      /* if the bit is zero and mode == 1 then we double */
      if (mode == 1 && i == 0) {
-        if ((err = ltc_mp.ecc_ptdbl(R, R, modulus, mp)) != CRYPT_OK)                 { goto done; }
+        if ((err = ltc_mp.ecc_ptdbl(R, R, ma, modulus, mp)) != CRYPT_OK)             { goto done; }
         continue;
      }
 
@@ -145,20 +142,18 @@ int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map)
        /* if this is the first window we do a simple copy */
        if (first == 1) {
           /* R = kG [k = first window] */
-          if ((err = mp_copy(M[bitbuf-8]->x, R->x)) != CRYPT_OK)                     { goto done; }
-          if ((err = mp_copy(M[bitbuf-8]->y, R->y)) != CRYPT_OK)                     { goto done; }
-          if ((err = mp_copy(M[bitbuf-8]->z, R->z)) != CRYPT_OK)                     { goto done; }
+          if ((err = ltc_ecc_copy_point(M[bitbuf-8], R)) != CRYPT_OK)                { goto done; }
           first = 0;
        } else {
          /* normal window */
          /* ok window is filled so double as required and add  */
          /* double first */
          for (j = 0; j < WINSIZE; j++) {
-           if ((err = ltc_mp.ecc_ptdbl(R, R, modulus, mp)) != CRYPT_OK)              { goto done; }
+           if ((err = ltc_mp.ecc_ptdbl(R, R, ma, modulus, mp)) != CRYPT_OK)          { goto done; }
          }
 
          /* then add, bitbuf will be 8..15 [8..2^WINSIZE] guaranteed */
-         if ((err = ltc_mp.ecc_ptadd(R, M[bitbuf-8], R, modulus, mp)) != CRYPT_OK)   { goto done; }
+         if ((err = ltc_mp.ecc_ptadd(R, M[bitbuf-8], R, ma, modulus, mp)) != CRYPT_OK) { goto done; }
        }
        /* empty window and reset */
        bitcpy = bitbuf = 0;
@@ -172,20 +167,18 @@ int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map)
      for (j = 0; j < bitcpy; j++) {
        /* only double if we have had at least one add first */
        if (first == 0) {
-          if ((err = ltc_mp.ecc_ptdbl(R, R, modulus, mp)) != CRYPT_OK)              { goto done; }
+          if ((err = ltc_mp.ecc_ptdbl(R, R, ma, modulus, mp)) != CRYPT_OK)           { goto done; }
        }
 
        bitbuf <<= 1;
        if ((bitbuf & (1 << WINSIZE)) != 0) {
          if (first == 1){
             /* first add, so copy */
-            if ((err = mp_copy(tG->x, R->x)) != CRYPT_OK)                           { goto done; }
-            if ((err = mp_copy(tG->y, R->y)) != CRYPT_OK)                           { goto done; }
-            if ((err = mp_copy(tG->z, R->z)) != CRYPT_OK)                           { goto done; }
+            if ((err = ltc_ecc_copy_point(tG, R)) != CRYPT_OK)                      { goto done; }
             first = 0;
          } else {
             /* then add */
-            if ((err = ltc_mp.ecc_ptadd(R, tG, R, modulus, mp)) != CRYPT_OK)        { goto done; }
+            if ((err = ltc_mp.ecc_ptadd(R, tG, R, ma, modulus, mp)) != CRYPT_OK)     { goto done; }
          }
        }
      }
@@ -198,14 +191,15 @@ int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map)
       err = CRYPT_OK;
    }
 done:
-   if (mu != NULL) {
-      mp_clear(mu);
-   }
-   mp_montgomery_free(mp);
    ltc_ecc_del_point(tG);
    for (i = 0; i < 8; i++) {
        ltc_ecc_del_point(M[i]);
    }
+error:
+   if (ma != NULL) mp_clear(ma);
+   if (a_plus3 != NULL) mp_clear(a_plus3);
+   if (mu != NULL) mp_clear(mu);
+   if (mp != NULL) mp_montgomery_free(mp);
    return err;
 }
 

src/pk/ecc/ltc_ecc_mulmod_timing.c

@@ -7,11 +7,6 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
 /**
@@ -28,15 +23,16 @@
    @param k    The scalar to multiply by
    @param G    The base point
    @param R    [out] Destination for kG
+   @param a    ECC curve parameter a
    @param modulus  The modulus of the field the ECC curve is in
    @param map      Boolean whether to map back to affine or not (1==map, 0 == leave in projective)
    @return CRYPT_OK on success
 */
-int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map)
+int ltc_ecc_mulmod(void *k, const ecc_point *G, ecc_point *R, void *a, void *modulus, int map)
 {
    ecc_point *tG, *M[3];
-   int        i, j, err;
-   void       *mu, *mp;
+   int        i, j, err, inf;
+   void       *mp = NULL, *mu = NULL, *ma = NULL, *a_plus3 = NULL;
    ltc_mp_digit buf;
    int        bitcnt, mode, digidx;
 
@@ -45,18 +41,23 @@ int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map)
    LTC_ARGCHK(R       != NULL);
    LTC_ARGCHK(modulus != NULL);
 
-   /* init montgomery reduction */
-   if ((err = mp_montgomery_setup(modulus, &mp)) != CRYPT_OK) {
-      return err;
-   }
-   if ((err = mp_init(&mu)) != CRYPT_OK) {
-      mp_montgomery_free(mp);
-      return err;
+   if ((err = ltc_ecc_is_point_at_infinity(G, modulus, &inf)) != CRYPT_OK) return err;
+   if (inf) {
+      /* return the point at infinity */
+      return ltc_ecc_set_point_xyz(1, 1, 0, R);
    }
-   if ((err = mp_montgomery_normalization(mu, modulus)) != CRYPT_OK) {
-      mp_clear(mu);
-      mp_montgomery_free(mp);
-      return err;
+
+   /* init montgomery reduction */
+   if ((err = mp_montgomery_setup(modulus, &mp)) != CRYPT_OK)        { goto error; }
+   if ((err = mp_init(&mu)) != CRYPT_OK)                             { goto error; }
+   if ((err = mp_montgomery_normalization(mu, modulus)) != CRYPT_OK) { goto error; }
+
+   /* for curves with a == -3 keep ma == NULL */
+   if ((err = mp_init(&a_plus3)) != CRYPT_OK)                        { goto error; }
+   if ((err = mp_add_d(a, 3, a_plus3)) != CRYPT_OK)                  { goto error; }
+   if (mp_cmp(a_plus3, modulus) != LTC_MP_EQ) {
+      if ((err = mp_init(&ma)) != CRYPT_OK)                          { goto error; }
+      if ((err = mp_mulmod(a, mu, modulus, ma)) != CRYPT_OK)         { goto error; }
    }
 
    /* alloc ram for window temps */
@@ -85,11 +86,9 @@ int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map)
 
    /* calc the M tab */
    /* M[0] == G */
-   if ((err = mp_copy(tG->x, M[0]->x)) != CRYPT_OK)                                  { goto done; }
-   if ((err = mp_copy(tG->y, M[0]->y)) != CRYPT_OK)                                  { goto done; }
-   if ((err = mp_copy(tG->z, M[0]->z)) != CRYPT_OK)                                  { goto done; }
+   if ((err = ltc_ecc_copy_point(tG, M[0])) != CRYPT_OK)                             { goto done; }
    /* M[1] == 2G */
-   if ((err = ltc_mp.ecc_ptdbl(tG, M[1], modulus, mp)) != CRYPT_OK)                  { goto done; }
+   if ((err = ltc_mp.ecc_ptdbl(tG, M[1], ma, modulus, mp)) != CRYPT_OK)              { goto done; }
 
    /* setup sliding window */
    mode   = 0;
@@ -110,32 +109,30 @@ int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map)
       }
 
       /* grab the next msb from the ltiplicand */
-      i = (buf >> (MP_DIGIT_BIT - 1)) & 1;
+      i = (int)((buf >> (MP_DIGIT_BIT - 1)) & 1);
       buf <<= 1;
 
       if (mode == 0 && i == 0) {
          /* dummy operations */
-         if ((err = ltc_mp.ecc_ptadd(M[0], M[1], M[2], modulus, mp)) != CRYPT_OK)    { goto done; }
-         if ((err = ltc_mp.ecc_ptdbl(M[1], M[2], modulus, mp)) != CRYPT_OK)          { goto done; }
+         if ((err = ltc_mp.ecc_ptadd(M[0], M[1], M[2], ma, modulus, mp)) != CRYPT_OK) { goto done; }
+         if ((err = ltc_mp.ecc_ptdbl(M[1], M[2], ma, modulus, mp)) != CRYPT_OK)       { goto done; }
          continue;
       }
 
       if (mode == 0 && i == 1) {
          mode = 1;
          /* dummy operations */
-         if ((err = ltc_mp.ecc_ptadd(M[0], M[1], M[2], modulus, mp)) != CRYPT_OK)    { goto done; }
-         if ((err = ltc_mp.ecc_ptdbl(M[1], M[2], modulus, mp)) != CRYPT_OK)          { goto done; }
+         if ((err = ltc_mp.ecc_ptadd(M[0], M[1], M[2], ma, modulus, mp)) != CRYPT_OK) { goto done; }
+         if ((err = ltc_mp.ecc_ptdbl(M[1], M[2], ma, modulus, mp)) != CRYPT_OK)       { goto done; }
          continue;
       }
 
-      if ((err = ltc_mp.ecc_ptadd(M[0], M[1], M[i^1], modulus, mp)) != CRYPT_OK)     { goto done; }
-      if ((err = ltc_mp.ecc_ptdbl(M[i], M[i], modulus, mp)) != CRYPT_OK)             { goto done; }
+      if ((err = ltc_mp.ecc_ptadd(M[0], M[1], M[i^1], ma, modulus, mp)) != CRYPT_OK)  { goto done; }
+      if ((err = ltc_mp.ecc_ptdbl(M[i], M[i], ma, modulus, mp)) != CRYPT_OK)          { goto done; }
    }
 
    /* copy result out */
-   if ((err = mp_copy(M[0]->x, R->x)) != CRYPT_OK)                                   { goto done; }
-   if ((err = mp_copy(M[0]->y, R->y)) != CRYPT_OK)                                   { goto done; }
-   if ((err = mp_copy(M[0]->z, R->z)) != CRYPT_OK)                                   { goto done; }
+   if ((err = ltc_ecc_copy_point(M[0], R)) != CRYPT_OK)                              { goto done; }
 
    /* map R back from projective space */
    if (map) {
@@ -144,14 +141,15 @@ int ltc_ecc_mulmod(void *k, ecc_point *G, ecc_point *R, void *modulus, int map)
       err = CRYPT_OK;
    }
 done:
-   if (mu != NULL) {
-      mp_clear(mu);
-   }
-   mp_montgomery_free(mp);
    ltc_ecc_del_point(tG);
    for (i = 0; i < 3; i++) {
        ltc_ecc_del_point(M[i]);
    }
+error:
+   if (ma != NULL) mp_clear(ma);
+   if (a_plus3 != NULL) mp_clear(a_plus3);
+   if (mu != NULL) mp_clear(mu);
+   if (mp != NULL) mp_montgomery_free(mp);
    return err;
 }
 

src/pk/ecc/ltc_ecc_points.c

@@ -7,11 +7,6 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
 /**
@@ -51,6 +46,24 @@ void ltc_ecc_del_point(ecc_point *p)
    }
 }
 
+int ltc_ecc_set_point_xyz(ltc_mp_digit x, ltc_mp_digit y, ltc_mp_digit z, ecc_point *p)
+{
+   int err;
+   if ((err = ltc_mp.set_int(p->x, x)) != CRYPT_OK) return err;
+   if ((err = ltc_mp.set_int(p->y, y)) != CRYPT_OK) return err;
+   if ((err = ltc_mp.set_int(p->z, z)) != CRYPT_OK) return err;
+   return CRYPT_OK;
+}
+
+int ltc_ecc_copy_point(const ecc_point *src, ecc_point *dst)
+{
+   int err;
+   if ((err = ltc_mp.copy(src->x, dst->x)) != CRYPT_OK) return err;
+   if ((err = ltc_mp.copy(src->y, dst->y)) != CRYPT_OK) return err;
+   if ((err = ltc_mp.copy(src->z, dst->z)) != CRYPT_OK) return err;
+   return CRYPT_OK;
+}
+
 #endif
 /* ref:         $Format:%D$ */
 /* git commit:  $Format:%H$ */

src/pk/ecc/ltc_ecc_projective_add_point.c

@@ -7,11 +7,6 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
- *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
- */
 #include "tomcrypt.h"
 
 /**
@@ -26,14 +21,15 @@
    @param P        The point to add
    @param Q        The point to add
    @param R        [out] The destination of the double
+   @param ma       ECC curve parameter a in montgomery form
    @param modulus  The modulus of the field the ECC curve is in
    @param mp       The "b" value from montgomery_setup()
    @return CRYPT_OK on success
 */
-int ltc_ecc_projective_add_point(ecc_point *P, ecc_point *Q, ecc_point *R, void *modulus, void *mp)
+int ltc_ecc_projective_add_point(const ecc_point *P, const ecc_point *Q, ecc_point *R, void *ma, void *modulus, void *mp)
 {
    void  *t1, *t2, *x, *y, *z;
-   int    err;
+   int    err, inf;
 
    LTC_ARGCHK(P       != NULL);
    LTC_ARGCHK(Q       != NULL);
@@ -45,14 +41,32 @@ int ltc_ecc_projective_add_point(ecc_point *P, ecc_point *Q, ecc_point *R, void
       return err;
    }
 
-   /* should we dbl instead? */
-   if ((err = mp_sub(modulus, Q->y, t1)) != CRYPT_OK)                          { goto done; }
+   if ((err = ltc_ecc_is_point_at_infinity(P, modulus, &inf)) != CRYPT_OK) return err;
+   if (inf) {
+      /* P is point at infinity >> Result = Q */
+      err = ltc_ecc_copy_point(Q, R);
+      goto done;
+   }
+
+   if ((err = ltc_ecc_is_point_at_infinity(Q, modulus, &inf)) != CRYPT_OK) return err;
+   if (inf) {
+      /* Q is point at infinity >> Result = P */
+      err = ltc_ecc_copy_point(P, R);
+      goto done;
+   }
 
-   if ( (mp_cmp(P->x, Q->x) == LTC_MP_EQ) &&
-        (Q->z != NULL && mp_cmp(P->z, Q->z) == LTC_MP_EQ) &&
-        (mp_cmp(P->y, Q->y) == LTC_MP_EQ || mp_cmp(P->y, t1) == LTC_MP_EQ)) {
-        mp_clear_multi(t1, t2, x, y, z, NULL);
-        return ltc_ecc_projective_dbl_point(P, R, modulus, mp);
+   if ((mp_cmp(P->x, Q->x) == LTC_MP_EQ) && (mp_cmp(P->z, Q->z) == LTC_MP_EQ)) {
+      if (mp_cmp(P->y, Q->y) == LTC_MP_EQ) {
+         /* here P = Q >> Result = 2 * P (use doubling) */
+         mp_clear_multi(t1, t2, x, y, z, NULL);
+         return ltc_ecc_projective_dbl_point(P, R, ma, modulus, mp);
+      }
+      if ((err = mp_sub(modulus, Q->y, t1)) != CRYPT_OK)                       { goto done; }
+      if (mp_cmp(P->y, t1) == LTC_MP_EQ) {
+         /* here Q = -P >>> Result = the point at infinity */
+         err = ltc_ecc_set_point_xyz(1, 1, 0, R);
+         goto done;
+      }
    }
 
    if ((err = mp_copy(P->x, x)) != CRYPT_OK)                                   { goto done; }

src/pk/ecc/ltc_ecc_projective_dbl_point.c

@@ -7,12 +7,25 @@
  * guarantee it works.
  */
 
-/* Implements ECC over Z/pZ for curve y^2 = x^3 - 3x + b
+#include "tomcrypt.h"
+
+/* ### Point doubling in Jacobian coordinate system ###
+ *
+ * let us have a curve:                 y^2 = x^3 + a*x + b
+ * in Jacobian coordinates it becomes:  y^2 = x^3 + a*x*z^4 + b*z^6
  *
- * All curves taken from NIST recommendation paper of July 1999
- * Available at http://csrc.nist.gov/cryptval/dss.htm
+ * The doubling of P = (Xp, Yp, Zp) is given by R = (Xr, Yr, Zr) where:
+ * Xr = M^2 - 2*S
+ * Yr = M * (S - Xr) - 8*T
+ * Zr = 2 * Yp * Zp
+ *
+ * M = 3 * Xp^2 + a*Zp^4
+ * T = Yp^4
+ * S = 4 * Xp * Yp^2
+ *
+ * SPECIAL CASE: when a == -3 we can compute M as
+ * M = 3 * (Xp^2 - Zp^4) = 3 * (Xp + Zp^2) * (Xp - Zp^2)
  */
-#include "tomcrypt.h"
 
 /**
   @file ltc_ecc_projective_dbl_point.c
@@ -25,14 +38,15 @@
    Double an ECC point
    @param P   The point to double
    @param R   [out] The destination of the double
+   @param ma  ECC curve parameter a in montgomery form
    @param modulus  The modulus of the field the ECC curve is in
    @param mp       The "b" value from montgomery_setup()
    @return CRYPT_OK on success
 */
-int ltc_ecc_projective_dbl_point(ecc_point *P, ecc_point *R, void *modulus, void *mp)
+int ltc_ecc_projective_dbl_point(const ecc_point *P, ecc_point *R, void *ma, void *modulus, void *mp)
 {
    void *t1, *t2;
-   int   err;
+   int   err, inf;
 
    LTC_ARGCHK(P       != NULL);
    LTC_ARGCHK(R       != NULL);
@@ -44,9 +58,14 @@ int ltc_ecc_projective_dbl_point(ecc_point *P, ecc_point *R, void *modulus, void
    }
 
    if (P != R) {
-      if ((err = mp_copy(P->x, R->x)) != CRYPT_OK)                                { goto done; }
-      if ((err = mp_copy(P->y, R->y)) != CRYPT_OK)                                { goto done; }
-      if ((err = mp_copy(P->z, R->z)) != CRYPT_OK)                                { goto done; }
+      if ((err = ltc_ecc_copy_point(P, R)) != CRYPT_OK)                           { goto done; }
+   }
+
+   if ((err = ltc_ecc_is_point_at_infinity(P, modulus, &inf)) != CRYPT_OK) return err;
+   if (inf) {
+      /* if P is point at infinity >> Result = point at infinity */
+      err = ltc_ecc_set_point_xyz(1, 1, 0, R);
+      goto done;
    }
 
    /* t1 = Z * Z */
@@ -61,28 +80,56 @@ int ltc_ecc_projective_dbl_point(ecc_point *P, ecc_point *R, void *modulus, void
       if ((err = mp_sub(R->z, modulus, R->z)) != CRYPT_OK)                        { goto done; }
    }
 
-   /* T2 = X - T1 */
-   if ((err = mp_sub(R->x, t1, t2)) != CRYPT_OK)                                  { goto done; }
-   if (mp_cmp_d(t2, 0) == LTC_MP_LT) {
-      if ((err = mp_add(t2, modulus, t2)) != CRYPT_OK)                            { goto done; }
-   }
-   /* T1 = X + T1 */
-   if ((err = mp_add(t1, R->x, t1)) != CRYPT_OK)                                  { goto done; }
-   if (mp_cmp(t1, modulus) != LTC_MP_LT) {
-      if ((err = mp_sub(t1, modulus, t1)) != CRYPT_OK)                            { goto done; }
-   }
-   /* T2 = T1 * T2 */
-   if ((err = mp_mul(t1, t2, t2)) != CRYPT_OK)                                    { goto done; }
-   if ((err = mp_montgomery_reduce(t2, modulus, mp)) != CRYPT_OK)                 { goto done; }
-   /* T1 = 2T2 */
-   if ((err = mp_add(t2, t2, t1)) != CRYPT_OK)                                    { goto done; }
-   if (mp_cmp(t1, modulus) != LTC_MP_LT) {
-      if ((err = mp_sub(t1, modulus, t1)) != CRYPT_OK)                            { goto done; }
+   if (ma == NULL) { /* special case for curves with a == -3 (10% faster than general case) */
+      /* T2 = X - T1 */
+      if ((err = mp_sub(R->x, t1, t2)) != CRYPT_OK)                               { goto done; }
+      if (mp_cmp_d(t2, 0) == LTC_MP_LT) {
+         if ((err = mp_add(t2, modulus, t2)) != CRYPT_OK)                         { goto done; }
+      }
+      /* T1 = X + T1 */
+      if ((err = mp_add(t1, R->x, t1)) != CRYPT_OK)                               { goto done; }
+      if (mp_cmp(t1, modulus) != LTC_MP_LT) {
+         if ((err = mp_sub(t1, modulus, t1)) != CRYPT_OK)                         { goto done; }
+      }
+      /* T2 = T1 * T2 */
+      if ((err = mp_mul(t1, t2, t2)) != CRYPT_OK)                                 { goto done; }
+      if ((err = mp_montgomery_reduce(t2, modulus, mp)) != CRYPT_OK)              { goto done; }
+      /* T1 = 2T2 */
+      if ((err = mp_add(t2, t2, t1)) != CRYPT_OK)                                 { goto done; }
+      if (mp_cmp(t1, modulus) != LTC_MP_LT) {
+         if ((err = mp_sub(t1, modulus, t1)) != CRYPT_OK)                         { goto done; }
+      }
+      /* T1 = T1 + T2 */
+      if ((err = mp_add(t1, t2, t1)) != CRYPT_OK)                                 { goto done; }
+      if (mp_cmp(t1, modulus) != LTC_MP_LT) {
+         if ((err = mp_sub(t1, modulus, t1)) != CRYPT_OK)                         { goto done; }
+      }
    }
-   /* T1 = T1 + T2 */
-   if ((err = mp_add(t1, t2, t1)) != CRYPT_OK)                                    { goto done; }
-   if (mp_cmp(t1, modulus) != LTC_MP_LT) {
-      if ((err = mp_sub(t1, modulus, t1)) != CRYPT_OK)                            { goto done; }
+   else {
+      /* T2 = T1 * T1 */
+      if ((err = mp_sqr(t1, t2)) != CRYPT_OK)                                     { goto done; }
+      if ((err = mp_montgomery_reduce(t2, modulus, mp)) != CRYPT_OK)              { goto done; }
+      /* T1 = T2 * a */
+      if ((err = mp_mul(t2, ma, t1)) != CRYPT_OK)                                 { goto done; }
+      if ((err = mp_montgomery_reduce(t1, modulus, mp)) != CRYPT_OK)              { goto done; }
+      /* T2 = X * X */
+      if ((err = mp_sqr(R->x, t2)) != CRYPT_OK)                                   { goto done; }
+      if ((err = mp_montgomery_reduce(t2, modulus, mp)) != CRYPT_OK)              { goto done; }
+      /* T1 = T2 + T1 */
+      if ((err = mp_add(t1, t2, t1)) != CRYPT_OK)                                 { goto done; }
+      if (mp_cmp(t1, modulus) != LTC_MP_LT) {
+         if ((err = mp_sub(t1, modulus, t1)) != CRYPT_OK)                         { goto done; }
+      }
+      /* T1 = T2 + T1 */
+      if ((err = mp_add(t1, t2, t1)) != CRYPT_OK)                                 { goto done; }
+      if (mp_cmp(t1, modulus) != LTC_MP_LT) {
+         if ((err = mp_sub(t1, modulus, t1)) != CRYPT_OK)                         { goto done; }
+      }
+      /* T1 = T2 + T1 */
+      if ((err = mp_add(t1, t2, t1)) != CRYPT_OK)                                 { goto done; }
+      if (mp_cmp(t1, modulus) != LTC_MP_LT) {
+         if ((err = mp_sub(t1, modulus, t1)) != CRYPT_OK)                         { goto done; }
+      }
    }
 
    /* Y = 2Y */
@@ -135,7 +182,7 @@ int ltc_ecc_projective_dbl_point(ecc_point *P, ecc_point *R, void *modulus, void
 
    err = CRYPT_OK;
 done:
-   mp_clear_multi(t1, t2, NULL);
+   mp_clear_multi(t2, t1, NULL);
    return err;
 }
 #endif

src/pk/ecc/ltc_ecc_verify_key.c

@@ -0,0 +1,69 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ */
+
+#include "tomcrypt.h"
+
+/* origin of this code - OLPC */
+
+#ifdef LTC_MECC
+
+/**
+  Verify a key according to ANSI spec
+  @param key     The key to validate
+  @return CRYPT_OK if successful
+*/
+
+int ltc_ecc_verify_key(const ecc_key *key)
+{
+   int err, inf;
+   ecc_point *point;
+   void *prime = key->dp.prime;
+   void *order = key->dp.order;
+   void *a     = key->dp.A;
+
+   /* Test 1: Are the x and y points of the public key in the field? */
+   if (ltc_mp.compare_d(key->pubkey.z, 1) == LTC_MP_EQ) {
+      if ((ltc_mp.compare(key->pubkey.x, prime) != LTC_MP_LT) ||
+          (ltc_mp.compare(key->pubkey.y, prime) != LTC_MP_LT) ||
+          (ltc_mp.compare_d(key->pubkey.x, 0) == LTC_MP_LT) ||
+          (ltc_mp.compare_d(key->pubkey.y, 0) == LTC_MP_LT) ||
+          (mp_iszero(key->pubkey.x) && mp_iszero(key->pubkey.y))
+         )
+      {
+         err = CRYPT_INVALID_PACKET;
+         goto done2;
+      }
+   }
+
+   /* Test 2: is the public key on the curve? */
+   if ((err = ltc_ecc_is_point(&key->dp, key->pubkey.x, key->pubkey.y)) != CRYPT_OK)      { goto done2; }
+
+   /* Test 3: does nG = O? (n = order, O = point at infinity, G = public key) */
+   point = ltc_ecc_new_point();
+   if ((err = ltc_ecc_mulmod(order, &(key->pubkey), point, a, prime, 1)) != CRYPT_OK)     { goto done1; }
+
+   err = ltc_ecc_is_point_at_infinity(point, prime, &inf);
+   if (err != CRYPT_OK || inf) {
+      err = CRYPT_ERROR;
+   }
+   else {
+      err = CRYPT_OK;
+   }
+
+done1:
+   ltc_ecc_del_point(point);
+done2:
+   return err;
+}
+
+#endif
+
+/* ref:         $Format:%D$ */
+/* git commit:  $Format:%H$ */
+/* commit time: $Format:%ai$ */

tests/der_test.c

@@ -306,21 +306,11 @@ static void _der_tests_print_flexi(ltc_asn1_list* l, unsigned int level)
   case LTC_ASN1_OBJECT_IDENTIFIER:
     name = "OBJECT IDENTIFIER";
     {
-      unsigned long i;
-      int r;
-      char* s = buf;
-      int sz = sizeof(buf);
-      for (i = 0; i < l->size; ++i) {
-        r = snprintf(s, sz, "%lu.", ((unsigned long*)l->data)[i]);
-        if (r < 0 || r >= sz) {
-            fprintf(stderr, "%s boom\n", name);
-            exit(EXIT_FAILURE);
-        }
-        s += r;
-        sz -= r;
+      unsigned long len = sizeof(buf);
+      if (pk_oid_num_to_str(l->data, l->size, buf, &len) != CRYPT_OK) {
+        fprintf(stderr, "%s boom\n", name);
+        exit(EXIT_FAILURE);
       }
-      /* replace the last . with a \0 */
-      *(s - 1) = '\0';
       text = buf;
     }
     break;

tests/ecc_test.c

@@ -11,41 +11,42 @@
 #if defined(LTC_MECC)
 
 static unsigned int sizes[] = {
-#ifdef LTC_ECC112
+#ifdef LTC_ECC_SECP112R1
 14,
 #endif
-#ifdef LTC_ECC128
+#ifdef LTC_ECC_SECP128R1
 16,
 #endif
-#ifdef LTC_ECC160
+#ifdef LTC_ECC_SECP160R1
 20,
 #endif
-#ifdef LTC_ECC192
+#ifdef LTC_ECC_SECP192R1
 24,
 #endif
-#ifdef LTC_ECC224
+#ifdef LTC_ECC_SECP224R1
 28,
 #endif
-#ifdef LTC_ECC256
+#ifdef LTC_ECC_SECP256R1
 32,
 #endif
-#ifdef LTC_ECC384
+#ifdef LTC_ECC_SECP384R1
 48,
 #endif
-#ifdef LTC_ECC521
-65
+#ifdef LTC_ECC_SECP512R1
+66
 #endif
 };
 
 #ifdef LTC_ECC_SHAMIR
-int ecc_test_shamir(void)
+static int _ecc_test_shamir(void)
 {
-   void *modulus, *mp, *kA, *kB, *rA, *rB;
+   void *a, *modulus, *mp, *kA, *kB, *rA, *rB;
+   void *mu, *ma;
    ecc_point *G, *A, *B, *C1, *C2;
    int x, y, z;
    unsigned char buf[ECC_BUF_SIZE];
 
-   DO(mp_init_multi(&kA, &kB, &rA, &rB, &modulus, NULL));
+   DO(mp_init_multi(&kA, &kB, &rA, &rB, &modulus, &a, &mu, &ma, NULL));
    LTC_ARGCHK((G  = ltc_ecc_new_point()) != NULL);
    LTC_ARGCHK((A  = ltc_ecc_new_point()) != NULL);
    LTC_ARGCHK((B  = ltc_ecc_new_point()) != NULL);
@@ -54,17 +55,20 @@ int ecc_test_shamir(void)
 
    for (x = 0; x < (int)(sizeof(sizes)/sizeof(sizes[0])); x++) {
        /* get the base point */
-       for (z = 0; ltc_ecc_sets[z].name; z++) {
-           if (sizes[z] < (unsigned int)ltc_ecc_sets[z].size) break;
+       for (z = 0; ltc_ecc_curves[z].prime != NULL; z++) {
+           DO(mp_read_radix(modulus, ltc_ecc_curves[z].prime, 16));
+           if (sizes[x] <= mp_unsigned_bin_size(modulus)) break;
        }
-       LTC_ARGCHK(ltc_ecc_sets[z].name != NULL);
+       LTC_ARGCHK(ltc_ecc_curves[z].prime != NULL);
 
        /* load it */
-       DO(mp_read_radix(G->x, ltc_ecc_sets[z].Gx, 16));
-       DO(mp_read_radix(G->y, ltc_ecc_sets[z].Gy, 16));
+       DO(mp_read_radix(G->x, ltc_ecc_curves[z].Gx, 16));
+       DO(mp_read_radix(G->y, ltc_ecc_curves[z].Gy, 16));
        DO(mp_set(G->z, 1));
-       DO(mp_read_radix(modulus, ltc_ecc_sets[z].prime, 16));
+       DO(mp_read_radix(a, ltc_ecc_curves[z].A, 16));
        DO(mp_montgomery_setup(modulus, &mp));
+       DO(mp_montgomery_normalization(mu, modulus));
+       DO(mp_mulmod(a, mu, modulus, ma));
 
        /* do 100 random tests */
        for (y = 0; y < 100; y++) {
@@ -75,10 +79,10 @@ int ecc_test_shamir(void)
           DO(mp_read_unsigned_bin(rB, buf, sizes[x]));
 
           /* compute rA * G = A */
-          DO(ltc_mp.ecc_ptmul(rA, G, A, modulus, 1));
+          DO(ltc_mp.ecc_ptmul(rA, G, A, a, modulus, 1));
 
           /* compute rB * G = B */
-          DO(ltc_mp.ecc_ptmul(rB, G, B, modulus, 1));
+          DO(ltc_mp.ecc_ptmul(rB, G, B, a, modulus, 1));
 
           /* pick a random kA, kB */
           LTC_ARGCHK(yarrow_read(buf, sizes[x], &yarrow_prng) == sizes[x]);
@@ -87,13 +91,13 @@ int ecc_test_shamir(void)
           DO(mp_read_unsigned_bin(kB, buf, sizes[x]));
 
           /* now, compute kA*A + kB*B = C1 using the older method */
-          DO(ltc_mp.ecc_ptmul(kA, A, C1, modulus, 0));
-          DO(ltc_mp.ecc_ptmul(kB, B, C2, modulus, 0));
-          DO(ltc_mp.ecc_ptadd(C1, C2, C1, modulus, mp));
+          DO(ltc_mp.ecc_ptmul(kA, A, C1, a, modulus, 0));
+          DO(ltc_mp.ecc_ptmul(kB, B, C2, a, modulus, 0));
+          DO(ltc_mp.ecc_ptadd(C1, C2, C1, a, modulus, mp));
           DO(ltc_mp.ecc_map(C1, modulus, mp));
 
           /* now compute using mul2add */
-          DO(ltc_mp.ecc_mul2add(A, kA, B, kB, C2, modulus));
+          DO(ltc_mp.ecc_mul2add(A, kA, B, kB, C2, ma, modulus));
 
           /* is they the sames?  */
           if ((mp_cmp(C1->x, C2->x) != LTC_MP_EQ) || (mp_cmp(C1->y, C2->y) != LTC_MP_EQ) || (mp_cmp(C1->z, C2->z) != LTC_MP_EQ)) {
@@ -108,159 +112,423 @@ int ecc_test_shamir(void)
   ltc_ecc_del_point(B);
   ltc_ecc_del_point(A);
   ltc_ecc_del_point(G);
-  mp_clear_multi(kA, kB, rA, rB, modulus, NULL);
+  mp_clear_multi(kA, kB, rA, rB, modulus, a, mu, ma, NULL);
   return 0;
 }
 #endif
 
-int ecc_tests (void)
+static int _ecc_issue108(void)
 {
-  unsigned char buf[4][4096], ch;
-  unsigned long x, y, z, s;
-  int           stat, stat2;
-  ecc_key usera, userb, pubKey, privKey;
-
-  if (ltc_mp.name == NULL) return CRYPT_NOP;
-
-  DO(ecc_test ());
-
-  for (s = 0; s < (sizeof(sizes)/sizeof(sizes[0])); s++) {
-     /* make up two keys */
-     DO(ecc_make_key (&yarrow_prng, find_prng ("yarrow"), sizes[s], &usera));
-     DO(ecc_make_key (&yarrow_prng, find_prng ("yarrow"), sizes[s], &userb));
-
-     /* make the shared secret */
-     x = sizeof(buf[0]);
-     DO(ecc_shared_secret (&usera, &userb, buf[0], &x));
-
-     y = sizeof(buf[1]);
-     DO(ecc_shared_secret (&userb, &usera, buf[1], &y));
-
-     if (y != x) {
-       fprintf(stderr, "ecc Shared keys are not same size.");
-       return 1;
-     }
-
-     if (memcmp (buf[0], buf[1], x)) {
-       fprintf(stderr, "ecc Shared keys not same contents.");
-       return 1;
-     }
-
-     /* now export userb */
-     y = sizeof(buf[0]);
-     DO(ecc_export (buf[1], &y, PK_PUBLIC, &userb));
-     ecc_free (&userb);
-
-     /* import and make the shared secret again */
-     DO(ecc_import (buf[1], y, &userb));
-
-     z = sizeof(buf[0]);
-     DO(ecc_shared_secret (&usera, &userb, buf[2], &z));
-
-     if (z != x) {
-       fprintf(stderr, "failed.  Size don't match?");
-       return 1;
-     }
-     if (memcmp (buf[0], buf[2], x)) {
-       fprintf(stderr, "Failed.  Contents didn't match.");
-       return 1;
-     }
-
-     /* export with ANSI X9.63 */
-     y = sizeof(buf[1]);
-     DO(ecc_ansi_x963_export(&userb, buf[1], &y));
-     ecc_free (&userb);
-
-     /* now import the ANSI key */
-     DO(ecc_ansi_x963_import(buf[1], y, &userb));
-
-     /* shared secret */
-     z = sizeof(buf[0]);
-     DO(ecc_shared_secret (&usera, &userb, buf[2], &z));
-
-     if (z != x) {
-       fprintf(stderr, "failed.  Size don't match?");
-       return 1;
-     }
-     if (memcmp (buf[0], buf[2], x)) {
-       fprintf(stderr, "Failed.  Contents didn't match.");
-       return 1;
-     }
-
-     ecc_free (&usera);
-     ecc_free (&userb);
-
-     /* test encrypt_key */
-     DO(ecc_make_key (&yarrow_prng, find_prng ("yarrow"), sizes[s], &usera));
-
-     /* export key */
-     x = sizeof(buf[0]);
-     DO(ecc_export(buf[0], &x, PK_PUBLIC, &usera));
-     DO(ecc_import(buf[0], x, &pubKey));
-     x = sizeof(buf[0]);
-     DO(ecc_export(buf[0], &x, PK_PRIVATE, &usera));
-     DO(ecc_import(buf[0], x, &privKey));
-
-     for (ch = 0; ch < 32; ch++) {
-        buf[0][ch] = ch;
-     }
-     y = sizeof (buf[1]);
-     DO(ecc_encrypt_key (buf[0], 32, buf[1], &y, &yarrow_prng, find_prng ("yarrow"), find_hash ("sha256"), &pubKey));
-     zeromem (buf[0], sizeof (buf[0]));
-     x = sizeof (buf[0]);
-     DO(ecc_decrypt_key (buf[1], y, buf[0], &x, &privKey));
-     if (x != 32) {
-       fprintf(stderr, "Failed (length)");
-       return 1;
-     }
-     for (ch = 0; ch < 32; ch++) {
-        if (buf[0][ch] != ch) {
-           fprintf(stderr, "Failed (contents)");
-           return 1;
-        }
-     }
-     /* test sign_hash */
-     for (ch = 0; ch < 16; ch++) {
-        buf[0][ch] = ch;
-     }
-     x = sizeof (buf[1]);
-     DO(ecc_sign_hash (buf[0], 16, buf[1], &x, &yarrow_prng, find_prng ("yarrow"), &privKey));
-     DO(ecc_verify_hash (buf[1], x, buf[0], 16, &stat, &pubKey));
-     buf[0][0] ^= 1;
-     DO(ecc_verify_hash (buf[1], x, buf[0], 16, &stat2, &privKey));
-     if (!(stat == 1 && stat2 == 0)) {
-        fprintf(stderr, "ecc_verify_hash failed %d, %d, ", stat, stat2);
+   void      *a, *modulus, *order;
+   ecc_point *Q, *Result;
+   int       err;
+   const ltc_ecc_curve* dp;
+
+   /* init */
+   if ((err = mp_init_multi(&modulus, &order, &a, NULL)) != CRYPT_OK) { return err; }
+   Q      = ltc_ecc_new_point();
+   Result = ltc_ecc_new_point();
+
+   /* ECC-224 AKA SECP224R1 */
+   if ((err = ecc_get_curve("SECP224R1", &dp)) != CRYPT_OK)               { goto done; }
+   /* read A */
+   if ((err = mp_read_radix(a, (char *)dp->A,  16)) != CRYPT_OK)          { goto done; }
+   /* read modulus */
+   if ((err = mp_read_radix(modulus, (char *)dp->prime, 16)) != CRYPT_OK) { goto done; }
+   /* read order */
+   if ((err = mp_read_radix(order, (char *)dp->order, 16)) != CRYPT_OK)   { goto done; }
+   /* read Q */
+   if ((err = mp_read_radix(Q->x, (char *)"EA3745501BBC6A70BBFDD8AEEDB18CF5073C6DC9AA7CBB5915170D60", 16)) != CRYPT_OK) { goto done; }
+   if ((err = mp_read_radix(Q->y, (char *)"6C9CB8E68AABFEC989CAC5E2326E0448B7E69C3E56039BA21A44FDAC", 16)) != CRYPT_OK) { goto done; }
+   mp_set(Q->z, 1);
+   /* calculate nQ */
+   if ((err = ltc_mp.ecc_ptmul(order, Q, Result, a, modulus, 1)) != CRYPT_OK)  { goto done; }
+
+done:
+   ltc_ecc_del_point(Result);
+   ltc_ecc_del_point(Q);
+   mp_clear_multi(modulus, order, a, NULL);
+   return err;
+}
+
+static int _ecc_test_mp(void)
+{
+   void       *a, *modulus, *order;
+   ecc_point  *G, *GG;
+   int        i, err, primality;
+
+   if ((err = mp_init_multi(&modulus, &order, &a, NULL)) != CRYPT_OK) {
+      return err;
+   }
+
+   G   = ltc_ecc_new_point();
+   GG  = ltc_ecc_new_point();
+   if (G == NULL || GG == NULL) {
+      mp_clear_multi(modulus, order, NULL);
+      ltc_ecc_del_point(G);
+      ltc_ecc_del_point(GG);
+      return CRYPT_MEM;
+   }
+
+   for (i = 0; ltc_ecc_curves[i].prime != NULL; i++) {
+      if ((err = mp_read_radix(a, (char *)ltc_ecc_curves[i].A,  16)) != CRYPT_OK)            { goto done; }
+      if ((err = mp_read_radix(modulus, (char *)ltc_ecc_curves[i].prime, 16)) != CRYPT_OK)   { goto done; }
+      if ((err = mp_read_radix(order, (char *)ltc_ecc_curves[i].order, 16)) != CRYPT_OK)     { goto done; }
+
+      /* is prime actually prime? */
+      if ((err = mp_prime_is_prime(modulus, 8, &primality)) != CRYPT_OK)                   { goto done; }
+      if (primality == 0) {
+         err = CRYPT_FAIL_TESTVECTOR;
+         goto done;
+      }
+
+      /* is order prime ? */
+      if ((err = mp_prime_is_prime(order, 8, &primality)) != CRYPT_OK)                     { goto done; }
+      if (primality == 0) {
+         err = CRYPT_FAIL_TESTVECTOR;
+         goto done;
+      }
+
+      if ((err = mp_read_radix(G->x, (char *)ltc_ecc_curves[i].Gx, 16)) != CRYPT_OK)       { goto done; }
+      if ((err = mp_read_radix(G->y, (char *)ltc_ecc_curves[i].Gy, 16)) != CRYPT_OK)       { goto done; }
+      mp_set(G->z, 1);
+
+      /* then we should have G == (order + 1)G */
+      if ((err = mp_add_d(order, 1, order)) != CRYPT_OK)                                   { goto done; }
+      if ((err = ltc_mp.ecc_ptmul(order, G, GG, a, modulus, 1)) != CRYPT_OK)               { goto done; }
+      if (mp_cmp(G->x, GG->x) != LTC_MP_EQ || mp_cmp(G->y, GG->y) != LTC_MP_EQ) {
+         err = CRYPT_FAIL_TESTVECTOR;
+         goto done;
+      }
+   }
+   err = CRYPT_OK;
+done:
+   ltc_ecc_del_point(GG);
+   ltc_ecc_del_point(G);
+   mp_clear_multi(order, modulus, a, NULL);
+   return err;
+}
+
+int _ecc_old_api(void)
+{
+   unsigned char buf[4][4096], ch;
+   unsigned long x, y, z, s;
+   int           stat, stat2;
+   ecc_key usera, userb, pubKey, privKey;
+   int low, high;
+
+   ecc_sizes(&low, &high);
+   if (low < 14 || high < 14 || low > 100 || high > 100 || high < low) return CRYPT_FAIL_TESTVECTOR;
+
+   for (s = 0; s < (sizeof(sizes)/sizeof(sizes[0])); s++) {
+      /* make up two keys */
+      DO(ecc_make_key (&yarrow_prng, find_prng ("yarrow"), sizes[s], &usera));
+      DO(ecc_make_key (&yarrow_prng, find_prng ("yarrow"), sizes[s], &userb));
+      if (ecc_get_size(&usera) != (int)sizes[s]) return CRYPT_FAIL_TESTVECTOR;
+      if (ecc_get_size(&userb) != (int)sizes[s]) return CRYPT_FAIL_TESTVECTOR;
+
+      /* make the shared secret */
+      x = sizeof(buf[0]);
+      DO(ecc_shared_secret (&usera, &userb, buf[0], &x));
+
+      y = sizeof(buf[1]);
+      DO(ecc_shared_secret (&userb, &usera, buf[1], &y));
+
+      if (y != x) {
+        fprintf(stderr, "ecc Shared keys are not same size.");
         return 1;
-     }
-     /* test sign_hash_rfc7518 */
-     for (ch = 0; ch < 16; ch++) {
-        buf[0][ch] = ch;
-     }
-     x = sizeof (buf[1]);
-     DO(ecc_sign_hash_rfc7518(buf[0], 16, buf[1], &x, &yarrow_prng, find_prng ("yarrow"), &privKey));
-     DO(ecc_verify_hash_rfc7518(buf[1], x, buf[0], 16, &stat, &pubKey));
-     buf[0][0] ^= 1;
-     DO(ecc_verify_hash_rfc7518(buf[1], x, buf[0], 16, &stat2, &privKey));
-     if (!(stat == 1 && stat2 == 0)) {
-        fprintf(stderr, "ecc_verify_hash_rfc7518 failed %d, %d, ", stat, stat2);
+      }
+
+      if (memcmp (buf[0], buf[1], x)) {
+        fprintf(stderr, "ecc Shared keys not same contents.");
         return 1;
-     }
-     ecc_free (&usera);
-     ecc_free (&pubKey);
-     ecc_free (&privKey);
-  }
-#ifdef LTC_ECC_SHAMIR
-  return ecc_test_shamir();
-#else
-  return 0;
-#endif
+      }
+
+      /* now export userb */
+      y = sizeof(buf[0]);
+      DO(ecc_export (buf[1], &y, PK_PUBLIC, &userb));
+      ecc_free (&userb);
+
+      /* import and make the shared secret again */
+      DO(ecc_import (buf[1], y, &userb));
+
+      z = sizeof(buf[0]);
+      DO(ecc_shared_secret (&usera, &userb, buf[2], &z));
+
+      if (z != x) {
+        fprintf(stderr, "failed.  Size don't match?");
+        return 1;
+      }
+      if (memcmp (buf[0], buf[2], x)) {
+        fprintf(stderr, "Failed.  Contents didn't match.");
+        return 1;
+      }
+
+      /* export with ANSI X9.63 */
+      y = sizeof(buf[1]);
+      DO(ecc_ansi_x963_export(&userb, buf[1], &y));
+      ecc_free (&userb);
+
+      /* now import the ANSI key */
+      DO(ecc_ansi_x963_import(buf[1], y, &userb));
+
+      /* shared secret */
+      z = sizeof(buf[0]);
+      DO(ecc_shared_secret (&usera, &userb, buf[2], &z));
+
+      if (z != x) {
+        fprintf(stderr, "failed.  Size don't match?");
+        return 1;
+      }
+      if (memcmp (buf[0], buf[2], x)) {
+        fprintf(stderr, "Failed.  Contents didn't match.");
+        return 1;
+      }
+
+      ecc_free (&usera);
+      ecc_free (&userb);
+
+      /* test encrypt_key */
+      DO(ecc_make_key (&yarrow_prng, find_prng ("yarrow"), sizes[s], &usera));
+
+      /* export key */
+      x = sizeof(buf[0]);
+      DO(ecc_export(buf[0], &x, PK_PUBLIC, &usera));
+      DO(ecc_import(buf[0], x, &pubKey));
+      x = sizeof(buf[0]);
+      DO(ecc_export(buf[0], &x, PK_PRIVATE, &usera));
+      DO(ecc_import(buf[0], x, &privKey));
+
+      for (ch = 0; ch < 32; ch++) {
+         buf[0][ch] = ch;
+      }
+      y = sizeof (buf[1]);
+      DO(ecc_encrypt_key (buf[0], 32, buf[1], &y, &yarrow_prng, find_prng ("yarrow"), find_hash ("sha256"), &pubKey));
+      zeromem (buf[0], sizeof (buf[0]));
+      x = sizeof (buf[0]);
+      DO(ecc_decrypt_key (buf[1], y, buf[0], &x, &privKey));
+      if (x != 32) {
+        fprintf(stderr, "Failed (length)");
+        return 1;
+      }
+      for (ch = 0; ch < 32; ch++) {
+         if (buf[0][ch] != ch) {
+            fprintf(stderr, "Failed (contents)");
+            return 1;
+         }
+      }
+      /* test sign_hash */
+      for (ch = 0; ch < 16; ch++) {
+         buf[0][ch] = ch;
+      }
+      x = sizeof (buf[1]);
+      DO(ecc_sign_hash (buf[0], 16, buf[1], &x, &yarrow_prng, find_prng ("yarrow"), &privKey));
+      DO(ecc_verify_hash (buf[1], x, buf[0], 16, &stat, &pubKey));
+      buf[0][0] ^= 1;
+      DO(ecc_verify_hash (buf[1], x, buf[0], 16, &stat2, &privKey));
+      if (!(stat == 1 && stat2 == 0)) {
+         fprintf(stderr, "ecc_verify_hash failed %d, %d, ", stat, stat2);
+         return 1;
+      }
+      /* test sign_hash_rfc7518 */
+      for (ch = 0; ch < 16; ch++) {
+         buf[0][ch] = ch;
+      }
+      x = sizeof (buf[1]);
+      DO(ecc_sign_hash_rfc7518(buf[0], 16, buf[1], &x, &yarrow_prng, find_prng ("yarrow"), &privKey));
+      DO(ecc_verify_hash_rfc7518(buf[1], x, buf[0], 16, &stat, &pubKey));
+      buf[0][0] ^= 1;
+      DO(ecc_verify_hash_rfc7518(buf[1], x, buf[0], 16, &stat2, &privKey));
+      if (!(stat == 1 && stat2 == 0)) {
+         fprintf(stderr, "ecc_verify_hash_rfc7518 failed %d, %d, ", stat, stat2);
+         return 1;
+      }
+      ecc_free (&usera);
+      ecc_free (&pubKey);
+      ecc_free (&privKey);
+   }
+   return CRYPT_OK;
 }
 
-#else
+int _ecc_new_api(void)
+{
+   const char* names[] = {
+#ifdef LTC_ECC_SECP112R1
+      "SECP112R1", "ECC-112",
+      "secp112r1",              /* name is case-insensitive */
+      "S E C-P-1_1_2r1",        /* should pass fuzzy matching */
+#endif
+#ifdef LTC_ECC_SECP112R2
+      "SECP112R2",
+#endif
+#ifdef LTC_ECC_SECP128R1
+      "SECP128R1", "ECC-128",
+#endif
+#ifdef LTC_ECC_SECP128R2
+      "SECP128R2",
+#endif
+#ifdef LTC_ECC_SECP160R1
+      "SECP160R1", "ECC-160",
+#endif
+#ifdef LTC_ECC_SECP160R2
+      "SECP160R2",
+#endif
+#ifdef LTC_ECC_SECP160K1
+      "SECP160K1",
+#endif
+#ifdef LTC_ECC_BRAINPOOLP160R1
+      "BRAINPOOLP160R1",
+#endif
+#ifdef LTC_ECC_SECP192R1
+      "SECP192R1", "NISTP192", "PRIME192V1", "ECC-192", "P-192",
+#endif
+#ifdef LTC_ECC_PRIME192V2
+      "PRIME192V2",
+#endif
+#ifdef LTC_ECC_PRIME192V3
+      "PRIME192V3",
+#endif
+#ifdef LTC_ECC_SECP192K1
+      "SECP192K1",
+#endif
+#ifdef LTC_ECC_BRAINPOOLP192R1
+      "BRAINPOOLP192R1",
+#endif
+#ifdef LTC_ECC_SECP224R1
+      "SECP224R1", "NISTP224", "ECC-224", "P-224",
+#endif
+#ifdef LTC_ECC_SECP224K1
+      "SECP224K1",
+#endif
+#ifdef LTC_ECC_BRAINPOOLP224R1
+      "BRAINPOOLP224R1",
+#endif
+#ifdef LTC_ECC_PRIME239V1
+      "PRIME239V1",
+#endif
+#ifdef LTC_ECC_PRIME239V2
+      "PRIME239V2",
+#endif
+#ifdef LTC_ECC_PRIME239V3
+      "PRIME239V3",
+#endif
+#ifdef LTC_ECC_SECP256R1
+      "SECP256R1", "NISTP256", "PRIME256V1", "ECC-256", "P-256",
+#endif
+#ifdef LTC_ECC_SECP256K1
+      "SECP256K1",
+#endif
+#ifdef LTC_ECC_BRAINPOOLP256R1
+      "BRAINPOOLP256R1",
+#endif
+#ifdef LTC_ECC_BRAINPOOLP320R1
+      "BRAINPOOLP320R1",
+#endif
+#ifdef LTC_ECC_SECP384R1
+      "SECP384R1", "NISTP384", "ECC-384", "P-384",
+#endif
+#ifdef LTC_ECC_BRAINPOOLP384R1
+      "BRAINPOOLP384R1",
+#endif
+#ifdef LTC_ECC_BRAINPOOLP512R1
+      "BRAINPOOLP512R1",
+#endif
+#ifdef LTC_ECC_SECP521R1
+      "SECP521R1", "NISTP521", "ECC-521", "P-521",
+#endif
+   };
+   int i, j, stat;
+   const ltc_ecc_curve* dp;
+   ecc_key key, privkey, pubkey;
+   unsigned char buf[1000];
+   unsigned long len;
+   unsigned char data16[16] = { 0xd1, 0xd1, 0xd1, 0xd1, 0xd1, 0xd1, 0xd1, 0xd1, 0xd1, 0xd1, 0xd1, 0xd1, 0xd1, 0xd1, 0xd1, 0xd1 };
+   unsigned long len16;
+
+   if (ltc_mp.name == NULL) return CRYPT_NOP;
+
+   for (i = 0; i < (int)(sizeof(names)/sizeof(names[0])); i++) {
+      DO(ecc_get_curve(names[i], &dp));
+      /* make new key */
+      DO(ecc_make_key_ex(&yarrow_prng, find_prng ("yarrow"), &key, dp));
+      len = sizeof(buf);
+      DO(ecc_export(buf, &len, PK_PRIVATE, &key));
+      DO(ecc_import_ex(buf, len, &privkey, dp));
+      ecc_free(&privkey);
+      len = sizeof(buf);
+      DO(ecc_export(buf, &len, PK_PUBLIC, &key));
+      DO(ecc_import_ex(buf, len, &pubkey, dp));
+      ecc_free(&pubkey);
+      len = sizeof(buf);
+      DO(ecc_ansi_x963_export(&key, buf, &len));
+      ecc_free(&key);
+      DO(ecc_ansi_x963_import_ex(buf, len, &pubkey, dp));
+      ecc_free(&pubkey);
+
+      /* generate new key */
+      DO(ecc_set_dp(dp, &key));
+      DO(ecc_generate_key(&yarrow_prng, find_prng ("yarrow"), &key));
+      len = sizeof(buf);
+      DO(ecc_get_key(buf, &len, PK_PRIVATE, &key));
+      ecc_free(&key);
+
+      /* load exported private key */
+      DO(ecc_set_dp(dp, &privkey));
+      DO(ecc_set_key(buf, len, PK_PRIVATE, &privkey));
+
+#ifndef USE_TFM
+      /* XXX-FIXME: TFM does not support sqrtmod_prime */
+      /* export compressed public key */
+      len = sizeof(buf);
+      DO(ecc_get_key(buf, &len, PK_PUBLIC|PK_COMPRESSED, &privkey));
+      if (len != 1 + (unsigned)ecc_get_size(&privkey)) return CRYPT_FAIL_TESTVECTOR;
+      /* load exported public+compressed key */
+      DO(ecc_set_dp(dp, &pubkey));
+      DO(ecc_set_key(buf, len, PK_PUBLIC, &pubkey));
+      ecc_free(&pubkey);
+#endif
+
+      /* export long public key */
+      len = sizeof(buf);
+      DO(ecc_get_key(buf, &len, PK_PUBLIC, &privkey));
+      if (len != 1 + 2 * (unsigned)ecc_get_size(&privkey)) return CRYPT_FAIL_TESTVECTOR;
+      /* load exported public key */
+      DO(ecc_set_dp(dp, &pubkey));
+      DO(ecc_set_key(buf, len, PK_PUBLIC, &pubkey));
+
+      /* test signature */
+      len = sizeof(buf);
+      DO(ecc_sign_hash(data16, 16, buf, &len, &yarrow_prng, find_prng ("yarrow"), &privkey));
+      stat = 0;
+      DO(ecc_verify_hash(buf, len, data16, 16, &stat, &pubkey));
+      if (stat != 1) return CRYPT_FAIL_TESTVECTOR;
+
+      /* test encryption */
+      len = sizeof(buf);
+      DO(ecc_encrypt_key(data16, 16, buf, &len, &yarrow_prng, find_prng("yarrow"), find_hash("sha256"), &pubkey));
+      zeromem(data16, 16);
+      len16 = 16;
+      DO(ecc_decrypt_key(buf, len, data16, &len16, &privkey));
+      if (len16 != 16) return CRYPT_FAIL_TESTVECTOR;
+      for (j = 0; j < 16; j++) if (data16[j] != 0xd1) return CRYPT_FAIL_TESTVECTOR;
+
+      /* cleanup */
+      ecc_free(&privkey);
+      ecc_free(&pubkey);
+   }
+   return CRYPT_OK;
+}
 
 int ecc_tests(void)
 {
-   return CRYPT_NOP;
+   DO(_ecc_old_api()); /* up to 1.18 */
+   DO(_ecc_new_api());
+   DO(_ecc_test_mp());
+   DO(_ecc_issue108());
+#ifdef LTC_ECC_SHAMIR
+   DO(_ecc_test_shamir());
+#endif
+   return CRYPT_OK;
 }
 
 #endif