// Copyright 2010 The Go Authors. All rights reserved. // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. // Package elliptic implements the standard NIST P-224, P-256, P-384, and P-521 // elliptic curves over prime fields. // // The P224(), P256(), P384() and P521() values are necessary to use the crypto/ecdsa package. // Most other uses should migrate to the more efficient and safer crypto/ecdh package. package elliptic import ( "io" "math/big" "sync" ) // A Curve represents a short-form Weierstrass curve with a=-3. // // The behavior of Add, Double, and ScalarMult when the input is not a point on // the curve is undefined. // // Note that the conventional point at infinity (0, 0) is not considered on the // curve, although it can be returned by Add, Double, ScalarMult, or // ScalarBaseMult (but not the Unmarshal or UnmarshalCompressed functions). type Curve interface { // Params returns the parameters for the curve. Params() *CurveParams // IsOnCurve reports whether the given (x,y) lies on the curve. // // Note: this is a low-level unsafe API. For ECDH, use the crypto/ecdh // package. The NewPublicKey methods of NIST curves in crypto/ecdh accept // the same encoding as the Unmarshal function, and perform on-curve checks. IsOnCurve(x, y *big.Int) bool // Add returns the sum of (x1,y1) and (x2,y2). // // Note: this is a low-level unsafe API. Add(x1, y1, x2, y2 *big.Int) (x, y *big.Int) // Double returns 2*(x,y). // // Note: this is a low-level unsafe API. Double(x1, y1 *big.Int) (x, y *big.Int) // ScalarMult returns k*(x,y) where k is an integer in big-endian form. // // Note: this is a low-level unsafe API. For ECDH, use the crypto/ecdh // package. Most uses of ScalarMult can be replaced by a call to the ECDH // methods of NIST curves in crypto/ecdh. ScalarMult(x1, y1 *big.Int, k []byte) (x, y *big.Int) // ScalarBaseMult returns k*G, where G is the base point of the group // and k is an integer in big-endian form. // // Note: this is a low-level unsafe API. For ECDH, use the crypto/ecdh // package. Most uses of ScalarBaseMult can be replaced by a call to the // PrivateKey.PublicKey method in crypto/ecdh. ScalarBaseMult(k []byte) (x, y *big.Int) } var mask = []byte{0xff, 0x1, 0x3, 0x7, 0xf, 0x1f, 0x3f, 0x7f} // GenerateKey returns a public/private key pair. The private key is // generated using the given reader, which must return random data. // // Note: for ECDH, use the GenerateKey methods of the crypto/ecdh package; // for ECDSA, use the GenerateKey function of the crypto/ecdsa package. func GenerateKey(curve Curve, rand io.Reader) (priv []byte, x, y *big.Int, err error) { N := curve.Params().N bitSize := N.BitLen() byteLen := (bitSize + 7) / 8 priv = make([]byte, byteLen) for x == nil { _, err = io.ReadFull(rand, priv) if err != nil { return } // We have to mask off any excess bits in the case that the size of the // underlying field is not a whole number of bytes. priv[0] &= mask[bitSize%8] // This is because, in tests, rand will return all zeros and we don't // want to get the point at infinity and loop forever. priv[1] ^= 0x42 // If the scalar is out of range, sample another random number. if new(big.Int).SetBytes(priv).Cmp(N) >= 0 { continue } x, y = curve.ScalarBaseMult(priv) } return } // Marshal converts a point on the curve into the uncompressed form specified in // SEC 1, Version 2.0, Section 2.3.3. If the point is not on the curve (or is // the conventional point at infinity), the behavior is undefined. // // Note: for ECDH, use the crypto/ecdh package. This function returns an // encoding equivalent to that of PublicKey.Bytes in crypto/ecdh. func Marshal(curve Curve, x, y *big.Int) []byte { panicIfNotOnCurve(curve, x, y) byteLen := (curve.Params().BitSize + 7) / 8 ret := make([]byte, 1+2*byteLen) ret[0] = 4 // uncompressed point x.FillBytes(ret[1 : 1+byteLen]) y.FillBytes(ret[1+byteLen : 1+2*byteLen]) return ret } // MarshalCompressed converts a point on the curve into the compressed form // specified in SEC 1, Version 2.0, Section 2.3.3. If the point is not on the // curve (or is the conventional point at infinity), the behavior is undefined. func MarshalCompressed(curve Curve, x, y *big.Int) []byte { panicIfNotOnCurve(curve, x, y) byteLen := (curve.Params().BitSize + 7) / 8 compressed := make([]byte, 1+byteLen) compressed[0] = byte(y.Bit(0)) | 2 x.FillBytes(compressed[1:]) return compressed } // unmarshaler is implemented by curves with their own constant-time Unmarshal. // // There isn't an equivalent interface for Marshal/MarshalCompressed because // that doesn't involve any mathematical operations, only FillBytes and Bit. type unmarshaler interface { Unmarshal([]byte) (x, y *big.Int) UnmarshalCompressed([]byte) (x, y *big.Int) } // Assert that the known curves implement unmarshaler. var _ = []unmarshaler{p224, p256, p384, p521} // Unmarshal converts a point, serialized by Marshal, into an x, y pair. It is // an error if the point is not in uncompressed form, is not on the curve, or is // the point at infinity. On error, x = nil. // // Note: for ECDH, use the crypto/ecdh package. This function accepts an // encoding equivalent to that of the NewPublicKey methods in crypto/ecdh. func Unmarshal(curve Curve, data []byte) (x, y *big.Int) { if c, ok := curve.(unmarshaler); ok { return c.Unmarshal(data) } byteLen := (curve.Params().BitSize + 7) / 8 if len(data) != 1+2*byteLen { return nil, nil } if data[0] != 4 { // uncompressed form return nil, nil } p := curve.Params().P x = new(big.Int).SetBytes(data[1 : 1+byteLen]) y = new(big.Int).SetBytes(data[1+byteLen:]) if x.Cmp(p) >= 0 || y.Cmp(p) >= 0 { return nil, nil } if !curve.IsOnCurve(x, y) { return nil, nil } return } // UnmarshalCompressed converts a point, serialized by MarshalCompressed, into // an x, y pair. It is an error if the point is not in compressed form, is not // on the curve, or is the point at infinity. On error, x = nil. func UnmarshalCompressed(curve Curve, data []byte) (x, y *big.Int) { if c, ok := curve.(unmarshaler); ok { return c.UnmarshalCompressed(data) } byteLen := (curve.Params().BitSize + 7) / 8 if len(data) != 1+byteLen { return nil, nil } if data[0] != 2 && data[0] != 3 { // compressed form return nil, nil } p := curve.Params().P x = new(big.Int).SetBytes(data[1:]) if x.Cmp(p) >= 0 { return nil, nil } // y² = x³ - 3x + b y = curve.Params().polynomial(x) y = y.ModSqrt(y, p) if y == nil { return nil, nil } if byte(y.Bit(0)) != data[0]&1 { y.Neg(y).Mod(y, p) } if !curve.IsOnCurve(x, y) { return nil, nil } return } func panicIfNotOnCurve(curve Curve, x, y *big.Int) { // (0, 0) is the point at infinity by convention. It's ok to operate on it, // although IsOnCurve is documented to return false for it. See Issue 37294. if x.Sign() == 0 && y.Sign() == 0 { return } if !curve.IsOnCurve(x, y) { panic("crypto/elliptic: attempted operation on invalid point") } } var initonce sync.Once func initAll() { initP224() initP256() initP384() initP521() } // P224 returns a Curve which implements NIST P-224 (FIPS 186-3, section D.2.2), // also known as secp224r1. The CurveParams.Name of this Curve is "P-224". // // Multiple invocations of this function will return the same value, so it can // be used for equality checks and switch statements. // // The cryptographic operations are implemented using constant-time algorithms. func P224() Curve { initonce.Do(initAll) return p224 } // P256 returns a Curve which implements NIST P-256 (FIPS 186-3, section D.2.3), // also known as secp256r1 or prime256v1. The CurveParams.Name of this Curve is // "P-256". // // Multiple invocations of this function will return the same value, so it can // be used for equality checks and switch statements. // // The cryptographic operations are implemented using constant-time algorithms. func P256() Curve { initonce.Do(initAll) return p256 } // P384 returns a Curve which implements NIST P-384 (FIPS 186-3, section D.2.4), // also known as secp384r1. The CurveParams.Name of this Curve is "P-384". // // Multiple invocations of this function will return the same value, so it can // be used for equality checks and switch statements. // // The cryptographic operations are implemented using constant-time algorithms. func P384() Curve { initonce.Do(initAll) return p384 } // P521 returns a Curve which implements NIST P-521 (FIPS 186-3, section D.2.5), // also known as secp521r1. The CurveParams.Name of this Curve is "P-521". // // Multiple invocations of this function will return the same value, so it can // be used for equality checks and switch statements. // // The cryptographic operations are implemented using constant-time algorithms. func P521() Curve { initonce.Do(initAll) return p521 }