Implementation of the NIST P-521 curve

ivankravets · Mar 26, 2016 · 9ff24b0 · 9ff24b0
1 parent c8d7c31
commit 9ff24b0
Show file tree

Hide file tree

Showing 10 changed files with 2,928 additions and 5 deletions.
diff --git a/doc/crypto.dox b/doc/crypto.dox
@@ -33,7 +33,7 @@
 \li Hash algorithms: SHA256, SHA512, SHA3_256, SHA3_512, BLAKE2s, BLAKE2b (regular and HMAC modes)
 \li Extendable output functions (XOF's): SHAKE128, SHAKE256
 \li Message authenticators: Poly1305, GHASH, OMAC
-\li Public key algorithms: Curve25519, Ed25519
+\li Public key algorithms: Curve25519, Ed25519, P521
 \li Random number generation: \link RNGClass RNG\endlink, TransistorNoiseSource, RingOscillatorNoiseSource
 
 All cryptographic algorithms have been optimized for 8-bit Arduino platforms
@@ -129,6 +129,12 @@ Ardunino Mega 2560 running at 16 MHz are similar:
 <tr><td>Ed25519::sign()</td><td align="right">5148ms</td><td colspan="3">Digital signature generation</td></tr>
 <tr><td>Ed25519::verify()</td><td align="right">8196ms</td><td colspan="3">Digital signature verification</td></tr>
 <tr><td>Ed25519::derivePublicKey()</td><td align="right">5102ms</td><td colspan="3">Derive a public key from a private key</td></tr>
+<tr><td>P521::eval()</td><td align="right">46290ms</td><td colspan="3">Raw curve evaluation</td></tr>
+<tr><td>P521::dh1()</td><td align="right">46293ms</td><td colspan="3">First half of Diffie-Hellman key agreement</td></tr>
+<tr><td>P521::dh2()</td><td align="right">46304ms</td><td colspan="3">Second half of Diffie-Hellman key agreement</td></tr>
+<tr><td>P521::sign()</td><td align="right">60514ms</td><td colspan="3">Digital signature generation</td></tr>
+<tr><td>P521::verify()</td><td align="right">109078ms</td><td colspan="3">Digital signature verification</td></tr>
+<tr><td>P521::derivePublicKey()</td><td align="right">46290ms</td><td colspan="3">Derive a public key from a private key</td></tr>
 </table>
 
 Where a cipher supports more than one key size (such as ChaCha), the values
@@ -196,5 +202,11 @@ All figures are for the Arduino Due running at 84 MHz:
 <tr><td>Ed25519::sign()</td><td align="right">195ms</td><td colspan="3">Digital signature generation</td></tr>
 <tr><td>Ed25519::verify()</td><td align="right">306ms</td><td colspan="3">Digital signature verification</td></tr>
 <tr><td>Ed25519::derivePublicKey()</td><td align="right">194ms</td><td colspan="3">Derive a public key from a private key</td></tr>
+<tr><td>P521::eval()</td><td align="right">1503ms</td><td colspan="3">Raw curve evaluation</td></tr>
+<tr><td>P521::dh1()</td><td align="right">1503ms</td><td colspan="3">First half of Diffie-Hellman key agreement</td></tr>
+<tr><td>P521::dh2()</td><td align="right">1503ms</td><td colspan="3">Second half of Diffie-Hellman key agreement</td></tr>
+<tr><td>P521::sign()</td><td align="right">1860ms</td><td colspan="3">Digital signature generation</td></tr>
+<tr><td>P521::verify()</td><td align="right">3423ms</td><td colspan="3">Digital signature verification</td></tr>
+<tr><td>P521::derivePublicKey()</td><td align="right">1503ms</td><td colspan="3">Derive a public key from a private key</td></tr>
 </table>
 */
diff --git a/doc/mainpage.dox b/doc/mainpage.dox
@@ -98,7 +98,7 @@ realtime clock and the LCD library to implement an alarm clock.
 \li Hash algorithms: SHA256, SHA512, SHA3_256, SHA3_512, BLAKE2s, BLAKE2b (regular and HMAC modes)
 \li Extendable output functions (XOF's): SHAKE128, SHAKE256
 \li Message authenticators: Poly1305, GHASH, OMAC
-\li Public key algorithms: Curve25519, Ed25519
+\li Public key algorithms: Curve25519, Ed25519, P521
 \li Random number generation: \link RNGClass RNG\endlink, TransistorNoiseSource, RingOscillatorNoiseSource
 
 More information can be found on the \ref crypto "Cryptographic Library" page.

diff --git a/host/Crypto/Makefile b/host/Crypto/Makefile
@@ -47,6 +47,7 @@ SOURCES =   \
 	NoiseSource.cpp \
 	OFB.cpp \
 	OMAC.cpp \
+        P521.cpp \
 	Poly1305.cpp \
         RNG_host.cpp \
 	SHA256.cpp \
@@ -76,6 +77,8 @@ SKETCHES = \
 	TestGCM/TestGCM.ino \
 	TestGHASH/TestGHASH.ino \
 	TestOFB/TestOFB.ino \
+	TestP521/TestP521.ino \
+	TestP521Math/TestP521Math.ino \
 	TestPoly1305/TestPoly1305.ino \
 	TestSHA256/TestSHA256.ino \
 	TestSHA3_256/TestSHA3_256.ino \

diff --git a/libraries/Crypto/BigNumberUtil.cpp b/libraries/Crypto/BigNumberUtil.cpp
@@ -634,3 +634,22 @@ void BigNumberUtil::reduceQuick_P(limb_t *result, const limb_t *x,
         --size;
     }
 }
+
+/**
+ * \brief Determine if a big number is zero.
+ *
+ * \param x Points to the number to test.
+ * \param size The number of limbs in \a x.
+ * \return Returns 1 if \a x is zero or 0 otherwise.
+ *
+ * This function attempts to make the determination in constant time.
+ */
+limb_t BigNumberUtil::isZero(const limb_t *x, size_t size)
+{
+    limb_t word = 0;
+    while (size > 0) {
+        word |= *x++;
+        --size;
+    }
+    return (limb_t)(((((dlimb_t)1) << LIMB_BITS) - word) >> LIMB_BITS);
+}
diff --git a/libraries/Crypto/BigNumberUtil.h b/libraries/Crypto/BigNumberUtil.h
@@ -86,6 +86,8 @@ class BigNumberUtil
     static void reduceQuick_P(limb_t *result, const limb_t *x,
                               const limb_t *y, size_t size);
 
+    static limb_t isZero(const limb_t *x, size_t size);
+
 private:
     // Constructor and destructor are private - cannot instantiate this class.
     BigNumberUtil() {}