Google Git
Sign in
android / device / google / contexthub / 2eb0faf1f928aa9e4a428062c732312ee75ff4a1 / . / lib / nanohub / rsa.c
blob: d718de04cf122459207bc435a7161319e1b34999 [file] [log] [blame]
/*
* Copyright (C) 2016 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <nanohub/rsa.h>
static bool biModIterative(uint32_t *num, const uint32_t *denum, uint32_t *tmp, uint32_t *state1, uint32_t *state2, uint32_t step)
//num %= denum where num is RSA_LEN * 2 and denum is RSA_LEN and tmp is RSA_LEN + limb_sz
//will need to be called till it returns true (up to RSA_LEN * 2 + 2 times)
{
uint32_t bitsh = *state1, limbsh = *state2;
bool ret = false;
int64_t t;
int32_t i;
//first step is init
if (!step) {
//initially set it up left shifted as far as possible
memcpy(tmp + 1, denum, RSA_BYTES);
tmp[0] = 0;
bitsh = 32;
limbsh = RSA_LIMBS - 1;
goto out;
}
//second is shifting denum
if (step == 1) {
while (!(tmp[RSA_LIMBS] & 0x80000000)) {
for (i = RSA_LIMBS; i > 0; i--) {
tmp[i] <<= 1;
if (tmp[i - 1] & 0x80000000)
tmp[i]++;
}
//no need to adjust tmp[0] as it is still zero
bitsh++;
}
goto out;
}
//all future steps do the division
//check if we should subtract (uses less space than subtracting and unroling it later)
for (i = RSA_LIMBS; i >= 0; i--) {
if (num[limbsh + i] < tmp[i])
goto dont_subtract;
if (num[limbsh + i] > tmp[i])
break;
}
//subtract
t = 0;
for (i = 0; i <= RSA_LIMBS; i++) {
t += (uint64_t)num[limbsh + i];
t -= (uint64_t)tmp[i];
num[limbsh + i] = t;
t >>= 32;
}
//carry the subtraction's carry to the end
for (i = RSA_LIMBS + limbsh + 1; i < RSA_LIMBS * 2; i++) {
t += (uint64_t)num[i];
num[i] = t;
t >>= 32;
}
dont_subtract:
//handle bitshifts/refills
if (!bitsh) { // tmp = denum << 32
if (!limbsh) {
ret = true;
goto out;
}
memcpy(tmp + 1, denum, RSA_BYTES);
tmp[0] = 0;
bitsh = 32;
limbsh--;
}
else { // tmp >>= 1
for (i = 0; i < RSA_LIMBS; i++) {
tmp[i] >>= 1;
if (tmp[i + 1] & 1)
tmp[i] += 0x80000000;
}
tmp[i] >>= 1;
bitsh--;
}
out:
*state1 = bitsh;
*state2 = limbsh;
return ret;
}
static void biMulIterative(uint32_t *ret, const uint32_t *a, const uint32_t *b, uint32_t step) //ret = a * b, call with step = [0..RSA_LIMBS)
{
uint32_t j, c;
uint64_t r;
//zero the result on first call
if (!step)
memset(ret, 0, RSA_BYTES * 2);
//produce a partial sum & add it in
c = 0;
for (j = 0; j < RSA_LIMBS; j++) {
r = (uint64_t)a[step] * b[j] + c + ret[step + j];
ret[step + j] = r;
c = r >> 32;
}
//carry the carry to the end
for (j = step + RSA_LIMBS; j < RSA_LIMBS * 2; j++) {
r = (uint64_t)ret[j] + c;
ret[j] = r;
c = r >> 32;
}
}
/*
* Piecewise RSA:
* normal RSA public op with 65537 exponent does 34 operations. 17 muls and 17 mods, as follows:
* 16x {mul, mod} to calculate a ^ 65536 mod c
* 1x {mul, mod} to calculate a ^ 65537 mod c
* we break up each mul and mod itself into more steps. mul needs RSA_LIMBS steps, and mod needs up to RSA_LEN * 2 + 2 steps
* so if we allocate RSA_LEN * 3 step values to mod, each mul-mod pair will use <= RSA_LEN * 4 step values
* and the whole opetaion will need <= RSA_LEN * 4 * 34 step values, which fits into a uint32. cool. In fact
* some values will be skipped, but this makes life easier, really. Call this func with *stepP = 0, and keep calling till
* output stepP is zero. We'll call each of the RSA_LEN * 4 pieces a gigastep, and have 17 of them as seen above. Each
* will be logically separated into 4 megasteps. First will contain the MUL, last 3 the MOD and maybe the memcpy.
* In the first 16 gigasteps, the very last step of the gigastep will be used for the memcpy call.
*
* The initial non-iterative RSA logic looks as follows, shown here for clarity:
*
* memcpy(state->tmpB, a, RSA_BYTES);
* for (i = 0; i < 16; i++) {
* biMul(state->tmpA, state->tmpB, state->tmpB);
* biMod(state->tmpA, c, state->tmpB);
* memcpy(state->tmpB, state->tmpA, RSA_BYTES);
* }
*
* //calculate a ^ 65537 mod c into state->tmpA [ at this point this means do state->tmpA = (state->tmpB * a) % c ]
* biMul(state->tmpA, state->tmpB, a);
* biMod(state->tmpA, c, state->tmpB);
*
* //return result
* return state->tmpA;
*
*/
const uint32_t* rsaPubOpIterative(struct RsaState* state, const uint32_t *a, const uint32_t *c, uint32_t *state1, uint32_t *state2, uint32_t *stepP)
{
uint32_t step = *stepP, gigastep, gigastepBase, gigastepSubstep, megaSubstep;
//step 0: copy a -> tmpB
if (!step) {
memcpy(state->tmpB, a, RSA_BYTES);
step = 1;
}
else { //subsequent steps: do real work
gigastep = (step - 1) / (RSA_LEN * 4);
gigastepSubstep = (step - 1) % (RSA_LEN * 4);
gigastepBase = gigastep * (RSA_LEN * 4);
megaSubstep = gigastepSubstep / RSA_LEN;
if (!megaSubstep) { // first megastep of the gigastep - MUL
biMulIterative(state->tmpA, state->tmpB, gigastep == 16 ? a : state->tmpB, gigastepSubstep);
if (gigastepSubstep == RSA_LIMBS - 1) //MUL is done - do mod next
step = gigastepBase + RSA_LEN + 1;
else //More of MUL is left to do
step++;
}
else if (gigastepSubstep != RSA_LEN * 4 - 1){ // second part of gigastep - MOD
if (biModIterative(state->tmpA, c, state->tmpB, state1, state2, gigastepSubstep - RSA_LEN)) { //MOD is done
if (gigastep == 16) // we're done
step = 0;
else // last part of the gigastep is a copy
step = gigastepBase + RSA_LEN * 4 - 1 + 1;
}
else
step++;
}
else { //last part - memcpy
memcpy(state->tmpB, state->tmpA, RSA_BYTES);
step++;
}
}
*stepP = step;
return state->tmpA;
}
#if defined(RSA_SUPPORT_PRIV_OP_LOWRAM) || defined (RSA_SUPPORT_PRIV_OP_BIGRAM)
#include <stdio.h>
const uint32_t* rsaPubOp(struct RsaState* state, const uint32_t *a, const uint32_t *c)
{
const uint32_t *ret;
uint32_t state1 = 0, state2 = 0, step = 0, ns = 0;
do {
ret = rsaPubOpIterative(state, a, c, &state1, &state2, &step);
ns++;
} while(step);
fprintf(stderr, "steps: %u\n", ns);
return ret;
}
static void biMod(uint32_t *num, const uint32_t *denum, uint32_t *tmp)
{
uint32_t state1 = 0, state2 = 0, step;
for (step = 0; !biModIterative(num, denum, tmp, &state1, &state2, step); step++);
}
static void biMul(uint32_t *ret, const uint32_t *a, const uint32_t *b)
{
uint32_t step;
for (step = 0; step < RSA_LIMBS; step++)
biMulIterative(ret, a, b, step);
}
const uint32_t* rsaPrivOp(struct RsaState* state, const uint32_t *a, const uint32_t *b, const uint32_t *c)
{
uint32_t i;
memcpy(state->tmpC, a, RSA_BYTES); //tC will hold our powers of a
memset(state->tmpA, 0, RSA_BYTES * 2); //tA will hold result
state->tmpA[0] = 1;
for (i = 0; i < RSA_LEN; i++) {
//if the bit is set, multiply the current power of A into result
if (b[i / 32] & (1 << (i % 32))) {
memcpy(state->tmpB, state->tmpA, RSA_BYTES);
biMul(state->tmpA, state->tmpB, state->tmpC);
biMod(state->tmpA, c, state->tmpB);
}
//calculate the next power of a and modulus it
#if defined(RSA_SUPPORT_PRIV_OP_LOWRAM)
memcpy(state->tmpB, state->tmpA, RSA_BYTES); //save tA
biMul(state->tmpA, state->tmpC, state->tmpC);
biMod(state->tmpA, c, state->tmpC);
memcpy(state->tmpC, state->tmpA, RSA_BYTES);
memcpy(state->tmpA, state->tmpB, RSA_BYTES); //restore tA
#elif defined (RSA_SUPPORT_PRIV_OP_BIGRAM)
memcpy(state->tmpB, state->tmpC, RSA_BYTES);
biMul(state->tmpC, state->tmpB, state->tmpB);
biMod(state->tmpC, c, state->tmpB);
#endif
}
return state->tmpA;
}
#endif