public ECDomainParameters(
ECCurve curve,
ECPoint g,
BigInteger n)
: this(curve, g, n, BigInteger.One)
{
}
public static ECPoint SumOfMultiplies(ECPoint[] ps, BigInteger[] ks)
{
if (ps == null || ks == null || ps.Length != ks.Length || ps.Length < 1)
throw new ArgumentException("point and scalar arrays should be non-null, and of equal, non-zero, length");
int count = ps.Length;
switch (count)
{
case 1:
return ps[0].Multiply(ks[0]);
case 2:
return SumOfTwoMultiplies(ps[0], ks[0], ps[1], ks[1]);
default:
break;
}
ECPoint p = ps[0];
ECCurve c = p.Curve;
ECPoint[] imported = new ECPoint[count];
imported[0] = p;
for (int i = 1; i < count; ++i)
{
imported[i] = ImportPoint(c, ps[i]);
}
GlvEndomorphism glvEndomorphism = c.GetEndomorphism() as GlvEndomorphism;
if (glvEndomorphism != null)
{
return ValidatePoint(ImplSumOfMultipliesGlv(imported, ks, glvEndomorphism));
}
return ValidatePoint(ImplSumOfMultiplies(imported, ks));
}
public X9ECParameters(
ECCurve curve,
ECPoint g,
BigInteger n)
: this(curve, g, n, BigInteger.One, null)
{
}
public ECDomainParameters(
ECCurve curve,
ECPoint g,
BigInteger n,
BigInteger h)
: this(curve, g, n, h, null)
{
}
public X9ECParameters(
ECCurve curve,
ECPoint g,
BigInteger n,
BigInteger h,
byte[] seed)
: this(curve, new X9ECPoint(g), n, h, seed)
{
}
public ECPublicKeyParameters(
ECPoint q,
DerObjectIdentifier publicKeyParamSet)
: base("ECGOST3410", false, publicKeyParamSet)
{
if (q == null)
throw new ArgumentNullException("q");
this.q = q.Normalize();
}
public ECPublicKeyParameters(
string algorithm,
ECPoint q,
DerObjectIdentifier publicKeyParamSet)
: base(algorithm, false, publicKeyParamSet)
{
if (q == null)
throw new ArgumentNullException("q");
this.q = q.Normalize();
}
public ECPublicKeyParameters(
string algorithm,
ECPoint q,
ECDomainParameters parameters)
: base(algorithm, false, parameters)
{
if(q == null)
throw new ArgumentNullException("q");
this.q = q.Normalize();
}
public X9ECParameters(
Asn1Sequence seq)
{
if (!(seq[0] is DerInteger)
|| !((DerInteger) seq[0]).Value.Equals(BigInteger.One))
{
throw new ArgumentException("bad version in X9ECParameters");
}
X9Curve x9c = null;
if (seq[2] is X9Curve)
{
x9c = (X9Curve) seq[2];
}
else
{
x9c = new X9Curve(
new X9FieldID(
(Asn1Sequence) seq[1]),
(Asn1Sequence) seq[2]);
}
this.curve = x9c.Curve;
if (seq[3] is X9ECPoint)
{
this.g = ((X9ECPoint) seq[3]).Point;
}
else
{
this.g = new X9ECPoint(curve, (Asn1OctetString) seq[3]).Point;
}
this.n = ((DerInteger) seq[4]).Value;
this.seed = x9c.GetSeed();
if (seq.Count == 6)
{
this.h = ((DerInteger) seq[5]).Value;
}
}
public X9ECParameters(
ECCurve curve,
ECPoint g,
BigInteger n,
BigInteger h,
byte[] seed)
{
this.curve = curve;
this.g = g.Normalize();
this.n = n;
this.h = h;
this.seed = seed;
if (ECAlgorithms.IsFpCurve(curve))
{
this.fieldID = new X9FieldID(curve.Field.Characteristic);
}
else if (ECAlgorithms.IsF2mCurve(curve))
{
IPolynomialExtensionField field = (IPolynomialExtensionField)curve.Field;
int[] exponents = field.MinimalPolynomial.GetExponentsPresent();
if (exponents.Length == 3)
{
this.fieldID = new X9FieldID(exponents[2], exponents[1]);
}
else if (exponents.Length == 5)
{
this.fieldID = new X9FieldID(exponents[4], exponents[1], exponents[2], exponents[3]);
}
else
{
throw new ArgumentException("Only trinomial and pentomial curves are supported");
}
}
else
{
throw new ArgumentException("'curve' is of an unsupported type");
}
}
// The ECMQV Primitive as described in SEC-1, 3.4
private static ECPoint CalculateMqvAgreement(
ECDomainParameters parameters,
ECPrivateKeyParameters d1U,
ECPrivateKeyParameters d2U,
ECPublicKeyParameters Q2U,
ECPublicKeyParameters Q1V,
ECPublicKeyParameters Q2V)
{
BigInteger n = parameters.N;
int e = (n.BitLength + 1) / 2;
BigInteger powE = BigInteger.One.ShiftLeft(e);
ECCurve curve = parameters.Curve;
ECPoint[] points = new ECPoint[]{
// The Q2U public key is optional
ECAlgorithms.ImportPoint(curve, Q2U == null ? parameters.G.Multiply(d2U.D) : Q2U.Q),
ECAlgorithms.ImportPoint(curve, Q1V.Q),
ECAlgorithms.ImportPoint(curve, Q2V.Q)
};
curve.NormalizeAll(points);
ECPoint q2u = points[0], q1v = points[1], q2v = points[2];
BigInteger x = q2u.AffineXCoord.ToBigInteger();
BigInteger xBar = x.Mod(powE);
BigInteger Q2UBar = xBar.SetBit(e);
BigInteger s = d1U.D.Multiply(Q2UBar).Add(d2U.D).Mod(n);
BigInteger xPrime = q2v.AffineXCoord.ToBigInteger();
BigInteger xPrimeBar = xPrime.Mod(powE);
BigInteger Q2VBar = xPrimeBar.SetBit(e);
BigInteger hs = parameters.H.Multiply(s).Mod(n);
return ECAlgorithms.SumOfTwoMultiplies(
q1v, Q2VBar.Multiply(hs).Mod(n), q2v, hs);
}
public ECDomainParameters(
ECCurve curve,
ECPoint g,
BigInteger n,
BigInteger h,
byte[] seed)
{
if (curve == null)
throw new ArgumentNullException("curve");
if (g == null)
throw new ArgumentNullException("g");
if (n == null)
throw new ArgumentNullException("n");
if (h == null)
throw new ArgumentNullException("h");
this.curve = curve;
this.g = g.Normalize();
this.n = n;
this.h = h;
this.seed = Arrays.Clone(seed);
}
public static ECPoint SumOfTwoMultiplies(ECPoint P, BigInteger a, ECPoint Q, BigInteger b)
{
ECCurve cp = P.Curve;
Q = ImportPoint(cp, Q);
// Point multiplication for Koblitz curves (using WTNAF) beats Shamir's trick
{
AbstractF2mCurve f2mCurve = cp as AbstractF2mCurve;
if(f2mCurve != null && f2mCurve.IsKoblitz)
{
return ValidatePoint(P.Multiply(a).Add(Q.Multiply(b)));
}
}
GlvEndomorphism glvEndomorphism = cp.GetEndomorphism() as GlvEndomorphism;
if(glvEndomorphism != null)
{
return ValidatePoint(
ImplSumOfMultipliesGlv(new ECPoint[] { P, Q }, new BigInteger[] { a, b }, glvEndomorphism));
}
return ValidatePoint(ImplShamirsTrickWNaf(P, a, Q, b));
}
public X9ECPoint(ECPoint p, bool compressed)
{
this.p = p.Normalize();
this.encoding = new DerOctetString(p.GetEncoded(compressed));
}
public X9ECPoint(ECPoint p)
: this(p, false)
{
}
public override ECPoint ImportPoint(ECPoint p)
{
if (this != p.Curve && this.CoordinateSystem == COORD_JACOBIAN && !p.IsInfinity)
{
switch (p.Curve.CoordinateSystem)
{
case COORD_JACOBIAN:
case COORD_JACOBIAN_CHUDNOVSKY:
case COORD_JACOBIAN_MODIFIED:
return new FpPoint(this,
FromBigInteger(p.RawXCoord.ToBigInteger()),
FromBigInteger(p.RawYCoord.ToBigInteger()),
new ECFieldElement[] { FromBigInteger(p.GetZCoord(0).ToBigInteger()) },
p.IsCompressed);
default:
break;
}
}
return base.ImportPoint(p);
}
protected virtual void CheckPoints(ECPoint[] points)
{
if (points == null)
throw new ArgumentNullException("points");
for (int i = 0; i < points.Length; ++i)
{
ECPoint point = points[i];
if (null != point && this != point.Curve)
throw new ArgumentException("entries must be null or on this curve", "points");
}
}
protected virtual void CheckPoint(ECPoint point)
{
if (null == point || (this != point.Curve))
throw new ArgumentException("must be non-null and on this curve", "point");
}
/**
* Normalization ensures that any projective coordinate is 1, and therefore that the x, y
* coordinates reflect those of the equivalent point in an affine coordinate system. Where more
* than one point is to be normalized, this method will generally be more efficient than
* normalizing each point separately.
*
* @param points
* An array of points that will be updated in place with their normalized versions,
* where necessary
*/
public virtual void NormalizeAll(ECPoint[] points)
{
CheckPoints(points);
if (this.CoordinateSystem == ECCurve.COORD_AFFINE)
{
return;
}
/*
* Figure out which of the points actually need to be normalized
*/
ECFieldElement[] zs = new ECFieldElement[points.Length];
int[] indices = new int[points.Length];
int count = 0;
for (int i = 0; i < points.Length; ++i)
{
ECPoint p = points[i];
if (null != p && !p.IsNormalized())
{
zs[count] = p.GetZCoord(0);
indices[count++] = i;
}
}
if (count == 0)
{
return;
}
ECAlgorithms.MontgomeryTrick(zs, 0, count);
for (int j = 0; j < count; ++j)
{
int index = indices[j];
points[index] = points[index].Normalize(zs[j]);
}
}
public virtual ECPoint ImportPoint(ECPoint p)
{
if (this == p.Curve)
{
return p;
}
if (p.IsInfinity)
{
return Infinity;
}
// TODO Default behaviour could be improved if the two curves have the same coordinate system by copying any Z coordinates.
p = p.Normalize();
return ValidatePoint(p.XCoord.ToBigInteger(), p.YCoord.ToBigInteger(), p.IsCompressed);
}
internal static ECPoint ImplShamirsTrickJsf(ECPoint P, BigInteger k, ECPoint Q, BigInteger l)
{
ECCurve curve = P.Curve;
ECPoint infinity = curve.Infinity;
// TODO conjugate co-Z addition (ZADDC) can return both of these
ECPoint PaddQ = P.Add(Q);
ECPoint PsubQ = P.Subtract(Q);
ECPoint[] points = new ECPoint[] { Q, PsubQ, P, PaddQ };
curve.NormalizeAll(points);
ECPoint[] table = new ECPoint[] {
points[3].Negate(), points[2].Negate(), points[1].Negate(),
points[0].Negate(), infinity, points[0],
points[1], points[2], points[3] };
byte[] jsf = WNafUtilities.GenerateJsf(k, l);
ECPoint R = infinity;
int i = jsf.Length;
while (--i >= 0)
{
int jsfi = jsf[i];
// NOTE: The shifting ensures the sign is extended correctly
int kDigit = ((jsfi << 24) >> 28), lDigit = ((jsfi << 28) >> 28);
int index = 4 + (kDigit * 3) + lDigit;
R = R.TwicePlus(table[index]);
}
return R;
}
internal static ECPoint ImplShamirsTrickWNaf(ECPoint P, BigInteger k, ECPointMap pointMapQ, BigInteger l)
{
bool negK = k.SignValue < 0, negL = l.SignValue < 0;
k = k.Abs();
l = l.Abs();
int width = System.Math.Max(2, System.Math.Min(16, WNafUtilities.GetWindowSize(System.Math.Max(k.BitLength, l.BitLength))));
ECPoint Q = WNafUtilities.MapPointWithPrecomp(P, width, true, pointMapQ);
WNafPreCompInfo infoP = WNafUtilities.GetWNafPreCompInfo(P);
WNafPreCompInfo infoQ = WNafUtilities.GetWNafPreCompInfo(Q);
ECPoint[] preCompP = negK ? infoP.PreCompNeg : infoP.PreComp;
ECPoint[] preCompQ = negL ? infoQ.PreCompNeg : infoQ.PreComp;
ECPoint[] preCompNegP = negK ? infoP.PreComp : infoP.PreCompNeg;
ECPoint[] preCompNegQ = negL ? infoQ.PreComp : infoQ.PreCompNeg;
byte[] wnafP = WNafUtilities.GenerateWindowNaf(width, k);
byte[] wnafQ = WNafUtilities.GenerateWindowNaf(width, l);
return ImplShamirsTrickWNaf(preCompP, preCompNegP, wnafP, preCompQ, preCompNegQ, wnafQ);
}
private static ECPoint ImplShamirsTrickWNaf(ECPoint[] preCompP, ECPoint[] preCompNegP, byte[] wnafP,
ECPoint[] preCompQ, ECPoint[] preCompNegQ, byte[] wnafQ)
{
int len = System.Math.Max(wnafP.Length, wnafQ.Length);
ECCurve curve = preCompP[0].Curve;
ECPoint infinity = curve.Infinity;
ECPoint R = infinity;
int zeroes = 0;
for (int i = len - 1; i >= 0; --i)
{
int wiP = i < wnafP.Length ? (int)(sbyte)wnafP[i] : 0;
int wiQ = i < wnafQ.Length ? (int)(sbyte)wnafQ[i] : 0;
if ((wiP | wiQ) == 0)
{
++zeroes;
continue;
}
ECPoint r = infinity;
if (wiP != 0)
{
int nP = System.Math.Abs(wiP);
ECPoint[] tableP = wiP < 0 ? preCompNegP : preCompP;
r = r.Add(tableP[nP >> 1]);
}
if (wiQ != 0)
{
int nQ = System.Math.Abs(wiQ);
ECPoint[] tableQ = wiQ < 0 ? preCompNegQ : preCompQ;
r = r.Add(tableQ[nQ >> 1]);
}
if (zeroes > 0)
{
R = R.TimesPow2(zeroes);
zeroes = 0;
}
R = R.TwicePlus(r);
}
if (zeroes > 0)
{
R = R.TimesPow2(zeroes);
}
return R;
}
internal static ECPoint ImplSumOfMultiplies(ECPoint[] ps, ECPointMap pointMap, BigInteger[] ks)
{
int halfCount = ps.Length, fullCount = halfCount << 1;
bool[] negs = new bool[fullCount];
WNafPreCompInfo[] infos = new WNafPreCompInfo[fullCount];
byte[][] wnafs = new byte[fullCount][];
for (int i = 0; i < halfCount; ++i)
{
int j0 = i << 1, j1 = j0 + 1;
BigInteger kj0 = ks[j0]; negs[j0] = kj0.SignValue < 0; kj0 = kj0.Abs();
BigInteger kj1 = ks[j1]; negs[j1] = kj1.SignValue < 0; kj1 = kj1.Abs();
int width = System.Math.Max(2, System.Math.Min(16, WNafUtilities.GetWindowSize(System.Math.Max(kj0.BitLength, kj1.BitLength))));
ECPoint P = ps[i], Q = WNafUtilities.MapPointWithPrecomp(P, width, true, pointMap);
infos[j0] = WNafUtilities.GetWNafPreCompInfo(P);
infos[j1] = WNafUtilities.GetWNafPreCompInfo(Q);
wnafs[j0] = WNafUtilities.GenerateWindowNaf(width, kj0);
wnafs[j1] = WNafUtilities.GenerateWindowNaf(width, kj1);
}
return ImplSumOfMultiplies(negs, infos, wnafs);
}
internal static ECPoint ImplSumOfMultipliesGlv(ECPoint[] ps, BigInteger[] ks, GlvEndomorphism glvEndomorphism)
{
BigInteger n = ps[0].Curve.Order;
int len = ps.Length;
BigInteger[] abs = new BigInteger[len << 1];
for (int i = 0, j = 0; i < len; ++i)
{
BigInteger[] ab = glvEndomorphism.DecomposeScalar(ks[i].Mod(n));
abs[j++] = ab[0];
abs[j++] = ab[1];
}
ECPointMap pointMap = glvEndomorphism.PointMap;
if (glvEndomorphism.HasEfficientPointMap)
{
return ECAlgorithms.ImplSumOfMultiplies(ps, pointMap, abs);
}
ECPoint[] pqs = new ECPoint[len << 1];
for (int i = 0, j = 0; i < len; ++i)
{
ECPoint p = ps[i], q = pointMap.Map(p);
pqs[j++] = p;
pqs[j++] = q;
}
return ECAlgorithms.ImplSumOfMultiplies(pqs, abs);
}
internal static ECPoint ImplSumOfMultiplies(ECPoint[] ps, BigInteger[] ks)
{
int count = ps.Length;
bool[] negs = new bool[count];
WNafPreCompInfo[] infos = new WNafPreCompInfo[count];
byte[][] wnafs = new byte[count][];
for (int i = 0; i < count; ++i)
{
BigInteger ki = ks[i]; negs[i] = ki.SignValue < 0; ki = ki.Abs();
int width = System.Math.Max(2, System.Math.Min(16, WNafUtilities.GetWindowSize(ki.BitLength)));
infos[i] = WNafUtilities.Precompute(ps[i], width, true);
wnafs[i] = WNafUtilities.GenerateWindowNaf(width, ki);
}
return ImplSumOfMultiplies(negs, infos, wnafs);
}
public virtual PreCompInfo GetPreCompInfo(ECPoint point, string name)
{
CheckPoint(point);
lock (point)
{
IDictionary table = point.m_preCompTable;
return table == null ? null : (PreCompInfo)table[name];
}
}
/**
* Adds <code>PreCompInfo</code> for a point on this curve, under a given name. Used by
* <code>ECMultiplier</code>s to save the precomputation for this <code>ECPoint</code> for use
* by subsequent multiplication.
*
* @param point
* The <code>ECPoint</code> to store precomputations for.
* @param name
* A <code>String</code> used to index precomputations of different types.
* @param preCompInfo
* The values precomputed by the <code>ECMultiplier</code>.
*/
public virtual void SetPreCompInfo(ECPoint point, string name, PreCompInfo preCompInfo)
{
CheckPoint(point);
lock (point)
{
IDictionary table = point.m_preCompTable;
if (null == table)
{
point.m_preCompTable = table = Platform.CreateHashtable(4);
}
table[name] = preCompInfo;
}
}
protected virtual ECFieldElement GetDenominator(int coordinateSystem, ECPoint p)
{
switch(coordinateSystem)
{
case ECCurve.COORD_HOMOGENEOUS:
case ECCurve.COORD_LAMBDA_PROJECTIVE:
case ECCurve.COORD_SKEWED:
return p.GetZCoord(0);
case ECCurve.COORD_JACOBIAN:
case ECCurve.COORD_JACOBIAN_CHUDNOVSKY:
case ECCurve.COORD_JACOBIAN_MODIFIED:
return p.GetZCoord(0).Square();
default:
return null;
}
}
public static ECPoint ValidatePoint(ECPoint p)
{
if (!p.IsValid())
throw new ArgumentException("Invalid point", "p");
return p;
}
