studio/cli
2
0
Fork 0
Code Issues Pull Requests Actions Packages Releases 4 Wiki Activity

chore: checkpoint before Python removal

Browse Source
This commit is contained in:
Sienna Meridian Satterwhite
2026-03-26 22:33:59 +00:00
parent 683cec9307
commit e568ddf82a
29972 changed files with 11269302 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
vendor/p256/.cargo-checksum.json vendored Normal file
View File

@@ -0,0 +1 @@
{"files":{".cargo_vcs_info.json":"0b69d56d90ebc939fdc3a9922b2df145f69819a8b7288266a5cc7848186e41f6","CHANGELOG.md":"3272f88b47cecbeb331fec729b83de2390cf4dd38115419fa5058b679dc6b38e","Cargo.toml":"7f2c98e9af91a495cf341425f77b782d6c253dba9cf4f63a16d63489ecb9ddfc","Cargo.toml.orig":"7e3be28c59320935a37d60bcd3e1f3e3863939279c6d7a114e1ad83e877e94e8","LICENSE-APACHE":"a9040321c3712d8fd0b09cf52b17445de04a23a10165049ae187cd39e5c86be5","LICENSE-MIT":"233b95ccbf90dc67e32f3e8995c489f6312d9191ebd141a931c3b684f1e3be6d","README.md":"853918bdd020ad083277d1334b4a750b2f5171d814c86d4620e5cdbc46313828","benches/field.rs":"ca079736657a3219905fd318eaa92b73d049d2a9f9dccc04731868715f8bf5e2","benches/scalar.rs":"6c42feb64301d2be881e84b5c3dfc0cb7016ac6f457e0819ca9df7ed536251e4","src/arithmetic.rs":"90fc20a835f72da3e7c8c9a7120aefb5468bc31a2d5f097d8f57b2f11f3daf42","src/arithmetic/field.rs":"b7ac34f7f82072e45b86d33bb0c82d87058d65e50b1a4e2037753d1d414dfcac","src/arithmetic/field/field32.rs":"eea276076f53bb6a79d634838c6d1587c72d8f43cd7ad21d58ce9bc249d3b477","src/arithmetic/field/field64.rs":"611bc1c282a22913784ca1fd6364c0aae67b04f800fc6bd00a3268b6d50f5e60","src/arithmetic/hash2curve.rs":"02ca3a1d182c1da967656412886f44a9038b91e510308b4832cabd89ea1af850","src/arithmetic/scalar.rs":"50a38c74863ee5e808faf49354eb5c0f9e86a79cb77c68e5cad43e583c11871a","src/arithmetic/scalar/scalar32.rs":"41d30273f6a701abcdfac710cc4ea17f356575d8c58cdec0ffb70cf924de199e","src/arithmetic/scalar/scalar64.rs":"37c2989a1545fca234149374024ce5d5a5a5b0a7fe4de1ab3e9fbb1d61ffd2fb","src/arithmetic/util.rs":"86fcf1662ed0e73a064fc5aefaa886222ae598939856f4a63f2455e4189a33d1","src/ecdh.rs":"787171546abfd6cc92585b0251338a9a3dd9dc914a984fb60d6ff614ef55ecf2","src/ecdsa.rs":"ca2c1ce78f3368a94f71e15d3f355fe05834cd5de8297429d812bb79293c6b9e","src/lib.rs":"df474e465541a9ec708958ff44ea587d9b8d7832a9727454f15abb2ac58b8857","src/test_vectors.rs":"21b05ff78e574ee8d5823ec0f97a7a618e34dd91d0f29a6cbdbf818cc7b68dbc","src/test_vectors/data/wycheproof.blb":"2086114032e72c195e2c49c61f2377c27b141aac455dff8bac3128eaff048253","src/test_vectors/ecdsa.rs":"607d74f05e1ed43d2aa387af6e6b665ec9b66a82e291630b18642ca1032af684","src/test_vectors/field.rs":"62061f33cc39a4b1e16c233411ba54b03a9daa4bb5e76e5c7eff26510626a492","src/test_vectors/group.rs":"d08c69a1e01933d0bfcdccdf08713b35258b7141767a7bf0485fae64ac5bd95f","tests/affine.rs":"fd4c233b9e37c03c6ca942d9020a7a1d71a00daa0fc797701a28e836749f467f","tests/ecdsa.rs":"5da4d26f15ab98a1da5bb02c6858ba5dcb450e7e2ea00d9b368a8ebebf8980d5","tests/examples/pkcs8-private-key.der":"8125ab208d2181ed3ef05ff0ab1906e5898c36a858277e5b987e78e505288769","tests/examples/pkcs8-private-key.pem":"f4171f5ea72bf95ee444ceb868872f5c5d2bbc5fca038ae801b06fb9ac6b9429","tests/examples/pkcs8-public-key.der":"b9968d56ed8d6aa3fb43b15fa01e355d7a3a0203b1408b3fd2733637c4d1642c","tests/examples/pkcs8-public-key.pem":"d1ff198dc495da63f5f909db0254d6e49cff519487fcb26d055a762fc3ca47a1","tests/pkcs8.rs":"271bf78755ef8e8437788a6c970a8a1f04acf78a57e8d00a86c415c86db2fc4f","tests/projective.rs":"53f39d506645e15c254b089b2364aeb76895baa0d6a8f6118a556d2271a95fad","tests/scalar.rs":"8699445399dc568ee7937608bbd2164eef388b398ad8f20cb6d87eef9ae66b89"},"package":"c9863ad85fa8f4460f9c48cb909d38a0d689dba1f6f6988a5e3e0d31071bcd4b"}

6
vendor/p256/.cargo_vcs_info.json vendored Normal file
View File

@@ -0,0 +1,6 @@
{
"git": {
"sha1": "d21a81b2be325db940502fdc5299094b79b450f0"
},
"path_in_vcs": "p256"
}

331
vendor/p256/CHANGELOG.md vendored Normal file
View File

@@ -0,0 +1,331 @@
# Changelog
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## 0.13.2 (2023-04-15)
### Changed
- Enable `pem` feature by default ([#832])
### Fixed
- Have `serde` feature enable `primeorder/serde` ([#851])
[#832]: https://github.com/RustCrypto/elliptic-curves/pull/832
[#851]: https://github.com/RustCrypto/elliptic-curves/pull/851
## 0.13.1 (2023-04-10)
### Changed
- Bump `primeorder` to v0.13.1 ([#819])
### Fixed
- Correct product definition for empty iterators ([#802])
[#802]: https://github.com/RustCrypto/elliptic-curves/pull/802
[#819]: https://github.com/RustCrypto/elliptic-curves/pull/819
## 0.13.0 (2023-03-03)
### Added
- `PrimeField` constants/tests ([#730], [#737], [#738])
- `const fn` inversions for all field elements ([#736])
### Changed
- `FieldBytesEncoding` trait impls ([#732])
- Update `hash2curve` implementations to new API ([#735])
- Impl `Invert` trait for `Scalar` types ([#741])
- Bump `ecdsa` dependency to v0.16 ([#770])
- Bump `elliptic-curve` dependency to v0.13 ([#770])
- Bump `primeorder` dependency to v0.13 ([#777])
### Fixed
- Point compactabtility check ([#772])
[#730]: https://github.com/RustCrypto/elliptic-curves/pull/730
[#732]: https://github.com/RustCrypto/elliptic-curves/pull/732
[#735]: https://github.com/RustCrypto/elliptic-curves/pull/735
[#736]: https://github.com/RustCrypto/elliptic-curves/pull/736
[#737]: https://github.com/RustCrypto/elliptic-curves/pull/737
[#738]: https://github.com/RustCrypto/elliptic-curves/pull/738
[#741]: https://github.com/RustCrypto/elliptic-curves/pull/741
[#770]: https://github.com/RustCrypto/elliptic-curves/pull/770
[#772]: https://github.com/RustCrypto/elliptic-curves/pull/772
[#777]: https://github.com/RustCrypto/elliptic-curves/pull/777
## 0.12.0 (2023-01-16)
### Added
- 32-bit scalar backend ([#636])
- `alloc` feature ([#670])
- Constructors for `Scalar` from `u128` ([#709])
### Changed
- Use generic curve arithmetic implementation from `primeorder` crate ([#631], [#716])
- Use `U256` as the inner type for `FieldElement` ([#634])
- Update P-256 VOPRF test vectors ([#693])
- Use weak feature activation; MSRV 1.60 ([#701])
- Bump `ecdsa` dependency to v0.15 ([#713])
[#631]: https://github.com/RustCrypto/elliptic-curves/pull/631
[#634]: https://github.com/RustCrypto/elliptic-curves/pull/634
[#636]: https://github.com/RustCrypto/elliptic-curves/pull/636
[#670]: https://github.com/RustCrypto/elliptic-curves/pull/670
[#693]: https://github.com/RustCrypto/elliptic-curves/pull/693
[#701]: https://github.com/RustCrypto/elliptic-curves/pull/701
[#709]: https://github.com/RustCrypto/elliptic-curves/pull/709
[#713]: https://github.com/RustCrypto/elliptic-curves/pull/713
[#716]: https://github.com/RustCrypto/elliptic-curves/pull/716
## 0.11.1 (2022-06-12)
### Added
- Re-export low-level `diffie_hellman` function ([#556])
- Additional RFC6979 test vectors ([#591])
### Changed
- Use a 4-bit window for scalar multiplication ([#563])
- `invert()`, `sqrt()`: replace exponentiations with addition chains ([#564])
- Use generic prime order formulas ([#602])
[#556]: https://github.com/RustCrypto/elliptic-curves/pull/556
[#563]: https://github.com/RustCrypto/elliptic-curves/pull/563
[#564]: https://github.com/RustCrypto/elliptic-curves/pull/564
[#591]: https://github.com/RustCrypto/elliptic-curves/pull/591
[#602]: https://github.com/RustCrypto/elliptic-curves/pull/602
## 0.11.0 (2022-05-09)
### Changed
- Bump `digest` to v0.10 ([#515])
- Have `pkcs8` feature activate `ecdsa/pkcs8` ([#538])
- Bump `elliptic-curve` to v0.12 ([#544])
- Bump `ecdsa` to v0.14 ([#544])
[#515]: https://github.com/RustCrypto/elliptic-curves/pull/515
[#538]: https://github.com/RustCrypto/elliptic-curves/pull/538
[#544]: https://github.com/RustCrypto/elliptic-curves/pull/544
## 0.10.1 (2022-01-17)
### Added
- Impl `ff::Field` trait for `FieldElement` ([#498])
- hash2curve support: impl `GroupDigest` trait for `NistP256` ([#503])
- Impl `VoprfParameters` trait for `NistP256` ([#506])
- Impl `ReduceNonZero<U256>` trait for `Scalar` ([#507])
- `IDENTITY` and `GENERATOR` point constants ([#509], [#511])
[#498]: https://github.com/RustCrypto/elliptic-curves/pull/498
[#503]: https://github.com/RustCrypto/elliptic-curves/pull/503
[#506]: https://github.com/RustCrypto/elliptic-curves/pull/506
[#507]: https://github.com/RustCrypto/elliptic-curves/pull/507
[#509]: https://github.com/RustCrypto/elliptic-curves/pull/509
[#511]: https://github.com/RustCrypto/elliptic-curves/pull/511
## 0.10.0 (2021-12-14)
### Added
- Implement point compaction support ([#357])
- Implement `Scalar::sqrt` ([#392])
- Impl `DefaultIsZeroes` for `ProjectivePoint` ([#414])
- Impl `PrimeCurveArithmetic` ([#415])
- Impl `Reduce<U256>` for `Scalar` ([#436])
- `serde` feature ([#463], [#465])
- Impl `LinearCombination` trait ([#476])
### Changed
- Use `PrimeCurve` trait ([#413])
- Use `sec1` crate for `EncodedPoint` type ([#435])
- Replace `ecdsa::hazmat::FromDigest` with `Reduce` ([#438])
- Make `FromEncodedPoint` return a `CtOption` ([#445])
- Rust 2021 edition upgrade; MSRV 1.56+ ([#453])
- Leverage generic ECDSA implementation from `ecdsa` crate ([#462])
- Bump `elliptic-curve` crate dependency to v0.11 ([#466])
- Bump `ecdsa` crate dependency to v0.13 ([#467])
### Fixed
- `ProjectivePoint::to_bytes()` encoding for identity ([#443])
- Handle identity point in `GroupEncoding` ([#446])
[#357]: https://github.com/RustCrypto/elliptic-curves/pull/357
[#392]: https://github.com/RustCrypto/elliptic-curves/pull/392
[#413]: https://github.com/RustCrypto/elliptic-curves/pull/413
[#414]: https://github.com/RustCrypto/elliptic-curves/pull/414
[#415]: https://github.com/RustCrypto/elliptic-curves/pull/415
[#435]: https://github.com/RustCrypto/elliptic-curves/pull/435
[#436]: https://github.com/RustCrypto/elliptic-curves/pull/436
[#438]: https://github.com/RustCrypto/elliptic-curves/pull/438
[#443]: https://github.com/RustCrypto/elliptic-curves/pull/443
[#445]: https://github.com/RustCrypto/elliptic-curves/pull/445
[#446]: https://github.com/RustCrypto/elliptic-curves/pull/446
[#453]: https://github.com/RustCrypto/elliptic-curves/pull/453
[#463]: https://github.com/RustCrypto/elliptic-curves/pull/463
[#465]: https://github.com/RustCrypto/elliptic-curves/pull/465
[#466]: https://github.com/RustCrypto/elliptic-curves/pull/466
[#467]: https://github.com/RustCrypto/elliptic-curves/pull/467
[#476]: https://github.com/RustCrypto/elliptic-curves/pull/476
## 0.9.0 (2021-06-08)
### Added
- `AffineArithmetic` trait impl ([#347])
- `PrimeCurve` trait impls ([#350])
### Changed
- Bump `elliptic-curve` to v0.10; MSRV 1.51+ ([#349])
- Bump `ecdsa` to v0.12 ([#349])
[#347]: https://github.com/RustCrypto/elliptic-curves/pull/347
[#349]: https://github.com/RustCrypto/elliptic-curves/pull/349
[#350]: https://github.com/RustCrypto/elliptic-curves/pull/350
## 0.8.1 (2021-05-10)
### Fixed
- Mixed coordinate addition with the point at infinity ([#337])
[#337]: https://github.com/RustCrypto/elliptic-curves/pull/337
## 0.8.0 (2021-04-29)
### Added
- `jwk` feature ([#279])
- Wycheproof ECDSA P-256 test vectors ([#313])
- `Order` constant ([#328])
### Changed
- Rename `ecdsa::Asn1Signature` to `::DerSignature` ([#288])
- Migrate to `FromDigest` trait from `ecdsa` crate ([#292])
- Bump `elliptic-curve` to v0.9.2 ([#296])
- Bump `pkcs8` to v0.6 ([#319])
- Bump `ecdsa` crate dependency to v0.11 ([#330])
### Fixed
- `DigestPrimitive` feature gating ([#324])
[#279]: https://github.com/RustCrypto/elliptic-curves/pull/279
[#288]: https://github.com/RustCrypto/elliptic-curves/pull/288
[#292]: https://github.com/RustCrypto/elliptic-curves/pull/292
[#296]: https://github.com/RustCrypto/elliptic-curves/pull/296
[#313]: https://github.com/RustCrypto/elliptic-curves/pull/313
[#319]: https://github.com/RustCrypto/elliptic-curves/pull/319
[#324]: https://github.com/RustCrypto/elliptic-curves/pull/324
[#328]: https://github.com/RustCrypto/elliptic-curves/pull/328
[#330]: https://github.com/RustCrypto/elliptic-curves/pull/330
## 0.7.3 (2021-04-16)
### Changed
- Make `ecdsa` a default feature ([#325])
[#325]: https://github.com/RustCrypto/elliptic-curves/pull/325
## 0.7.2 (2021-01-13)
### Changed
- Have `std` feature activate `ecdsa-core/std` ([#273])
[#273]: https://github.com/RustCrypto/elliptic-curves/pull/273
## 0.7.1 (2020-12-16)
### Fixed
- Trigger docs.rs rebuild with nightly bugfix ([RustCrypto/traits#412])
[RustCrypto/traits#412]: https://github.com/RustCrypto/traits/pull/412
## 0.7.0 (2020-12-16)
### Changed
- Bump `elliptic-curve` dependency to v0.8 ([#260])
- Bump `ecdsa` to v0.10 ([#260])
[#260]: https://github.com/RustCrypto/elliptic-curves/pull/260
## 0.6.0 (2020-12-06)
### Added
- PKCS#8 support ([#243], [#244], [#245])
- `PublicKey` type ([#239])
### Changed
- Bump `elliptic-curve` crate dependency to v0.7; MSRV 1.46+ ([#247])
- Bump `ecdsa` crate dependency to v0.9 ([#247])
[#247]: https://github.com/RustCrypto/elliptic-curves/pull/247
[#245]: https://github.com/RustCrypto/elliptic-curves/pull/245
[#244]: https://github.com/RustCrypto/elliptic-curves/pull/244
[#243]: https://github.com/RustCrypto/elliptic-curves/pull/243
[#239]: https://github.com/RustCrypto/elliptic-curves/pull/239
## 0.5.2 (2020-10-08)
### Fixed
- Regenerate `rustdoc` on https://docs.rs after nightly breakage
## 0.5.1 (2020-10-08)
### Added
- `SecretValue` impl when `arithmetic` feature is disabled ([#222])
[#222]: https://github.com/RustCrypto/elliptic-curves/pull/222
## 0.5.0 (2020-09-18)
### Added
- `ecdsa::Asn1Signature` type alias ([#186])
- `ff` and `group` crate dependencies; MSRV 1.44+ ([#169], [#174])
- `AffinePoint::identity()` and `::is_identity()` ([#167])
### Changed
- Bump `elliptic-curve` crate to v0.6; `ecdsa` to v0.8 ([#180])
- Refactor ProjectiveArithmetic trait ([#179])
- Support generic inner type for `elliptic_curve::SecretKey<C>` ([#177])
- Rename `ElementBytes` => `FieldBytes` ([#176])
- Rename `ecdsa::{Signer, Verifier}` => `::{SigningKey, VerifyKey}` ([#153])
- Rename `Curve::ElementSize` => `FieldSize` ([#150])
- Implement RFC6979 deterministic ECDSA ([#146], [#147])
- Rename `PublicKey` to `EncodedPoint` ([#141])
### Removed
- `rand` feature ([#162])
[#186]: https://github.com/RustCrypto/elliptic-curves/pull/186
[#180]: https://github.com/RustCrypto/elliptic-curves/pull/180
[#179]: https://github.com/RustCrypto/elliptic-curves/pull/179
[#177]: https://github.com/RustCrypto/elliptic-curves/pull/177
[#176]: https://github.com/RustCrypto/elliptic-curves/pull/176
[#174]: https://github.com/RustCrypto/elliptic-curves/pull/174
[#169]: https://github.com/RustCrypto/elliptic-curves/pull/164
[#167]: https://github.com/RustCrypto/elliptic-curves/pull/167
[#162]: https://github.com/RustCrypto/elliptic-curves/pull/162
[#153]: https://github.com/RustCrypto/elliptic-curves/pull/153
[#150]: https://github.com/RustCrypto/elliptic-curves/pull/150
[#147]: https://github.com/RustCrypto/elliptic-curves/pull/147
[#146]: https://github.com/RustCrypto/elliptic-curves/pull/146
[#141]: https://github.com/RustCrypto/elliptic-curves/pull/141
## 0.4.1 (2020-08-11)
### Fixed
- Builds with either `ecdsa-core` or `sha256` in isolation ([#133])
[#133]: https://github.com/RustCrypto/elliptic-curves/pull/133
## 0.4.0 (2020-08-10)
### Added
- ECDSA support ([#73], [#101], [#104], [#105])
- ECDSA public key recovery support ([#110])
- OID support ([#103], [#113])
- Elliptic Curve Diffie-Hellman ([#120])
### Changed
- Bump `elliptic-curve` crate dependency to v0.5 ([#126])
[#73]: https://github.com/RustCrypto/elliptic-curves/pull/73
[#101]: https://github.com/RustCrypto/elliptic-curves/pull/101
[#103]: https://github.com/RustCrypto/elliptic-curves/pull/103
[#104]: https://github.com/RustCrypto/elliptic-curves/pull/104
[#105]: https://github.com/RustCrypto/elliptic-curves/pull/105
[#110]: https://github.com/RustCrypto/elliptic-curves/pull/110
[#113]: https://github.com/RustCrypto/elliptic-curves/pull/113
[#120]: https://github.com/RustCrypto/elliptic-curves/pull/120
[#126]: https://github.com/RustCrypto/elliptic-curves/pull/126
## 0.3.0 (2020-06-08)
### Changed
- Bump `elliptic-curve` crate dependency to v0.4 ([#39])
[#39]: https://github.com/RustCrypto/elliptic-curves/pull/39
## 0.2.0 (2020-04-30)
### Added
- Constant time scalar multiplication ([#18])
- Group operation ([#15])
[#18]: https://github.com/RustCrypto/elliptic-curves/pull/18
[#15]: https://github.com/RustCrypto/elliptic-curves/pull/15
## 0.1.0 (2020-01-15)
- Initial release

181
vendor/p256/Cargo.toml vendored Normal file
View File

@@ -0,0 +1,181 @@
# THIS FILE IS AUTOMATICALLY GENERATED BY CARGO
#
# When uploading crates to the registry Cargo will automatically
# "normalize" Cargo.toml files for maximal compatibility
# with all versions of Cargo and also rewrite `path` dependencies
# to registry (e.g., crates.io) dependencies.
#
# If you are reading this file be aware that the original Cargo.toml
# will likely look very different (and much more reasonable).
# See Cargo.toml.orig for the original contents.
[package]
edition = "2021"
rust-version = "1.65"
name = "p256"
version = "0.13.2"
authors = ["RustCrypto Developers"]
description = """
Pure Rust implementation of the NIST P-256 (a.k.a. secp256r1, prime256v1)
elliptic curve as defined in SP 800-186, with support for ECDH, ECDSA
signing/verification, and general purpose curve arithmetic
"""
documentation = "https://docs.rs/p256"
readme = "README.md"
keywords = [
"crypto",
"ecc",
"nist",
"prime256v1",
"secp256r1",
]
categories = [
"cryptography",
"no-std",
]
license = "Apache-2.0 OR MIT"
repository = "https://github.com/RustCrypto/elliptic-curves/tree/master/p256"
[package.metadata.docs.rs]
all-features = true
rustdoc-args = [
"--cfg",
"docsrs",
]
[[bench]]
name = "field"
harness = false
required-features = ["expose-field"]
[[bench]]
name = "scalar"
harness = false
[dependencies.ecdsa-core]
version = "0.16"
features = ["der"]
optional = true
default-features = false
package = "ecdsa"
[dependencies.elliptic-curve]
version = "0.13.1"
features = [
"hazmat",
"sec1",
]
default-features = false
[dependencies.hex-literal]
version = "0.4"
optional = true
[dependencies.primeorder]
version = "0.13"
optional = true
[dependencies.serdect]
version = "0.2"
optional = true
default-features = false
[dependencies.sha2]
version = "0.10"
optional = true
default-features = false
[dev-dependencies.blobby]
version = "0.3"
[dev-dependencies.criterion]
version = "0.4"
[dev-dependencies.ecdsa-core]
version = "0.16"
features = ["dev"]
default-features = false
package = "ecdsa"
[dev-dependencies.hex-literal]
version = "0.4"
[dev-dependencies.primeorder]
version = "0.13"
features = ["dev"]
[dev-dependencies.proptest]
version = "1"
[dev-dependencies.rand_core]
version = "0.6"
features = ["getrandom"]
[features]
alloc = [
"ecdsa-core?/alloc",
"elliptic-curve/alloc",
]
arithmetic = [
"dep:primeorder",
"elliptic-curve/arithmetic",
]
bits = [
"arithmetic",
"elliptic-curve/bits",
]
default = [
"arithmetic",
"ecdsa",
"pem",
"std",
]
digest = [
"ecdsa-core/digest",
"ecdsa-core/hazmat",
]
ecdh = [
"arithmetic",
"elliptic-curve/ecdh",
]
ecdsa = [
"arithmetic",
"ecdsa-core/signing",
"ecdsa-core/verifying",
"sha256",
]
expose-field = ["arithmetic"]
hash2curve = [
"arithmetic",
"elliptic-curve/hash2curve",
]
jwk = ["elliptic-curve/jwk"]
pem = [
"elliptic-curve/pem",
"ecdsa-core/pem",
"pkcs8",
]
pkcs8 = [
"ecdsa-core?/pkcs8",
"elliptic-curve/pkcs8",
]
serde = [
"ecdsa-core?/serde",
"elliptic-curve/serde",
"primeorder?/serde",
"serdect",
]
sha256 = [
"digest",
"sha2",
]
std = [
"alloc",
"ecdsa-core?/std",
"elliptic-curve/std",
]
test-vectors = ["dep:hex-literal"]
voprf = [
"elliptic-curve/voprf",
"sha2",
]

201
vendor/p256/LICENSE-APACHE vendored Normal file
View File

@@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

25
vendor/p256/LICENSE-MIT vendored Normal file
View File

@@ -0,0 +1,25 @@
Copyright (c) 2020-2023 RustCrypto Developers
Permission is hereby granted, free of charge, to any
person obtaining a copy of this software and associated
documentation files (the "Software"), to deal in the
Software without restriction, including without
limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software
is furnished to do so, subject to the following
conditions:
The above copyright notice and this permission notice
shall be included in all copies or substantial portions
of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF
ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED
TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT
SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR
IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.

91
vendor/p256/README.md vendored Normal file
View File

@@ -0,0 +1,91 @@
# [RustCrypto]: NIST P-256 (secp256r1) elliptic curve
[![crate][crate-image]][crate-link]
[![Docs][docs-image]][docs-link]
[![Build Status][build-image]][build-link]
![Apache2/MIT licensed][license-image]
![Rust Version][rustc-image]
[![Project Chat][chat-image]][chat-link]
Pure Rust implementation of the NIST P-256 (a.k.a. secp256r1, prime256v1)
elliptic curve with support for ECDH, ECDSA signing/verification, and general
purpose curve arithmetic support implemented in terms of traits from the
[`elliptic-curve`] crate.
[Documentation][docs-link]
## ⚠️ Security Warning
The elliptic curve arithmetic contained in this crate has never been
independently audited!
This crate has been designed with the goal of ensuring that secret-dependent
operations are performed in constant time (using the `subtle` crate and
constant-time formulas). However, it has not been thoroughly assessed to ensure
that generated assembly is constant time on common CPU architectures.
USE AT YOUR OWN RISK!
## Supported Algorithms
- [Elliptic Curve Diffie-Hellman (ECDH)][ECDH]: gated under the `ecdh` feature.
- [Elliptic Curve Digital Signature Algorithm (ECDSA)][ECDSA]: gated under the
`ecdsa` feature.
## About NIST P-256
NIST P-256 is a Weierstrass curve specified in [SP 800-186]:
Recommendations for Discrete Logarithm-based Cryptography:
Elliptic Curve Domain Parameters.
Also known as prime256v1 (ANSI X9.62) and secp256r1 (SECG), it's included in
the US National Security Agency's "Suite B" and is widely used in protocols
like TLS and the associated X.509 PKI.
## Minimum Supported Rust Version
Rust **1.65** or higher.
Minimum supported Rust version can be changed in the future, but it will be
done with a minor version bump.
## SemVer Policy
- All on-by-default features of this library are covered by SemVer
- MSRV is considered exempt from SemVer as noted above
## License
All crates licensed under either of
* [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0)
* [MIT license](http://opensource.org/licenses/MIT)
at your option.
### Contribution
Unless you explicitly state otherwise, any contribution intentionally submitted
for inclusion in the work by you, as defined in the Apache-2.0 license, shall be
dual licensed as above, without any additional terms or conditions.
[//]: # (badges)
[crate-image]: https://buildstats.info/crate/p256
[crate-link]: https://crates.io/crates/p256
[docs-image]: https://docs.rs/p256/badge.svg
[docs-link]: https://docs.rs/p256/
[build-image]: https://github.com/RustCrypto/elliptic-curves/actions/workflows/p256.yml/badge.svg
[build-link]: https://github.com/RustCrypto/elliptic-curves/actions/workflows/p256.yml
[license-image]: https://img.shields.io/badge/license-Apache2.0/MIT-blue.svg
[rustc-image]: https://img.shields.io/badge/rustc-1.65+-blue.svg
[chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg
[chat-link]: https://rustcrypto.zulipchat.com/#narrow/stream/260040-elliptic-curves
[//]: # (general links)
[RustCrypto]: https://github.com/rustcrypto/
[`elliptic-curve`]: https://github.com/RustCrypto/traits/tree/master/elliptic-curve
[ECDH]: https://en.wikipedia.org/wiki/Elliptic-curve_Diffie-Hellman
[ECDSA]: https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm
[SP 800-186]: https://csrc.nist.gov/publications/detail/sp/800-186/final

54
vendor/p256/benches/field.rs vendored Normal file
View File

@@ -0,0 +1,54 @@
//! secp256r1 field element benchmarks
use criterion::{
criterion_group, criterion_main, measurement::Measurement, BenchmarkGroup, Criterion,
};
use hex_literal::hex;
use p256::FieldElement;
fn test_field_element_x() -> FieldElement {
FieldElement::from_bytes(
&hex!("1ccbe91c075fc7f4f033bfa248db8fccd3565de94bbfb12f3c59ff46c271bf83").into(),
)
.unwrap()
}
fn test_field_element_y() -> FieldElement {
FieldElement::from_bytes(
&hex!("ce4014c68811f9a21a1fdb2c0e6113e06db7ca93b7404e78dc7ccd5ca89a4ca9").into(),
)
.unwrap()
}
fn bench_field_element_mul<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
let x = test_field_element_x();
let y = test_field_element_y();
group.bench_function("mul", |b| b.iter(|| &x * &y));
}
fn bench_field_element_square<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
let x = test_field_element_x();
group.bench_function("square", |b| b.iter(|| x.square()));
}
fn bench_field_element_sqrt<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
let x = test_field_element_x();
group.bench_function("sqrt", |b| b.iter(|| x.sqrt()));
}
fn bench_field_element_invert<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
let x = test_field_element_x();
group.bench_function("invert", |b| b.iter(|| x.invert()));
}
fn bench_field_element(c: &mut Criterion) {
let mut group = c.benchmark_group("field element operations");
bench_field_element_mul(&mut group);
bench_field_element_square(&mut group);
bench_field_element_invert(&mut group);
bench_field_element_sqrt(&mut group);
group.finish();
}
criterion_group!(benches, bench_field_element);
criterion_main!(benches);

75
vendor/p256/benches/scalar.rs vendored Normal file
View File

@@ -0,0 +1,75 @@
//! secp256r1 scalar arithmetic benchmarks
use criterion::{
criterion_group, criterion_main, measurement::Measurement, BenchmarkGroup, Criterion,
};
use hex_literal::hex;
use p256::{elliptic_curve::group::ff::PrimeField, ProjectivePoint, Scalar};
fn test_scalar_x() -> Scalar {
Scalar::from_repr(
hex!("519b423d715f8b581f4fa8ee59f4771a5b44c8130b4e3eacca54a56dda72b464").into(),
)
.unwrap()
}
fn test_scalar_y() -> Scalar {
Scalar::from_repr(
hex!("0f56db78ca460b055c500064824bed999a25aaf48ebb519ac201537b85479813").into(),
)
.unwrap()
}
fn bench_point_mul<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
let p = ProjectivePoint::GENERATOR;
let m = test_scalar_x();
let s = Scalar::from_repr(m.into()).unwrap();
group.bench_function("point-scalar mul", |b| b.iter(|| &p * &s));
}
fn bench_scalar_sub<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
let x = test_scalar_x();
let y = test_scalar_y();
group.bench_function("sub", |b| b.iter(|| &x - &y));
}
fn bench_scalar_add<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
let x = test_scalar_x();
let y = test_scalar_y();
group.bench_function("add", |b| b.iter(|| &x + &y));
}
fn bench_scalar_mul<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
let x = test_scalar_x();
let y = test_scalar_y();
group.bench_function("mul", |b| b.iter(|| &x * &y));
}
fn bench_scalar_negate<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
let x = test_scalar_x();
group.bench_function("negate", |b| b.iter(|| -x));
}
fn bench_scalar_invert<'a, M: Measurement>(group: &mut BenchmarkGroup<'a, M>) {
let x = test_scalar_x();
group.bench_function("invert", |b| b.iter(|| x.invert()));
}
fn bench_point(c: &mut Criterion) {
let mut group = c.benchmark_group("point operations");
bench_point_mul(&mut group);
group.finish();
}
fn bench_scalar(c: &mut Criterion) {
let mut group = c.benchmark_group("scalar operations");
bench_scalar_sub(&mut group);
bench_scalar_add(&mut group);
bench_scalar_mul(&mut group);
bench_scalar_negate(&mut group);
bench_scalar_invert(&mut group);
group.finish();
}
criterion_group!(benches, bench_point, bench_scalar);
criterion_main!(benches);

59
vendor/p256/src/arithmetic.rs vendored Normal file
View File

@@ -0,0 +1,59 @@
//! Pure Rust implementation of group operations on secp256r1.
//!
//! Curve parameters can be found in [NIST SP 800-186] § G.1.2: Curve P-256.
//!
//! [NIST SP 800-186]: https://csrc.nist.gov/publications/detail/sp/800-186/final
pub(crate) mod field;
#[cfg(feature = "hash2curve")]
mod hash2curve;
pub(crate) mod scalar;
pub(crate) mod util;
use self::{field::FieldElement, scalar::Scalar};
use crate::NistP256;
use elliptic_curve::{CurveArithmetic, PrimeCurveArithmetic};
use primeorder::{point_arithmetic, PrimeCurveParams};
/// Elliptic curve point in affine coordinates.
pub type AffinePoint = primeorder::AffinePoint<NistP256>;
/// Elliptic curve point in projective coordinates.
pub type ProjectivePoint = primeorder::ProjectivePoint<NistP256>;
impl CurveArithmetic for NistP256 {
type AffinePoint = AffinePoint;
type ProjectivePoint = ProjectivePoint;
type Scalar = Scalar;
}
impl PrimeCurveArithmetic for NistP256 {
type CurveGroup = ProjectivePoint;
}
/// Adapted from [NIST SP 800-186] § G.1.2: Curve P-256.
///
/// [NIST SP 800-186]: https://csrc.nist.gov/publications/detail/sp/800-186/final
impl PrimeCurveParams for NistP256 {
type FieldElement = FieldElement;
type PointArithmetic = point_arithmetic::EquationAIsMinusThree;
/// a = -3
const EQUATION_A: FieldElement = FieldElement::from_u64(3).neg();
const EQUATION_B: FieldElement =
FieldElement::from_hex("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b");
/// Base point of P-256.
///
/// Defined in NIST SP 800-186 § G.1.2:
///
/// ```text
/// Gₓ = 6b17d1f2 e12c4247 f8bce6e5 63a440f2 77037d81 2deb33a0 f4a13945 d898c296
/// Gᵧ = 4fe342e2 fe1a7f9b 8ee7eb4a 7c0f9e16 2bce3357 6b315ece cbb64068 37bf51f5
/// ```
const GENERATOR: (FieldElement, FieldElement) = (
FieldElement::from_hex("6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"),
FieldElement::from_hex("4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"),
);
}

309
vendor/p256/src/arithmetic/field.rs vendored Normal file
View File

@@ -0,0 +1,309 @@
//! Field arithmetic modulo p = 2^{224}(2^{32} 1) + 2^{192} + 2^{96} 1
#![allow(clippy::assign_op_pattern, clippy::op_ref)]
#[cfg_attr(target_pointer_width = "32", path = "field/field32.rs")]
#[cfg_attr(target_pointer_width = "64", path = "field/field64.rs")]
mod field_impl;
use self::field_impl::*;
use crate::{FieldBytes, NistP256};
use core::{
fmt::{self, Debug},
iter::{Product, Sum},
ops::{AddAssign, Mul, MulAssign, Neg, SubAssign},
};
use elliptic_curve::{
bigint::U256,
ff::PrimeField,
subtle::{Choice, ConstantTimeEq, CtOption},
};
/// Field modulus serialized as hex.
/// p = 2^{224}(2^{32} 1) + 2^{192} + 2^{96} 1
const MODULUS_HEX: &str = "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff";
/// Constant representing the modulus.
pub const MODULUS: U256 = U256::from_be_hex(MODULUS_HEX);
/// R^2 = 2^512 mod p
const R_2: U256 =
U256::from_be_hex("00000004fffffffdfffffffffffffffefffffffbffffffff0000000000000003");
/// An element in the finite field modulo p = 2^{224}(2^{32} 1) + 2^{192} + 2^{96} 1.
///
/// The internal representation is in little-endian order. Elements are always in
/// Montgomery form; i.e., FieldElement(a) = aR mod p, with R = 2^256.
#[derive(Clone, Copy)]
pub struct FieldElement(pub(crate) U256);
primeorder::impl_mont_field_element!(
NistP256,
FieldElement,
FieldBytes,
U256,
MODULUS,
Fe,
fe_from_montgomery,
fe_to_montgomery,
fe_add,
fe_sub,
fe_mul,
fe_neg,
fe_square
);
impl FieldElement {
/// Returns the multiplicative inverse of self, if self is non-zero.
pub fn invert(&self) -> CtOption<Self> {
CtOption::new(self.invert_unchecked(), !self.is_zero())
}
/// Returns the multiplicative inverse of self.
///
/// Does not check that self is non-zero.
const fn invert_unchecked(&self) -> Self {
// We need to find b such that b * a ≡ 1 mod p. As we are in a prime
// field, we can apply Fermat's Little Theorem:
//
// a^p ≡ a mod p
// a^(p-1) ≡ 1 mod p
// a^(p-2) * a ≡ 1 mod p
//
// Thus inversion can be implemented with a single exponentiation.
let t111 = self.multiply(&self.multiply(&self.square()).square());
let t111111 = t111.multiply(&t111.sqn(3));
let x15 = t111111.sqn(6).multiply(&t111111).sqn(3).multiply(&t111);
let x16 = x15.square().multiply(self);
let i53 = x16.sqn(16).multiply(&x16).sqn(15);
let x47 = x15.multiply(&i53);
x47.multiply(&i53.sqn(17).multiply(self).sqn(143).multiply(&x47).sqn(47))
.sqn(2)
.multiply(self)
}
/// Returns the square root of self mod p, or `None` if no square root exists.
pub fn sqrt(&self) -> CtOption<Self> {
// We need to find alpha such that alpha^2 = beta mod p. For secp256r1,
// p ≡ 3 mod 4. By Euler's Criterion, beta^(p-1)/2 ≡ 1 mod p. So:
//
// alpha^2 = beta beta^((p - 1) / 2) mod p ≡ beta^((p + 1) / 2) mod p
// alpha = ± beta^((p + 1) / 4) mod p
//
// Thus sqrt can be implemented with a single exponentiation.
let t11 = self.mul(&self.square());
let t1111 = t11.mul(&t11.sqn(2));
let t11111111 = t1111.mul(&t1111.sqn(4));
let x16 = t11111111.sqn(8).mul(&t11111111);
let sqrt = x16
.sqn(16)
.mul(&x16)
.sqn(32)
.mul(self)
.sqn(96)
.mul(self)
.sqn(94);
CtOption::new(
sqrt,
(&sqrt * &sqrt).ct_eq(self), // Only return Some if it's the square root.
)
}
/// Returns self^(2^n) mod p
const fn sqn(&self, n: usize) -> Self {
let mut x = *self;
let mut i = 0;
while i < n {
x = x.square();
i += 1;
}
x
}
}
impl PrimeField for FieldElement {
type Repr = FieldBytes;
const MODULUS: &'static str = MODULUS_HEX;
const NUM_BITS: u32 = 256;
const CAPACITY: u32 = 255;
const TWO_INV: Self = Self::from_u64(2).invert_unchecked();
const MULTIPLICATIVE_GENERATOR: Self = Self::from_u64(6);
const S: u32 = 1;
const ROOT_OF_UNITY: Self =
Self::from_hex("ffffffff00000001000000000000000000000000fffffffffffffffffffffffe");
const ROOT_OF_UNITY_INV: Self = Self::ROOT_OF_UNITY.invert_unchecked();
const DELTA: Self = Self::from_u64(36);
#[inline]
fn from_repr(bytes: FieldBytes) -> CtOption<Self> {
Self::from_bytes(&bytes)
}
#[inline]
fn to_repr(&self) -> FieldBytes {
self.to_bytes()
}
#[inline]
fn is_odd(&self) -> Choice {
self.is_odd()
}
}
impl Debug for FieldElement {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
write!(f, "FieldElement(0x{:X})", &self.0)
}
}
#[cfg(test)]
mod tests {
use super::FieldElement;
use crate::{test_vectors::field::DBL_TEST_VECTORS, FieldBytes};
use elliptic_curve::{bigint::U256, ff::PrimeField};
use primeorder::{
impl_field_identity_tests, impl_field_invert_tests, impl_field_sqrt_tests,
impl_primefield_tests,
};
use proptest::{num, prelude::*};
/// t = (modulus - 1) >> S
const T: [u64; 4] = [
0xffffffffffffffff,
0x000000007fffffff,
0x8000000000000000,
0x7fffffff80000000,
];
impl_field_identity_tests!(FieldElement);
impl_field_invert_tests!(FieldElement);
impl_field_sqrt_tests!(FieldElement);
impl_primefield_tests!(FieldElement, T);
#[test]
fn from_bytes() {
assert_eq!(
FieldElement::from_bytes(&FieldBytes::default()).unwrap(),
FieldElement::ZERO
);
assert_eq!(
FieldElement::from_bytes(
&[
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 1
]
.into()
)
.unwrap(),
FieldElement::ONE
);
assert!(bool::from(
FieldElement::from_bytes(&[0xff; 32].into()).is_none()
));
}
#[test]
fn to_bytes() {
assert_eq!(FieldElement::ZERO.to_bytes(), FieldBytes::default());
assert_eq!(
FieldElement::ONE.to_bytes(),
[
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 1
]
.into()
);
}
#[test]
fn repeated_add() {
let mut r = FieldElement::ONE;
for i in 0..DBL_TEST_VECTORS.len() {
assert_eq!(r.to_bytes(), DBL_TEST_VECTORS[i].into());
r = r + &r;
}
}
#[test]
fn repeated_double() {
let mut r = FieldElement::ONE;
for i in 0..DBL_TEST_VECTORS.len() {
assert_eq!(r.to_bytes(), DBL_TEST_VECTORS[i].into());
r = r.double();
}
}
#[test]
fn repeated_mul() {
let mut r = FieldElement::ONE;
let two = r + &r;
for i in 0..DBL_TEST_VECTORS.len() {
assert_eq!(r.to_bytes(), DBL_TEST_VECTORS[i].into());
r = r * &two;
}
}
#[test]
fn negation() {
let two = FieldElement::ONE.double();
let neg_two = -two;
assert_eq!(two + &neg_two, FieldElement::ZERO);
assert_eq!(-neg_two, two);
}
#[test]
fn pow_vartime() {
let one = FieldElement::ONE;
let two = one + &one;
let four = two.square();
assert_eq!(two.pow_vartime(&[2, 0, 0, 0]), four);
}
proptest! {
/// This checks behaviour well within the field ranges, because it doesn't set the
/// highest limb.
#[cfg(target_pointer_width = "32")]
#[test]
fn add_then_sub(
a0 in num::u32::ANY,
a1 in num::u32::ANY,
a2 in num::u32::ANY,
a3 in num::u32::ANY,
a4 in num::u32::ANY,
a5 in num::u32::ANY,
a6 in num::u32::ANY,
b0 in num::u32::ANY,
b1 in num::u32::ANY,
b2 in num::u32::ANY,
b3 in num::u32::ANY,
b4 in num::u32::ANY,
b5 in num::u32::ANY,
b6 in num::u32::ANY,
) {
let a = FieldElement(U256::from_words([a0, a1, a2, a3, a4, a5, a6, 0]));
let b = FieldElement(U256::from_words([b0, b1, b2, b3, b4, b5, b6, 0]));
assert_eq!(a.add(&b).sub(&a), b);
}
/// This checks behaviour well within the field ranges, because it doesn't set the
/// highest limb.
#[cfg(target_pointer_width = "64")]
#[test]
fn add_then_sub(
a0 in num::u64::ANY,
a1 in num::u64::ANY,
a2 in num::u64::ANY,
b0 in num::u64::ANY,
b1 in num::u64::ANY,
b2 in num::u64::ANY,
) {
let a = FieldElement(U256::from_words([a0, a1, a2, 0]));
let b = FieldElement(U256::from_words([b0, b1, b2, 0]));
assert_eq!(a.add(&b).sub(&a), b);
}
}
}

206
vendor/p256/src/arithmetic/field/field32.rs vendored Normal file
View File

@@ -0,0 +1,206 @@
//! 32-bit secp256r1 base field implementation
// TODO(tarcieri): adapt 64-bit arithmetic to proper 32-bit arithmetic
use super::{MODULUS, R_2};
use crate::arithmetic::util::{adc, mac, sbb};
/// Raw field element.
pub type Fe = [u32; 8];
/// Translate a field element out of the Montgomery domain.
#[inline]
pub const fn fe_from_montgomery(w: &Fe) -> Fe {
let w = fe32_to_fe64(w);
montgomery_reduce(&[w[0], w[1], w[2], w[3], 0, 0, 0, 0])
}
/// Translate a field element into the Montgomery domain.
#[inline]
pub const fn fe_to_montgomery(w: &Fe) -> Fe {
fe_mul(w, R_2.as_words())
}
/// Returns `a + b mod p`.
pub const fn fe_add(a: &Fe, b: &Fe) -> Fe {
let a = fe32_to_fe64(a);
let b = fe32_to_fe64(b);
// Bit 256 of p is set, so addition can result in five words.
let (w0, carry) = adc(a[0], b[0], 0);
let (w1, carry) = adc(a[1], b[1], carry);
let (w2, carry) = adc(a[2], b[2], carry);
let (w3, w4) = adc(a[3], b[3], carry);
// Attempt to subtract the modulus, to ensure the result is in the field.
let modulus = fe32_to_fe64(MODULUS.as_words());
sub_inner(
&[w0, w1, w2, w3, w4],
&[modulus[0], modulus[1], modulus[2], modulus[3], 0],
)
}
/// Returns `a - b mod p`.
pub const fn fe_sub(a: &Fe, b: &Fe) -> Fe {
let a = fe32_to_fe64(a);
let b = fe32_to_fe64(b);
sub_inner(&[a[0], a[1], a[2], a[3], 0], &[b[0], b[1], b[2], b[3], 0])
}
/// Returns `a * b mod p`.
pub const fn fe_mul(a: &Fe, b: &Fe) -> Fe {
let a = fe32_to_fe64(a);
let b = fe32_to_fe64(b);
let (w0, carry) = mac(0, a[0], b[0], 0);
let (w1, carry) = mac(0, a[0], b[1], carry);
let (w2, carry) = mac(0, a[0], b[2], carry);
let (w3, w4) = mac(0, a[0], b[3], carry);
let (w1, carry) = mac(w1, a[1], b[0], 0);
let (w2, carry) = mac(w2, a[1], b[1], carry);
let (w3, carry) = mac(w3, a[1], b[2], carry);
let (w4, w5) = mac(w4, a[1], b[3], carry);
let (w2, carry) = mac(w2, a[2], b[0], 0);
let (w3, carry) = mac(w3, a[2], b[1], carry);
let (w4, carry) = mac(w4, a[2], b[2], carry);
let (w5, w6) = mac(w5, a[2], b[3], carry);
let (w3, carry) = mac(w3, a[3], b[0], 0);
let (w4, carry) = mac(w4, a[3], b[1], carry);
let (w5, carry) = mac(w5, a[3], b[2], carry);
let (w6, w7) = mac(w6, a[3], b[3], carry);
montgomery_reduce(&[w0, w1, w2, w3, w4, w5, w6, w7])
}
/// Returns `-w mod p`.
pub const fn fe_neg(w: &Fe) -> Fe {
fe_sub(&[0; 8], w)
}
/// Returns `w * w mod p`.
pub const fn fe_square(w: &Fe) -> Fe {
fe_mul(w, w)
}
/// Montgomery Reduction
///
/// The general algorithm is:
/// ```text
/// A <- input (2n b-limbs)
/// for i in 0..n {
/// k <- A[i] p' mod b
/// A <- A + k p b^i
/// }
/// A <- A / b^n
/// if A >= p {
/// A <- A - p
/// }
/// ```
///
/// For secp256r1, we have the following simplifications:
///
/// - `p'` is 1, so our multiplicand is simply the first limb of the intermediate A.
///
/// - The first limb of p is 2^64 - 1; multiplications by this limb can be simplified
/// to a shift and subtraction:
/// ```text
/// a_i * (2^64 - 1) = a_i * 2^64 - a_i = (a_i << 64) - a_i
/// ```
/// However, because `p' = 1`, the first limb of p is multiplied by limb i of the
/// intermediate A and then immediately added to that same limb, so we simply
/// initialize the carry to limb i of the intermediate.
///
/// - The third limb of p is zero, so we can ignore any multiplications by it and just
/// add the carry.
///
/// References:
/// - Handbook of Applied Cryptography, Chapter 14
/// Algorithm 14.32
/// http://cacr.uwaterloo.ca/hac/about/chap14.pdf
///
/// - Efficient and Secure Elliptic Curve Cryptography Implementation of Curve P-256
/// Algorithm 7) Montgomery Word-by-Word Reduction
/// https://csrc.nist.gov/csrc/media/events/workshop-on-elliptic-curve-cryptography-standards/documents/papers/session6-adalier-mehmet.pdf
#[inline]
#[allow(clippy::too_many_arguments)]
const fn montgomery_reduce(r: &[u64; 8]) -> Fe {
let r0 = r[0];
let r1 = r[1];
let r2 = r[2];
let r3 = r[3];
let r4 = r[4];
let r5 = r[5];
let r6 = r[6];
let r7 = r[7];
let modulus = fe32_to_fe64(MODULUS.as_words());
let (r1, carry) = mac(r1, r0, modulus[1], r0);
let (r2, carry) = adc(r2, 0, carry);
let (r3, carry) = mac(r3, r0, modulus[3], carry);
let (r4, carry2) = adc(r4, 0, carry);
let (r2, carry) = mac(r2, r1, modulus[1], r1);
let (r3, carry) = adc(r3, 0, carry);
let (r4, carry) = mac(r4, r1, modulus[3], carry);
let (r5, carry2) = adc(r5, carry2, carry);
let (r3, carry) = mac(r3, r2, modulus[1], r2);
let (r4, carry) = adc(r4, 0, carry);
let (r5, carry) = mac(r5, r2, modulus[3], carry);
let (r6, carry2) = adc(r6, carry2, carry);
let (r4, carry) = mac(r4, r3, modulus[1], r3);
let (r5, carry) = adc(r5, 0, carry);
let (r6, carry) = mac(r6, r3, modulus[3], carry);
let (r7, r8) = adc(r7, carry2, carry);
// Result may be within MODULUS of the correct value
sub_inner(
&[r4, r5, r6, r7, r8],
&[modulus[0], modulus[1], modulus[2], modulus[3], 0],
)
}
#[inline]
#[allow(clippy::too_many_arguments)]
const fn sub_inner(l: &[u64; 5], r: &[u64; 5]) -> Fe {
let (w0, borrow) = sbb(l[0], r[0], 0);
let (w1, borrow) = sbb(l[1], r[1], borrow);
let (w2, borrow) = sbb(l[2], r[2], borrow);
let (w3, borrow) = sbb(l[3], r[3], borrow);
let (_, borrow) = sbb(l[4], r[4], borrow);
// If underflow occurred on the final limb, borrow = 0xfff...fff, otherwise
// borrow = 0x000...000. Thus, we use it as a mask to conditionally add the
// modulus.
let modulus = fe32_to_fe64(MODULUS.as_words());
let (w0, carry) = adc(w0, modulus[0] & borrow, 0);
let (w1, carry) = adc(w1, modulus[1] & borrow, carry);
let (w2, carry) = adc(w2, modulus[2] & borrow, carry);
let (w3, _) = adc(w3, modulus[3] & borrow, carry);
[
(w0 & 0xFFFFFFFF) as u32,
(w0 >> 32) as u32,
(w1 & 0xFFFFFFFF) as u32,
(w1 >> 32) as u32,
(w2 & 0xFFFFFFFF) as u32,
(w2 >> 32) as u32,
(w3 & 0xFFFFFFFF) as u32,
(w3 >> 32) as u32,
]
}
// TODO(tarcieri): replace this with proper 32-bit arithmetic
#[inline]
const fn fe32_to_fe64(fe32: &Fe) -> [u64; 4] {
[
(fe32[0] as u64) | ((fe32[1] as u64) << 32),
(fe32[2] as u64) | ((fe32[3] as u64) << 32),
(fe32[4] as u64) | ((fe32[5] as u64) << 32),
(fe32[6] as u64) | ((fe32[7] as u64) << 32),
]
}

175
vendor/p256/src/arithmetic/field/field64.rs vendored Normal file
View File

@@ -0,0 +1,175 @@
//! 64-bit secp256r1 base field implementation
use super::{MODULUS, R_2};
use crate::arithmetic::util::{adc, mac, sbb};
/// Raw field element.
pub type Fe = [u64; 4];
/// Translate a field element out of the Montgomery domain.
#[inline]
pub const fn fe_from_montgomery(w: &Fe) -> Fe {
montgomery_reduce(&[w[0], w[1], w[2], w[3], 0, 0, 0, 0])
}
/// Translate a field element into the Montgomery domain.
#[inline]
pub const fn fe_to_montgomery(w: &Fe) -> Fe {
fe_mul(w, R_2.as_words())
}
/// Returns `a + b mod p`.
pub const fn fe_add(a: &Fe, b: &Fe) -> Fe {
// Bit 256 of p is set, so addition can result in five words.
let (w0, carry) = adc(a[0], b[0], 0);
let (w1, carry) = adc(a[1], b[1], carry);
let (w2, carry) = adc(a[2], b[2], carry);
let (w3, w4) = adc(a[3], b[3], carry);
// Attempt to subtract the modulus, to ensure the result is in the field.
let modulus = MODULUS.as_words();
sub_inner(
&[w0, w1, w2, w3, w4],
&[modulus[0], modulus[1], modulus[2], modulus[3], 0],
)
}
/// Returns `a - b mod p`.
pub const fn fe_sub(a: &Fe, b: &Fe) -> Fe {
sub_inner(&[a[0], a[1], a[2], a[3], 0], &[b[0], b[1], b[2], b[3], 0])
}
/// Returns `a * b mod p`.
pub const fn fe_mul(a: &Fe, b: &Fe) -> Fe {
let (w0, carry) = mac(0, a[0], b[0], 0);
let (w1, carry) = mac(0, a[0], b[1], carry);
let (w2, carry) = mac(0, a[0], b[2], carry);
let (w3, w4) = mac(0, a[0], b[3], carry);
let (w1, carry) = mac(w1, a[1], b[0], 0);
let (w2, carry) = mac(w2, a[1], b[1], carry);
let (w3, carry) = mac(w3, a[1], b[2], carry);
let (w4, w5) = mac(w4, a[1], b[3], carry);
let (w2, carry) = mac(w2, a[2], b[0], 0);
let (w3, carry) = mac(w3, a[2], b[1], carry);
let (w4, carry) = mac(w4, a[2], b[2], carry);
let (w5, w6) = mac(w5, a[2], b[3], carry);
let (w3, carry) = mac(w3, a[3], b[0], 0);
let (w4, carry) = mac(w4, a[3], b[1], carry);
let (w5, carry) = mac(w5, a[3], b[2], carry);
let (w6, w7) = mac(w6, a[3], b[3], carry);
montgomery_reduce(&[w0, w1, w2, w3, w4, w5, w6, w7])
}
/// Returns `-w mod p`.
pub const fn fe_neg(w: &Fe) -> Fe {
fe_sub(&[0, 0, 0, 0], w)
}
/// Returns `w * w mod p`.
pub const fn fe_square(w: &Fe) -> Fe {
fe_mul(w, w)
}
/// Montgomery Reduction
///
/// The general algorithm is:
/// ```text
/// A <- input (2n b-limbs)
/// for i in 0..n {
/// k <- A[i] p' mod b
/// A <- A + k p b^i
/// }
/// A <- A / b^n
/// if A >= p {
/// A <- A - p
/// }
/// ```
///
/// For secp256r1, we have the following simplifications:
///
/// - `p'` is 1, so our multiplicand is simply the first limb of the intermediate A.
///
/// - The first limb of p is 2^64 - 1; multiplications by this limb can be simplified
/// to a shift and subtraction:
/// ```text
/// a_i * (2^64 - 1) = a_i * 2^64 - a_i = (a_i << 64) - a_i
/// ```
/// However, because `p' = 1`, the first limb of p is multiplied by limb i of the
/// intermediate A and then immediately added to that same limb, so we simply
/// initialize the carry to limb i of the intermediate.
///
/// - The third limb of p is zero, so we can ignore any multiplications by it and just
/// add the carry.
///
/// References:
/// - Handbook of Applied Cryptography, Chapter 14
/// Algorithm 14.32
/// http://cacr.uwaterloo.ca/hac/about/chap14.pdf
///
/// - Efficient and Secure Elliptic Curve Cryptography Implementation of Curve P-256
/// Algorithm 7) Montgomery Word-by-Word Reduction
/// https://csrc.nist.gov/csrc/media/events/workshop-on-elliptic-curve-cryptography-standards/documents/papers/session6-adalier-mehmet.pdf
#[inline]
#[allow(clippy::too_many_arguments)]
const fn montgomery_reduce(r: &[u64; 8]) -> Fe {
let r0 = r[0];
let r1 = r[1];
let r2 = r[2];
let r3 = r[3];
let r4 = r[4];
let r5 = r[5];
let r6 = r[6];
let r7 = r[7];
let modulus = MODULUS.as_words();
let (r1, carry) = mac(r1, r0, modulus[1], r0);
let (r2, carry) = adc(r2, 0, carry);
let (r3, carry) = mac(r3, r0, modulus[3], carry);
let (r4, carry2) = adc(r4, 0, carry);
let (r2, carry) = mac(r2, r1, modulus[1], r1);
let (r3, carry) = adc(r3, 0, carry);
let (r4, carry) = mac(r4, r1, modulus[3], carry);
let (r5, carry2) = adc(r5, carry2, carry);
let (r3, carry) = mac(r3, r2, modulus[1], r2);
let (r4, carry) = adc(r4, 0, carry);
let (r5, carry) = mac(r5, r2, modulus[3], carry);
let (r6, carry2) = adc(r6, carry2, carry);
let (r4, carry) = mac(r4, r3, modulus[1], r3);
let (r5, carry) = adc(r5, 0, carry);
let (r6, carry) = mac(r6, r3, modulus[3], carry);
let (r7, r8) = adc(r7, carry2, carry);
// Result may be within MODULUS of the correct value
sub_inner(
&[r4, r5, r6, r7, r8],
&[modulus[0], modulus[1], modulus[2], modulus[3], 0],
)
}
#[inline]
#[allow(clippy::too_many_arguments)]
const fn sub_inner(l: &[u64; 5], r: &[u64; 5]) -> Fe {
let (w0, borrow) = sbb(l[0], r[0], 0);
let (w1, borrow) = sbb(l[1], r[1], borrow);
let (w2, borrow) = sbb(l[2], r[2], borrow);
let (w3, borrow) = sbb(l[3], r[3], borrow);
let (_, borrow) = sbb(l[4], r[4], borrow);
// If underflow occurred on the final limb, borrow = 0xfff...fff, otherwise
// borrow = 0x000...000. Thus, we use it as a mask to conditionally add the
// modulus.
let modulus = MODULUS.as_words();
let (w0, carry) = adc(w0, modulus[0] & borrow, 0);
let (w1, carry) = adc(w1, modulus[1] & borrow, carry);
let (w2, carry) = adc(w2, modulus[2] & borrow, carry);
let (w3, _) = adc(w3, modulus[3] & borrow, carry);
[w0, w1, w2, w3]
}

320
vendor/p256/src/arithmetic/hash2curve.rs vendored Normal file
View File

@@ -0,0 +1,320 @@
use super::FieldElement;
use crate::{AffinePoint, FieldBytes, NistP256, ProjectivePoint, Scalar};
use elliptic_curve::{
bigint::{ArrayEncoding, U256},
consts::U48,
generic_array::GenericArray,
hash2curve::{FromOkm, GroupDigest, MapToCurve, OsswuMap, OsswuMapParams, Sgn0},
point::DecompressPoint,
subtle::Choice,
};
impl GroupDigest for NistP256 {
type FieldElement = FieldElement;
}
impl FromOkm for FieldElement {
type Length = U48;
fn from_okm(data: &GenericArray<u8, Self::Length>) -> Self {
const F_2_192: FieldElement = FieldElement(U256::from_be_hex(
"00000000000000030000000200000000fffffffffffffffefffffffeffffffff",
));
let mut d0_bytes = FieldBytes::default();
d0_bytes[8..].copy_from_slice(&data[..24]);
let d0 = FieldElement::from_uint_unchecked(U256::from_be_byte_array(d0_bytes));
let mut d1_bytes = FieldBytes::default();
d1_bytes[8..].copy_from_slice(&data[24..]);
let d1 = FieldElement::from_uint_unchecked(U256::from_be_byte_array(d1_bytes));
d0 * F_2_192 + d1
}
}
impl Sgn0 for FieldElement {
fn sgn0(&self) -> Choice {
self.is_odd()
}
}
impl OsswuMap for FieldElement {
const PARAMS: OsswuMapParams<Self> = OsswuMapParams {
c1: &[
0xffff_ffff_ffff_ffff,
0x0000_0000_3fff_ffff,
0x4000_0000_0000_0000,
0x3fff_ffff_c000_0000,
],
c2: FieldElement(U256::from_be_hex(
"a3323851ba997e271ac5d59c3298bf50b2806c63966a1a6653e43951f64fdbe7",
)),
map_a: FieldElement(U256::from_be_hex(
"fffffffc00000004000000000000000000000003fffffffffffffffffffffffc",
)),
map_b: FieldElement(U256::from_be_hex(
"dc30061d04874834e5a220abf7212ed6acf005cd78843090d89cdf6229c4bddf",
)),
z: FieldElement(U256::from_be_hex(
"fffffff50000000b00000000000000000000000afffffffffffffffffffffff5",
)),
};
}
impl MapToCurve for FieldElement {
type Output = ProjectivePoint;
fn map_to_curve(&self) -> Self::Output {
let (qx, qy) = self.osswu();
// TODO(tarcieri): assert that `qy` is correct? less circuitous conversion?
AffinePoint::decompress(&qx.to_bytes(), qy.is_odd())
.unwrap()
.into()
}
}
impl FromOkm for Scalar {
type Length = U48;
fn from_okm(data: &GenericArray<u8, Self::Length>) -> Self {
const F_2_192: Scalar = Scalar(U256::from_be_hex(
"0000000000000001000000000000000000000000000000000000000000000000",
));
let mut d0 = GenericArray::default();
d0[8..].copy_from_slice(&data[0..24]);
let d0 = Scalar(U256::from_be_byte_array(d0));
let mut d1 = GenericArray::default();
d1[8..].copy_from_slice(&data[24..]);
let d1 = Scalar(U256::from_be_byte_array(d1));
d0 * F_2_192 + d1
}
}
#[cfg(test)]
mod tests {
use crate::{FieldElement, NistP256, Scalar, U256};
use elliptic_curve::{
bigint::{ArrayEncoding, NonZero, U384},
consts::U48,
generic_array::GenericArray,
group::cofactor::CofactorGroup,
hash2curve::{self, ExpandMsgXmd, FromOkm, GroupDigest, MapToCurve},
sec1::{self, ToEncodedPoint},
Curve, Field,
};
use hex_literal::hex;
use proptest::{num::u64::ANY, prelude::ProptestConfig, proptest};
use sha2::Sha256;
#[allow(dead_code)] // TODO(tarcieri): fix commented out code
#[test]
fn hash_to_curve() {
struct TestVector {
msg: &'static [u8],
p_x: [u8; 32],
p_y: [u8; 32],
u_0: [u8; 32],
u_1: [u8; 32],
q0_x: [u8; 32],
q0_y: [u8; 32],
q1_x: [u8; 32],
q1_y: [u8; 32],
}
const DST: &[u8] = b"QUUX-V01-CS02-with-P256_XMD:SHA-256_SSWU_RO_";
const TEST_VECTORS: &[TestVector] = &[
TestVector {
msg: b"",
p_x: hex!("2c15230b26dbc6fc9a37051158c95b79656e17a1a920b11394ca91c44247d3e4"),
p_y: hex!("8a7a74985cc5c776cdfe4b1f19884970453912e9d31528c060be9ab5c43e8415"),
u_0: hex!("ad5342c66a6dd0ff080df1da0ea1c04b96e0330dd89406465eeba11582515009"),
u_1: hex!("8c0f1d43204bd6f6ea70ae8013070a1518b43873bcd850aafa0a9e220e2eea5a"),
q0_x: hex!("ab640a12220d3ff283510ff3f4b1953d09fad35795140b1c5d64f313967934d5"),
q0_y: hex!("dccb558863804a881d4fff3455716c836cef230e5209594ddd33d85c565b19b1"),
q1_x: hex!("51cce63c50d972a6e51c61334f0f4875c9ac1cd2d3238412f84e31da7d980ef5"),
q1_y: hex!("b45d1a36d00ad90e5ec7840a60a4de411917fbe7c82c3949a6e699e5a1b66aac"),
},
TestVector {
msg: b"abc",
p_x: hex!("0bb8b87485551aa43ed54f009230450b492fead5f1cc91658775dac4a3388a0f"),
p_y: hex!("5c41b3d0731a27a7b14bc0bf0ccded2d8751f83493404c84a88e71ffd424212e"),
u_0: hex!("afe47f2ea2b10465cc26ac403194dfb68b7f5ee865cda61e9f3e07a537220af1"),
u_1: hex!("379a27833b0bfe6f7bdca08e1e83c760bf9a338ab335542704edcd69ce9e46e0"),
q0_x: hex!("5219ad0ddef3cc49b714145e91b2f7de6ce0a7a7dc7406c7726c7e373c58cb48"),
q0_y: hex!("7950144e52d30acbec7b624c203b1996c99617d0b61c2442354301b191d93ecf"),
q1_x: hex!("019b7cb4efcfeaf39f738fe638e31d375ad6837f58a852d032ff60c69ee3875f"),
q1_y: hex!("589a62d2b22357fed5449bc38065b760095ebe6aeac84b01156ee4252715446e"),
},
TestVector {
msg: b"abcdef0123456789",
p_x: hex!("65038ac8f2b1def042a5df0b33b1f4eca6bff7cb0f9c6c1526811864e544ed80"),
p_y: hex!("cad44d40a656e7aff4002a8de287abc8ae0482b5ae825822bb870d6df9b56ca3"),
u_0: hex!("0fad9d125a9477d55cf9357105b0eb3a5c4259809bf87180aa01d651f53d312c"),
u_1: hex!("b68597377392cd3419d8fcc7d7660948c8403b19ea78bbca4b133c9d2196c0fb"),
q0_x: hex!("a17bdf2965eb88074bc01157e644ed409dac97cfcf0c61c998ed0fa45e79e4a2"),
q0_y: hex!("4f1bc80c70d411a3cc1d67aeae6e726f0f311639fee560c7f5a664554e3c9c2e"),
q1_x: hex!("7da48bb67225c1a17d452c983798113f47e438e4202219dd0715f8419b274d66"),
q1_y: hex!("b765696b2913e36db3016c47edb99e24b1da30e761a8a3215dc0ec4d8f96e6f9"),
},
TestVector {
msg: b"q128_qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq",
p_x: hex!("4be61ee205094282ba8a2042bcb48d88dfbb609301c49aa8b078533dc65a0b5d"),
p_y: hex!("98f8df449a072c4721d241a3b1236d3caccba603f916ca680f4539d2bfb3c29e"),
u_0: hex!("3bbc30446f39a7befad080f4d5f32ed116b9534626993d2cc5033f6f8d805919"),
u_1: hex!("76bb02db019ca9d3c1e02f0c17f8baf617bbdae5c393a81d9ce11e3be1bf1d33"),
q0_x: hex!("c76aaa823aeadeb3f356909cb08f97eee46ecb157c1f56699b5efebddf0e6398"),
q0_y: hex!("776a6f45f528a0e8d289a4be12c4fab80762386ec644abf2bffb9b627e4352b1"),
q1_x: hex!("418ac3d85a5ccc4ea8dec14f750a3a9ec8b85176c95a7022f391826794eb5a75"),
q1_y: hex!("fd6604f69e9d9d2b74b072d14ea13050db72c932815523305cb9e807cc900aff"),
},
TestVector {
msg: b"a512_aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
p_x: hex!("457ae2981f70ca85d8e24c308b14db22f3e3862c5ea0f652ca38b5e49cd64bc5"),
p_y: hex!("ecb9f0eadc9aeed232dabc53235368c1394c78de05dd96893eefa62b0f4757dc"),
u_0: hex!("4ebc95a6e839b1ae3c63b847798e85cb3c12d3817ec6ebc10af6ee51adb29fec"),
u_1: hex!("4e21af88e22ea80156aff790750121035b3eefaa96b425a8716e0d20b4e269ee"),
q0_x: hex!("d88b989ee9d1295df413d4456c5c850b8b2fb0f5402cc5c4c7e815412e926db8"),
q0_y: hex!("bb4a1edeff506cf16def96afff41b16fc74f6dbd55c2210e5b8f011ba32f4f40"),
q1_x: hex!("a281e34e628f3a4d2a53fa87ff973537d68ad4fbc28d3be5e8d9f6a2571c5a4b"),
q1_y: hex!("f6ed88a7aab56a488100e6f1174fa9810b47db13e86be999644922961206e184"),
},
];
for test_vector in TEST_VECTORS {
// in parts
let mut u = [FieldElement::default(), FieldElement::default()];
hash2curve::hash_to_field::<ExpandMsgXmd<Sha256>, FieldElement>(
&[test_vector.msg],
&[DST],
&mut u,
)
.unwrap();
/// Assert that the provided projective point matches the given test vector.
// TODO(tarcieri): use coordinate APIs. See zkcrypto/group#30
macro_rules! assert_point_eq {
($actual:expr, $expected_x:expr, $expected_y:expr) => {
let point = $actual.to_affine().to_encoded_point(false);
let (actual_x, actual_y) = match point.coordinates() {
sec1::Coordinates::Uncompressed { x, y } => (x, y),
_ => unreachable!(),
};
assert_eq!(&$expected_x, actual_x.as_slice());
assert_eq!(&$expected_y, actual_y.as_slice());
};
}
assert_eq!(u[0].to_bytes().as_slice(), test_vector.u_0);
assert_eq!(u[1].to_bytes().as_slice(), test_vector.u_1);
let q0 = u[0].map_to_curve();
assert_point_eq!(q0, test_vector.q0_x, test_vector.q0_y);
let q1 = u[1].map_to_curve();
assert_point_eq!(q1, test_vector.q1_x, test_vector.q1_y);
let p = q0.clear_cofactor() + q1.clear_cofactor();
assert_point_eq!(p, test_vector.p_x, test_vector.p_y);
// complete run
let pt = NistP256::hash_from_bytes::<ExpandMsgXmd<Sha256>>(&[test_vector.msg], &[DST])
.unwrap();
assert_point_eq!(pt, test_vector.p_x, test_vector.p_y);
}
}
/// Taken from <https://www.ietf.org/archive/id/draft-irtf-cfrg-voprf-16.html#name-oprfp-256-sha-256-2>.
#[test]
fn hash_to_scalar_voprf() {
struct TestVector {
dst: &'static [u8],
key_info: &'static [u8],
seed: &'static [u8],
sk_sm: &'static [u8],
}
const TEST_VECTORS: &[TestVector] = &[
TestVector {
dst: b"DeriveKeyPairVOPRF10-\x00\x00\x03",
key_info: b"test key",
seed: &hex!("a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3"),
sk_sm: &hex!("274d7747cf2e26352ecea6bd768c426087da3dfcd466b6841b441ada8412fb33"),
},
TestVector {
dst: b"DeriveKeyPairVOPRF10-\x01\x00\x03",
key_info: b"test key",
seed: &hex!("a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3"),
sk_sm: &hex!("b3d12edba73e40401fdc27c0094a56337feb3646d1633345af7e7142a6b1559d"),
},
TestVector {
dst: b"DeriveKeyPairVOPRF10-\x02\x00\x03",
key_info: b"test key",
seed: &hex!("a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3a3"),
sk_sm: &hex!("59519f6c7da344f340ad35ad895a5b97437673cc3ac8b964b823cdb52c932f86"),
},
];
'outer: for test_vector in TEST_VECTORS {
let key_info_len = u16::try_from(test_vector.key_info.len())
.unwrap()
.to_be_bytes();
for counter in 0_u8..=u8::MAX {
let scalar = NistP256::hash_to_scalar::<ExpandMsgXmd<Sha256>>(
&[
test_vector.seed,
&key_info_len,
test_vector.key_info,
&counter.to_be_bytes(),
],
&[test_vector.dst],
)
.unwrap();
if !bool::from(scalar.is_zero()) {
assert_eq!(scalar.to_bytes().as_slice(), test_vector.sk_sm);
continue 'outer;
}
}
panic!("deriving key failed");
}
}
#[test]
fn from_okm_fuzz() {
let mut wide_order = GenericArray::default();
wide_order[16..].copy_from_slice(&NistP256::ORDER.to_be_byte_array());
let wide_order = NonZero::new(U384::from_be_byte_array(wide_order)).unwrap();
let simple_from_okm = move |data: GenericArray<u8, U48>| -> Scalar {
let data = U384::from_be_slice(&data);
let scalar = data % wide_order;
let reduced_scalar = U256::from_be_slice(&scalar.to_be_byte_array()[16..]);
Scalar(reduced_scalar)
};
proptest!(ProptestConfig::with_cases(1000), |(b0 in ANY, b1 in ANY, b2 in ANY, b3 in ANY, b4 in ANY, b5 in ANY)| {
let mut data = GenericArray::default();
data[..8].copy_from_slice(&b0.to_be_bytes());
data[8..16].copy_from_slice(&b1.to_be_bytes());
data[16..24].copy_from_slice(&b2.to_be_bytes());
data[24..32].copy_from_slice(&b3.to_be_bytes());
data[32..40].copy_from_slice(&b4.to_be_bytes());
data[40..].copy_from_slice(&b5.to_be_bytes());
let from_okm = Scalar::from_okm(&data);
let simple_from_okm = simple_from_okm(data);
assert_eq!(from_okm, simple_from_okm);
});
}
}

828
vendor/p256/src/arithmetic/scalar.rs vendored Normal file
View File

@@ -0,0 +1,828 @@
//! Scalar field arithmetic modulo n = 115792089210356248762697446949407573529996955224135760342422259061068512044369
#[cfg_attr(target_pointer_width = "32", path = "scalar/scalar32.rs")]
#[cfg_attr(target_pointer_width = "64", path = "scalar/scalar64.rs")]
mod scalar_impl;
use self::scalar_impl::barrett_reduce;
use crate::{FieldBytes, NistP256, SecretKey, ORDER_HEX};
use core::{
fmt::{self, Debug},
iter::{Product, Sum},
ops::{Add, AddAssign, Mul, MulAssign, Neg, Shr, ShrAssign, Sub, SubAssign},
};
use elliptic_curve::{
bigint::{prelude::*, Limb, U256},
group::ff::{self, Field, PrimeField},
ops::{Invert, Reduce, ReduceNonZero},
rand_core::RngCore,
scalar::{FromUintUnchecked, IsHigh},
subtle::{
Choice, ConditionallySelectable, ConstantTimeEq, ConstantTimeGreater, ConstantTimeLess,
CtOption,
},
zeroize::DefaultIsZeroes,
Curve, ScalarPrimitive,
};
#[cfg(feature = "bits")]
use {crate::ScalarBits, elliptic_curve::group::ff::PrimeFieldBits};
#[cfg(feature = "serde")]
use serdect::serde::{de, ser, Deserialize, Serialize};
/// Constant representing the modulus
/// n = FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 F3B9CAC2 FC632551
pub(crate) const MODULUS: U256 = NistP256::ORDER;
/// `MODULUS / 2`
const FRAC_MODULUS_2: Scalar = Scalar(MODULUS.shr_vartime(1));
/// MU = floor(2^512 / n)
/// = 115792089264276142090721624801893421302707618245269942344307673200490803338238
/// = 0x100000000fffffffffffffffeffffffff43190552df1a6c21012ffd85eedf9bfe
pub const MU: [u64; 5] = [
0x012f_fd85_eedf_9bfe,
0x4319_0552_df1a_6c21,
0xffff_fffe_ffff_ffff,
0x0000_0000_ffff_ffff,
0x0000_0000_0000_0001,
];
/// Scalars are elements in the finite field modulo n.
///
/// # Trait impls
///
/// Much of the important functionality of scalars is provided by traits from
/// the [`ff`](https://docs.rs/ff/) crate, which is re-exported as
/// `p256::elliptic_curve::ff`:
///
/// - [`Field`](https://docs.rs/ff/latest/ff/trait.Field.html) -
/// represents elements of finite fields and provides:
/// - [`Field::random`](https://docs.rs/ff/latest/ff/trait.Field.html#tymethod.random) -
/// generate a random scalar
/// - `double`, `square`, and `invert` operations
/// - Bounds for [`Add`], [`Sub`], [`Mul`], and [`Neg`] (as well as `*Assign` equivalents)
/// - Bounds for [`ConditionallySelectable`] from the `subtle` crate
/// - [`PrimeField`](https://docs.rs/ff/latest/ff/trait.PrimeField.html) -
/// represents elements of prime fields and provides:
/// - `from_repr`/`to_repr` for converting field elements from/to big integers.
/// - `multiplicative_generator` and `root_of_unity` constants.
/// - [`PrimeFieldBits`](https://docs.rs/ff/latest/ff/trait.PrimeFieldBits.html) -
/// operations over field elements represented as bits (requires `bits` feature)
///
/// Please see the documentation for the relevant traits for more information.
///
/// # `serde` support
///
/// When the `serde` feature of this crate is enabled, the `Serialize` and
/// `Deserialize` traits are impl'd for this type.
///
/// The serialization is a fixed-width big endian encoding. When used with
/// textual formats, the binary data is encoded as hexadecimal.
#[derive(Clone, Copy, Default)]
pub struct Scalar(pub(crate) U256);
impl Scalar {
/// Zero scalar.
pub const ZERO: Self = Self(U256::ZERO);
/// Multiplicative identity.
pub const ONE: Self = Self(U256::ONE);
/// Returns the SEC1 encoding of this scalar.
pub fn to_bytes(&self) -> FieldBytes {
self.0.to_be_byte_array()
}
/// Returns self + rhs mod n
pub const fn add(&self, rhs: &Self) -> Self {
Self(self.0.add_mod(&rhs.0, &NistP256::ORDER))
}
/// Returns 2*self.
pub const fn double(&self) -> Self {
self.add(self)
}
/// Returns self - rhs mod n.
pub const fn sub(&self, rhs: &Self) -> Self {
Self(self.0.sub_mod(&rhs.0, &NistP256::ORDER))
}
/// Returns self * rhs mod n
pub const fn multiply(&self, rhs: &Self) -> Self {
let (lo, hi) = self.0.mul_wide(&rhs.0);
Self(barrett_reduce(lo, hi))
}
/// Returns self * self mod p
pub const fn square(&self) -> Self {
// Schoolbook multiplication.
self.multiply(self)
}
/// Right shifts the scalar.
///
/// Note: not constant-time with respect to the `shift` parameter.
pub const fn shr_vartime(&self, shift: usize) -> Scalar {
Self(self.0.shr_vartime(shift))
}
/// Returns the multiplicative inverse of self, if self is non-zero
pub fn invert(&self) -> CtOption<Self> {
CtOption::new(self.invert_unchecked(), !self.is_zero())
}
/// Returns the multiplicative inverse of self.
///
/// Does not check that self is non-zero.
const fn invert_unchecked(&self) -> Self {
// We need to find b such that b * a ≡ 1 mod p. As we are in a prime
// field, we can apply Fermat's Little Theorem:
//
// a^p ≡ a mod p
// a^(p-1) ≡ 1 mod p
// a^(p-2) * a ≡ 1 mod p
//
// Thus inversion can be implemented with a single exponentiation.
//
// This is `n - 2`, so the top right two digits are `4f` instead of `51`.
self.pow_vartime(&[
0xf3b9_cac2_fc63_254f,
0xbce6_faad_a717_9e84,
0xffff_ffff_ffff_ffff,
0xffff_ffff_0000_0000,
])
}
/// Exponentiates `self` by `exp`, where `exp` is a little-endian order integer
/// exponent.
pub const fn pow_vartime(&self, exp: &[u64]) -> Self {
let mut res = Self::ONE;
let mut i = exp.len();
while i > 0 {
i -= 1;
let mut j = 64;
while j > 0 {
j -= 1;
res = res.square();
if ((exp[i] >> j) & 1) == 1 {
res = res.multiply(self);
}
}
}
res
}
/// Is integer representing equivalence class odd?
pub fn is_odd(&self) -> Choice {
self.0.is_odd()
}
/// Is integer representing equivalence class even?
pub fn is_even(&self) -> Choice {
!self.is_odd()
}
}
impl AsRef<Scalar> for Scalar {
fn as_ref(&self) -> &Scalar {
self
}
}
impl Field for Scalar {
const ZERO: Self = Self::ZERO;
const ONE: Self = Self::ONE;
fn random(mut rng: impl RngCore) -> Self {
let mut bytes = FieldBytes::default();
// Generate a uniformly random scalar using rejection sampling,
// which produces a uniformly random distribution of scalars.
//
// This method is not constant time, but should be secure so long as
// rejected RNG outputs are unrelated to future ones (which is a
// necessary property of a `CryptoRng`).
//
// With an unbiased RNG, the probability of failing to complete after 4
// iterations is vanishingly small.
loop {
rng.fill_bytes(&mut bytes);
if let Some(scalar) = Scalar::from_repr(bytes).into() {
return scalar;
}
}
}
#[must_use]
fn square(&self) -> Self {
Scalar::square(self)
}
#[must_use]
fn double(&self) -> Self {
self.add(self)
}
fn invert(&self) -> CtOption<Self> {
Scalar::invert(self)
}
/// Tonelli-Shank's algorithm for q mod 16 = 1
/// <https://eprint.iacr.org/2012/685.pdf> (page 12, algorithm 5)
#[allow(clippy::many_single_char_names)]
fn sqrt(&self) -> CtOption<Self> {
// Note: `pow_vartime` is constant-time with respect to `self`
let w = self.pow_vartime(&[
0x279dce5617e3192a,
0xfde737d56d38bcf4,
0x07ffffffffffffff,
0x07fffffff8000000,
]);
let mut v = Self::S;
let mut x = *self * w;
let mut b = x * w;
let mut z = Self::ROOT_OF_UNITY;
for max_v in (1..=Self::S).rev() {
let mut k = 1;
let mut tmp = b.square();
let mut j_less_than_v = Choice::from(1);
for j in 2..max_v {
let tmp_is_one = tmp.ct_eq(&Self::ONE);
let squared = Self::conditional_select(&tmp, &z, tmp_is_one).square();
tmp = Self::conditional_select(&squared, &tmp, tmp_is_one);
let new_z = Self::conditional_select(&z, &squared, tmp_is_one);
j_less_than_v &= !j.ct_eq(&v);
k = u32::conditional_select(&j, &k, tmp_is_one);
z = Self::conditional_select(&z, &new_z, j_less_than_v);
}
let result = x * z;
x = Self::conditional_select(&result, &x, b.ct_eq(&Self::ONE));
z = z.square();
b *= z;
v = k;
}
CtOption::new(x, x.square().ct_eq(self))
}
fn sqrt_ratio(num: &Self, div: &Self) -> (Choice, Self) {
ff::helpers::sqrt_ratio_generic(num, div)
}
}
impl PrimeField for Scalar {
type Repr = FieldBytes;
const MODULUS: &'static str = ORDER_HEX;
const NUM_BITS: u32 = 256;
const CAPACITY: u32 = 255;
const TWO_INV: Self = Self(U256::from_u8(2)).invert_unchecked();
const MULTIPLICATIVE_GENERATOR: Self = Self(U256::from_u8(7));
const S: u32 = 4;
const ROOT_OF_UNITY: Self = Self(U256::from_be_hex(
"ffc97f062a770992ba807ace842a3dfc1546cad004378daf0592d7fbb41e6602",
));
const ROOT_OF_UNITY_INV: Self = Self::ROOT_OF_UNITY.invert_unchecked();
const DELTA: Self = Self(U256::from_u64(33232930569601));
/// Attempts to parse the given byte array as an SEC1-encoded scalar.
///
/// Returns None if the byte array does not contain a big-endian integer in the range
/// [0, p).
fn from_repr(bytes: FieldBytes) -> CtOption<Self> {
let inner = U256::from_be_byte_array(bytes);
CtOption::new(Self(inner), inner.ct_lt(&NistP256::ORDER))
}
fn to_repr(&self) -> FieldBytes {
self.to_bytes()
}
fn is_odd(&self) -> Choice {
self.0.is_odd()
}
}
#[cfg(feature = "bits")]
impl PrimeFieldBits for Scalar {
#[cfg(target_pointer_width = "32")]
type ReprBits = [u32; 8];
#[cfg(target_pointer_width = "64")]
type ReprBits = [u64; 4];
fn to_le_bits(&self) -> ScalarBits {
self.into()
}
fn char_le_bits() -> ScalarBits {
NistP256::ORDER.to_words().into()
}
}
impl DefaultIsZeroes for Scalar {}
impl Eq for Scalar {}
impl FromUintUnchecked for Scalar {
type Uint = U256;
fn from_uint_unchecked(uint: Self::Uint) -> Self {
Self(uint)
}
}
impl Invert for Scalar {
type Output = CtOption<Self>;
fn invert(&self) -> CtOption<Self> {
self.invert()
}
/// Fast variable-time inversion using Stein's algorithm.
///
/// Returns none if the scalar is zero.
///
/// <https://link.springer.com/article/10.1007/s13389-016-0135-4>
///
/// ⚠️ WARNING!
///
/// This method should not be used with (unblinded) secret scalars, as its
/// variable-time operation can potentially leak secrets through
/// sidechannels.
#[allow(non_snake_case)]
fn invert_vartime(&self) -> CtOption<Self> {
let mut u = *self;
let mut v = Self(MODULUS);
let mut A = Self::ONE;
let mut C = Self::ZERO;
while !bool::from(u.is_zero()) {
// u-loop
while bool::from(u.is_even()) {
u >>= 1;
let was_odd: bool = A.is_odd().into();
A >>= 1;
if was_odd {
A += FRAC_MODULUS_2;
A += Self::ONE;
}
}
// v-loop
while bool::from(v.is_even()) {
v >>= 1;
let was_odd: bool = C.is_odd().into();
C >>= 1;
if was_odd {
C += FRAC_MODULUS_2;
C += Self::ONE;
}
}
// sub-step
if u >= v {
u -= &v;
A -= &C;
} else {
v -= &u;
C -= &A;
}
}
CtOption::new(C, !self.is_zero())
}
}
impl IsHigh for Scalar {
fn is_high(&self) -> Choice {
self.0.ct_gt(&FRAC_MODULUS_2.0)
}
}
impl Shr<usize> for Scalar {
type Output = Self;
fn shr(self, rhs: usize) -> Self::Output {
self.shr_vartime(rhs)
}
}
impl Shr<usize> for &Scalar {
type Output = Scalar;
fn shr(self, rhs: usize) -> Self::Output {
self.shr_vartime(rhs)
}
}
impl ShrAssign<usize> for Scalar {
fn shr_assign(&mut self, rhs: usize) {
*self = *self >> rhs;
}
}
impl PartialEq for Scalar {
fn eq(&self, other: &Self) -> bool {
self.ct_eq(other).into()
}
}
impl PartialOrd for Scalar {
fn partial_cmp(&self, other: &Self) -> Option<core::cmp::Ordering> {
Some(self.cmp(other))
}
}
impl Ord for Scalar {
fn cmp(&self, other: &Self) -> core::cmp::Ordering {
self.0.cmp(&other.0)
}
}
impl From<u32> for Scalar {
fn from(k: u32) -> Self {
Scalar(k.into())
}
}
impl From<u64> for Scalar {
fn from(k: u64) -> Self {
Scalar(k.into())
}
}
impl From<u128> for Scalar {
fn from(k: u128) -> Self {
Scalar(k.into())
}
}
impl From<Scalar> for FieldBytes {
fn from(scalar: Scalar) -> Self {
scalar.to_bytes()
}
}
impl From<&Scalar> for FieldBytes {
fn from(scalar: &Scalar) -> Self {
scalar.to_bytes()
}
}
impl From<ScalarPrimitive<NistP256>> for Scalar {
fn from(scalar: ScalarPrimitive<NistP256>) -> Scalar {
Scalar(*scalar.as_uint())
}
}
impl From<&ScalarPrimitive<NistP256>> for Scalar {
fn from(scalar: &ScalarPrimitive<NistP256>) -> Scalar {
Scalar(*scalar.as_uint())
}
}
impl From<Scalar> for ScalarPrimitive<NistP256> {
fn from(scalar: Scalar) -> ScalarPrimitive<NistP256> {
ScalarPrimitive::from(&scalar)
}
}
impl From<&Scalar> for ScalarPrimitive<NistP256> {
fn from(scalar: &Scalar) -> ScalarPrimitive<NistP256> {
ScalarPrimitive::new(scalar.0).unwrap()
}
}
impl From<&SecretKey> for Scalar {
fn from(secret_key: &SecretKey) -> Scalar {
*secret_key.to_nonzero_scalar()
}
}
impl From<Scalar> for U256 {
fn from(scalar: Scalar) -> U256 {
scalar.0
}
}
impl From<&Scalar> for U256 {
fn from(scalar: &Scalar) -> U256 {
scalar.0
}
}
#[cfg(feature = "bits")]
impl From<&Scalar> for ScalarBits {
fn from(scalar: &Scalar) -> ScalarBits {
scalar.0.to_words().into()
}
}
impl Add<Scalar> for Scalar {
type Output = Scalar;
fn add(self, other: Scalar) -> Scalar {
Scalar::add(&self, &other)
}
}
impl Add<&Scalar> for &Scalar {
type Output = Scalar;
fn add(self, other: &Scalar) -> Scalar {
Scalar::add(self, other)
}
}
impl Add<&Scalar> for Scalar {
type Output = Scalar;
fn add(self, other: &Scalar) -> Scalar {
Scalar::add(&self, other)
}
}
impl AddAssign<Scalar> for Scalar {
fn add_assign(&mut self, rhs: Scalar) {
*self = Scalar::add(self, &rhs);
}
}
impl AddAssign<&Scalar> for Scalar {
fn add_assign(&mut self, rhs: &Scalar) {
*self = Scalar::add(self, rhs);
}
}
impl Sub<Scalar> for Scalar {
type Output = Scalar;
fn sub(self, other: Scalar) -> Scalar {
Scalar::sub(&self, &other)
}
}
impl Sub<&Scalar> for &Scalar {
type Output = Scalar;
fn sub(self, other: &Scalar) -> Scalar {
Scalar::sub(self, other)
}
}
impl Sub<&Scalar> for Scalar {
type Output = Scalar;
fn sub(self, other: &Scalar) -> Scalar {
Scalar::sub(&self, other)
}
}
impl SubAssign<Scalar> for Scalar {
fn sub_assign(&mut self, rhs: Scalar) {
*self = Scalar::sub(self, &rhs);
}
}
impl SubAssign<&Scalar> for Scalar {
fn sub_assign(&mut self, rhs: &Scalar) {
*self = Scalar::sub(self, rhs);
}
}
impl Mul<Scalar> for Scalar {
type Output = Scalar;
fn mul(self, other: Scalar) -> Scalar {
Scalar::multiply(&self, &other)
}
}
impl Mul<&Scalar> for &Scalar {
type Output = Scalar;
fn mul(self, other: &Scalar) -> Scalar {
Scalar::multiply(self, other)
}
}
impl Mul<&Scalar> for Scalar {
type Output = Scalar;
fn mul(self, other: &Scalar) -> Scalar {
Scalar::multiply(&self, other)
}
}
impl MulAssign<Scalar> for Scalar {
fn mul_assign(&mut self, rhs: Scalar) {
*self = Scalar::multiply(self, &rhs);
}
}
impl MulAssign<&Scalar> for Scalar {
fn mul_assign(&mut self, rhs: &Scalar) {
*self = Scalar::multiply(self, rhs);
}
}
impl Neg for Scalar {
type Output = Scalar;
fn neg(self) -> Scalar {
Scalar::ZERO - self
}
}
impl<'a> Neg for &'a Scalar {
type Output = Scalar;
fn neg(self) -> Scalar {
Scalar::ZERO - self
}
}
impl Reduce<U256> for Scalar {
type Bytes = FieldBytes;
fn reduce(w: U256) -> Self {
let (r, underflow) = w.sbb(&NistP256::ORDER, Limb::ZERO);
let underflow = Choice::from((underflow.0 >> (Limb::BITS - 1)) as u8);
Self(U256::conditional_select(&w, &r, !underflow))
}
fn reduce_bytes(bytes: &FieldBytes) -> Self {
Self::reduce(U256::from_be_byte_array(*bytes))
}
}
impl ReduceNonZero<U256> for Scalar {
fn reduce_nonzero(w: U256) -> Self {
const ORDER_MINUS_ONE: U256 = NistP256::ORDER.wrapping_sub(&U256::ONE);
let (r, underflow) = w.sbb(&ORDER_MINUS_ONE, Limb::ZERO);
let underflow = Choice::from((underflow.0 >> (Limb::BITS - 1)) as u8);
Self(U256::conditional_select(&w, &r, !underflow).wrapping_add(&U256::ONE))
}
fn reduce_nonzero_bytes(bytes: &FieldBytes) -> Self {
Self::reduce_nonzero(U256::from_be_byte_array(*bytes))
}
}
impl Sum for Scalar {
fn sum<I: Iterator<Item = Self>>(iter: I) -> Self {
iter.reduce(core::ops::Add::add).unwrap_or(Self::ZERO)
}
}
impl<'a> Sum<&'a Scalar> for Scalar {
fn sum<I: Iterator<Item = &'a Scalar>>(iter: I) -> Self {
iter.copied().sum()
}
}
impl Product for Scalar {
fn product<I: Iterator<Item = Self>>(iter: I) -> Self {
iter.reduce(core::ops::Mul::mul).unwrap_or(Self::ONE)
}
}
impl<'a> Product<&'a Scalar> for Scalar {
fn product<I: Iterator<Item = &'a Scalar>>(iter: I) -> Self {
iter.copied().product()
}
}
impl ConditionallySelectable for Scalar {
fn conditional_select(a: &Self, b: &Self, choice: Choice) -> Self {
Self(U256::conditional_select(&a.0, &b.0, choice))
}
}
impl ConstantTimeEq for Scalar {
fn ct_eq(&self, other: &Self) -> Choice {
self.0.ct_eq(&other.0)
}
}
impl Debug for Scalar {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
write!(f, "Scalar(0x{:X})", &self.0)
}
}
#[cfg(feature = "serde")]
impl Serialize for Scalar {
fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
where
S: ser::Serializer,
{
ScalarPrimitive::from(self).serialize(serializer)
}
}
#[cfg(feature = "serde")]
impl<'de> Deserialize<'de> for Scalar {
fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
where
D: de::Deserializer<'de>,
{
Ok(ScalarPrimitive::deserialize(deserializer)?.into())
}
}
#[cfg(test)]
mod tests {
use super::Scalar;
use crate::{FieldBytes, SecretKey};
use elliptic_curve::group::ff::{Field, PrimeField};
use primeorder::{
impl_field_identity_tests, impl_field_invert_tests, impl_field_sqrt_tests,
impl_primefield_tests,
};
/// t = (modulus - 1) >> S
const T: [u64; 4] = [
0x4f3b9cac2fc63255,
0xfbce6faada7179e8,
0x0fffffffffffffff,
0x0ffffffff0000000,
];
impl_field_identity_tests!(Scalar);
impl_field_invert_tests!(Scalar);
impl_field_sqrt_tests!(Scalar);
impl_primefield_tests!(Scalar, T);
#[test]
fn from_to_bytes_roundtrip() {
let k: u64 = 42;
let mut bytes = FieldBytes::default();
bytes[24..].copy_from_slice(k.to_be_bytes().as_ref());
let scalar = Scalar::from_repr(bytes).unwrap();
assert_eq!(bytes, scalar.to_bytes());
}
/// Basic tests that multiplication works.
#[test]
fn multiply() {
let one = Scalar::ONE;
let two = one + &one;
let three = two + &one;
let six = three + &three;
assert_eq!(six, two * &three);
let minus_two = -two;
let minus_three = -three;
assert_eq!(two, -minus_two);
assert_eq!(minus_three * &minus_two, minus_two * &minus_three);
assert_eq!(six, minus_two * &minus_three);
}
/// Tests that a Scalar can be safely converted to a SecretKey and back
#[test]
fn from_ec_secret() {
let scalar = Scalar::ONE;
let secret = SecretKey::from_bytes(&scalar.to_bytes()).unwrap();
let rederived_scalar = Scalar::from(&secret);
assert_eq!(scalar.0, rederived_scalar.0);
}
#[test]
#[cfg(all(feature = "bits", target_pointer_width = "32"))]
fn scalar_into_scalarbits() {
use crate::ScalarBits;
let minus_one = ScalarBits::from([
0xfc63_2550,
0xf3b9_cac2,
0xa717_9e84,
0xbce6_faad,
0xffff_ffff,
0xffff_ffff,
0x0000_0000,
0xffff_ffff,
]);
let scalar_bits = ScalarBits::from(&-Scalar::from(1u32));
assert_eq!(minus_one, scalar_bits);
}
}

188
vendor/p256/src/arithmetic/scalar/scalar32.rs vendored Normal file
View File

@@ -0,0 +1,188 @@
//! 32-bit secp256r1 scalar field algorithms.
// TODO(tarcieri): adapt 64-bit arithmetic to proper 32-bit arithmetic
use super::{MODULUS, MU};
use crate::{
arithmetic::util::{adc, mac, sbb},
U256,
};
/// Barrett Reduction
///
/// The general algorithm is:
/// ```text
/// p = n = order of group
/// b = 2^64 = 64bit machine word
/// k = 4
/// a \in [0, 2^512]
/// mu := floor(b^{2k} / p)
/// q1 := floor(a / b^{k - 1})
/// q2 := q1 * mu
/// q3 := <- floor(a / b^{k - 1})
/// r1 := a mod b^{k + 1}
/// r2 := q3 * m mod b^{k + 1}
/// r := r1 - r2
///
/// if r < 0: r := r + b^{k + 1}
/// while r >= p: do r := r - p (at most twice)
/// ```
///
/// References:
/// - Handbook of Applied Cryptography, Chapter 14
/// Algorithm 14.42
/// http://cacr.uwaterloo.ca/hac/about/chap14.pdf
///
/// - Efficient and Secure Elliptic Curve Cryptography Implementation of Curve P-256
/// Algorithm 6) Barrett Reduction modulo p
/// https://csrc.nist.gov/csrc/media/events/workshop-on-elliptic-curve-cryptography-standards/documents/papers/session6-adalier-mehmet.pdf
#[inline]
#[allow(clippy::too_many_arguments)]
pub(super) const fn barrett_reduce(lo: U256, hi: U256) -> U256 {
let lo = u256_to_u64x4(lo);
let hi = u256_to_u64x4(hi);
let a0 = lo[0];
let a1 = lo[1];
let a2 = lo[2];
let a3 = lo[3];
let a4 = hi[0];
let a5 = hi[1];
let a6 = hi[2];
let a7 = hi[3];
let q1: [u64; 5] = [a3, a4, a5, a6, a7];
let q3 = q1_times_mu_shift_five(&q1);
let r1: [u64; 5] = [a0, a1, a2, a3, a4];
let r2: [u64; 5] = q3_times_n_keep_five(&q3);
let r: [u64; 5] = sub_inner_five(r1, r2);
// Result is in range (0, 3*n - 1),
// and 90% of the time, no subtraction will be needed.
let r = subtract_n_if_necessary(r[0], r[1], r[2], r[3], r[4]);
let r = subtract_n_if_necessary(r[0], r[1], r[2], r[3], r[4]);
U256::from_words([
(r[0] & 0xFFFFFFFF) as u32,
(r[0] >> 32) as u32,
(r[1] & 0xFFFFFFFF) as u32,
(r[1] >> 32) as u32,
(r[2] & 0xFFFFFFFF) as u32,
(r[2] >> 32) as u32,
(r[3] & 0xFFFFFFFF) as u32,
(r[3] >> 32) as u32,
])
}
const fn q1_times_mu_shift_five(q1: &[u64; 5]) -> [u64; 5] {
// Schoolbook multiplication.
let (_w0, carry) = mac(0, q1[0], MU[0], 0);
let (w1, carry) = mac(0, q1[0], MU[1], carry);
let (w2, carry) = mac(0, q1[0], MU[2], carry);
let (w3, carry) = mac(0, q1[0], MU[3], carry);
let (w4, w5) = mac(0, q1[0], MU[4], carry);
let (_w1, carry) = mac(w1, q1[1], MU[0], 0);
let (w2, carry) = mac(w2, q1[1], MU[1], carry);
let (w3, carry) = mac(w3, q1[1], MU[2], carry);
let (w4, carry) = mac(w4, q1[1], MU[3], carry);
let (w5, w6) = mac(w5, q1[1], MU[4], carry);
let (_w2, carry) = mac(w2, q1[2], MU[0], 0);
let (w3, carry) = mac(w3, q1[2], MU[1], carry);
let (w4, carry) = mac(w4, q1[2], MU[2], carry);
let (w5, carry) = mac(w5, q1[2], MU[3], carry);
let (w6, w7) = mac(w6, q1[2], MU[4], carry);
let (_w3, carry) = mac(w3, q1[3], MU[0], 0);
let (w4, carry) = mac(w4, q1[3], MU[1], carry);
let (w5, carry) = mac(w5, q1[3], MU[2], carry);
let (w6, carry) = mac(w6, q1[3], MU[3], carry);
let (w7, w8) = mac(w7, q1[3], MU[4], carry);
let (_w4, carry) = mac(w4, q1[4], MU[0], 0);
let (w5, carry) = mac(w5, q1[4], MU[1], carry);
let (w6, carry) = mac(w6, q1[4], MU[2], carry);
let (w7, carry) = mac(w7, q1[4], MU[3], carry);
let (w8, w9) = mac(w8, q1[4], MU[4], carry);
// let q2 = [_w0, _w1, _w2, _w3, _w4, w5, w6, w7, w8, w9];
[w5, w6, w7, w8, w9]
}
const fn q3_times_n_keep_five(q3: &[u64; 5]) -> [u64; 5] {
// Schoolbook multiplication.
let modulus = u256_to_u64x4(MODULUS);
let (w0, carry) = mac(0, q3[0], modulus[0], 0);
let (w1, carry) = mac(0, q3[0], modulus[1], carry);
let (w2, carry) = mac(0, q3[0], modulus[2], carry);
let (w3, carry) = mac(0, q3[0], modulus[3], carry);
let (w4, _) = mac(0, q3[0], 0, carry);
let (w1, carry) = mac(w1, q3[1], modulus[0], 0);
let (w2, carry) = mac(w2, q3[1], modulus[1], carry);
let (w3, carry) = mac(w3, q3[1], modulus[2], carry);
let (w4, _) = mac(w4, q3[1], modulus[3], carry);
let (w2, carry) = mac(w2, q3[2], modulus[0], 0);
let (w3, carry) = mac(w3, q3[2], modulus[1], carry);
let (w4, _) = mac(w4, q3[2], modulus[2], carry);
let (w3, carry) = mac(w3, q3[3], modulus[0], 0);
let (w4, _) = mac(w4, q3[3], modulus[1], carry);
let (w4, _) = mac(w4, q3[4], modulus[0], 0);
[w0, w1, w2, w3, w4]
}
#[inline]
#[allow(clippy::too_many_arguments)]
const fn sub_inner_five(l: [u64; 5], r: [u64; 5]) -> [u64; 5] {
let (w0, borrow) = sbb(l[0], r[0], 0);
let (w1, borrow) = sbb(l[1], r[1], borrow);
let (w2, borrow) = sbb(l[2], r[2], borrow);
let (w3, borrow) = sbb(l[3], r[3], borrow);
let (w4, _borrow) = sbb(l[4], r[4], borrow);
// If underflow occurred on the final limb - don't care (= add b^{k+1}).
[w0, w1, w2, w3, w4]
}
#[inline]
#[allow(clippy::too_many_arguments)]
const fn subtract_n_if_necessary(r0: u64, r1: u64, r2: u64, r3: u64, r4: u64) -> [u64; 5] {
let modulus = u256_to_u64x4(MODULUS);
let (w0, borrow) = sbb(r0, modulus[0], 0);
let (w1, borrow) = sbb(r1, modulus[1], borrow);
let (w2, borrow) = sbb(r2, modulus[2], borrow);
let (w3, borrow) = sbb(r3, modulus[3], borrow);
let (w4, borrow) = sbb(r4, 0, borrow);
// If underflow occurred on the final limb, borrow = 0xfff...fff, otherwise
// borrow = 0x000...000. Thus, we use it as a mask to conditionally add the
// modulus.
let (w0, carry) = adc(w0, modulus[0] & borrow, 0);
let (w1, carry) = adc(w1, modulus[1] & borrow, carry);
let (w2, carry) = adc(w2, modulus[2] & borrow, carry);
let (w3, carry) = adc(w3, modulus[3] & borrow, carry);
let (w4, _carry) = adc(w4, 0, carry);
[w0, w1, w2, w3, w4]
}
// TODO(tarcieri): replace this with proper 32-bit arithmetic
#[inline]
const fn u256_to_u64x4(u256: U256) -> [u64; 4] {
let words = u256.as_words();
[
(words[0] as u64) | ((words[1] as u64) << 32),
(words[2] as u64) | ((words[3] as u64) << 32),
(words[4] as u64) | ((words[5] as u64) << 32),
(words[6] as u64) | ((words[7] as u64) << 32),
]
}

163
vendor/p256/src/arithmetic/scalar/scalar64.rs vendored Normal file
View File

@@ -0,0 +1,163 @@
//! 64-bit secp256r1 scalar field algorithms.
use super::{MODULUS, MU};
use crate::{
arithmetic::util::{adc, mac, sbb},
U256,
};
/// Barrett Reduction
///
/// The general algorithm is:
/// ```text
/// p = n = order of group
/// b = 2^64 = 64bit machine word
/// k = 4
/// a \in [0, 2^512]
/// mu := floor(b^{2k} / p)
/// q1 := floor(a / b^{k - 1})
/// q2 := q1 * mu
/// q3 := <- floor(a / b^{k - 1})
/// r1 := a mod b^{k + 1}
/// r2 := q3 * m mod b^{k + 1}
/// r := r1 - r2
///
/// if r < 0: r := r + b^{k + 1}
/// while r >= p: do r := r - p (at most twice)
/// ```
///
/// References:
/// - Handbook of Applied Cryptography, Chapter 14
/// Algorithm 14.42
/// http://cacr.uwaterloo.ca/hac/about/chap14.pdf
///
/// - Efficient and Secure Elliptic Curve Cryptography Implementation of Curve P-256
/// Algorithm 6) Barrett Reduction modulo p
/// https://csrc.nist.gov/csrc/media/events/workshop-on-elliptic-curve-cryptography-standards/documents/papers/session6-adalier-mehmet.pdf
#[inline]
#[allow(clippy::too_many_arguments)]
pub(super) const fn barrett_reduce(lo: U256, hi: U256) -> U256 {
let lo = lo.as_words();
let hi = hi.as_words();
let a0 = lo[0];
let a1 = lo[1];
let a2 = lo[2];
let a3 = lo[3];
let a4 = hi[0];
let a5 = hi[1];
let a6 = hi[2];
let a7 = hi[3];
let q1: [u64; 5] = [a3, a4, a5, a6, a7];
let q3 = q1_times_mu_shift_five(&q1);
let r1: [u64; 5] = [a0, a1, a2, a3, a4];
let r2: [u64; 5] = q3_times_n_keep_five(&q3);
let r: [u64; 5] = sub_inner_five(r1, r2);
// Result is in range (0, 3*n - 1),
// and 90% of the time, no subtraction will be needed.
let r = subtract_n_if_necessary(r[0], r[1], r[2], r[3], r[4]);
let r = subtract_n_if_necessary(r[0], r[1], r[2], r[3], r[4]);
U256::from_words([r[0], r[1], r[2], r[3]])
}
const fn q1_times_mu_shift_five(q1: &[u64; 5]) -> [u64; 5] {
// Schoolbook multiplication.
let (_w0, carry) = mac(0, q1[0], MU[0], 0);
let (w1, carry) = mac(0, q1[0], MU[1], carry);
let (w2, carry) = mac(0, q1[0], MU[2], carry);
let (w3, carry) = mac(0, q1[0], MU[3], carry);
let (w4, w5) = mac(0, q1[0], MU[4], carry);
let (_w1, carry) = mac(w1, q1[1], MU[0], 0);
let (w2, carry) = mac(w2, q1[1], MU[1], carry);
let (w3, carry) = mac(w3, q1[1], MU[2], carry);
let (w4, carry) = mac(w4, q1[1], MU[3], carry);
let (w5, w6) = mac(w5, q1[1], MU[4], carry);
let (_w2, carry) = mac(w2, q1[2], MU[0], 0);
let (w3, carry) = mac(w3, q1[2], MU[1], carry);
let (w4, carry) = mac(w4, q1[2], MU[2], carry);
let (w5, carry) = mac(w5, q1[2], MU[3], carry);
let (w6, w7) = mac(w6, q1[2], MU[4], carry);
let (_w3, carry) = mac(w3, q1[3], MU[0], 0);
let (w4, carry) = mac(w4, q1[3], MU[1], carry);
let (w5, carry) = mac(w5, q1[3], MU[2], carry);
let (w6, carry) = mac(w6, q1[3], MU[3], carry);
let (w7, w8) = mac(w7, q1[3], MU[4], carry);
let (_w4, carry) = mac(w4, q1[4], MU[0], 0);
let (w5, carry) = mac(w5, q1[4], MU[1], carry);
let (w6, carry) = mac(w6, q1[4], MU[2], carry);
let (w7, carry) = mac(w7, q1[4], MU[3], carry);
let (w8, w9) = mac(w8, q1[4], MU[4], carry);
// let q2 = [_w0, _w1, _w2, _w3, _w4, w5, w6, w7, w8, w9];
[w5, w6, w7, w8, w9]
}
const fn q3_times_n_keep_five(q3: &[u64; 5]) -> [u64; 5] {
// Schoolbook multiplication.
let modulus = MODULUS.as_words();
let (w0, carry) = mac(0, q3[0], modulus[0], 0);
let (w1, carry) = mac(0, q3[0], modulus[1], carry);
let (w2, carry) = mac(0, q3[0], modulus[2], carry);
let (w3, carry) = mac(0, q3[0], modulus[3], carry);
let (w4, _) = mac(0, q3[0], 0, carry);
let (w1, carry) = mac(w1, q3[1], modulus[0], 0);
let (w2, carry) = mac(w2, q3[1], modulus[1], carry);
let (w3, carry) = mac(w3, q3[1], modulus[2], carry);
let (w4, _) = mac(w4, q3[1], modulus[3], carry);
let (w2, carry) = mac(w2, q3[2], modulus[0], 0);
let (w3, carry) = mac(w3, q3[2], modulus[1], carry);
let (w4, _) = mac(w4, q3[2], modulus[2], carry);
let (w3, carry) = mac(w3, q3[3], modulus[0], 0);
let (w4, _) = mac(w4, q3[3], modulus[1], carry);
let (w4, _) = mac(w4, q3[4], modulus[0], 0);
[w0, w1, w2, w3, w4]
}
#[inline]
#[allow(clippy::too_many_arguments)]
const fn sub_inner_five(l: [u64; 5], r: [u64; 5]) -> [u64; 5] {
let (w0, borrow) = sbb(l[0], r[0], 0);
let (w1, borrow) = sbb(l[1], r[1], borrow);
let (w2, borrow) = sbb(l[2], r[2], borrow);
let (w3, borrow) = sbb(l[3], r[3], borrow);
let (w4, _borrow) = sbb(l[4], r[4], borrow);
// If underflow occurred on the final limb - don't care (= add b^{k+1}).
[w0, w1, w2, w3, w4]
}
#[inline]
#[allow(clippy::too_many_arguments)]
const fn subtract_n_if_necessary(r0: u64, r1: u64, r2: u64, r3: u64, r4: u64) -> [u64; 5] {
let modulus = MODULUS.as_words();
let (w0, borrow) = sbb(r0, modulus[0], 0);
let (w1, borrow) = sbb(r1, modulus[1], borrow);
let (w2, borrow) = sbb(r2, modulus[2], borrow);
let (w3, borrow) = sbb(r3, modulus[3], borrow);
let (w4, borrow) = sbb(r4, 0, borrow);
// If underflow occurred on the final limb, borrow = 0xfff...fff, otherwise
// borrow = 0x000...000. Thus, we use it as a mask to conditionally add the
// modulus.
let (w0, carry) = adc(w0, modulus[0] & borrow, 0);
let (w1, carry) = adc(w1, modulus[1] & borrow, carry);
let (w2, carry) = adc(w2, modulus[2] & borrow, carry);
let (w3, carry) = adc(w3, modulus[3] & borrow, carry);
let (w4, _carry) = adc(w4, 0, carry);
[w0, w1, w2, w3, w4]
}

23
vendor/p256/src/arithmetic/util.rs vendored Normal file
View File

@@ -0,0 +1,23 @@
//! Helper functions.
// TODO(tarcieri): replace these with `crypto-bigint`
/// Computes `a + b + carry`, returning the result along with the new carry. 64-bit version.
#[inline(always)]
pub const fn adc(a: u64, b: u64, carry: u64) -> (u64, u64) {
let ret = (a as u128) + (b as u128) + (carry as u128);
(ret as u64, (ret >> 64) as u64)
}
/// Computes `a - (b + borrow)`, returning the result along with the new borrow. 64-bit version.
#[inline(always)]
pub const fn sbb(a: u64, b: u64, borrow: u64) -> (u64, u64) {
let ret = (a as u128).wrapping_sub((b as u128) + ((borrow >> 63) as u128));
(ret as u64, (ret >> 64) as u64)
}
/// Computes `a + (b * c) + carry`, returning the result along with the new carry.
#[inline(always)]
pub const fn mac(a: u64, b: u64, c: u64, carry: u64) -> (u64, u64) {
let ret = (a as u128) + ((b as u128) * (c as u128)) + (carry as u128);
(ret as u64, (ret >> 64) as u64)
}

47
vendor/p256/src/ecdh.rs vendored Normal file
View File

@@ -0,0 +1,47 @@
//! Elliptic Curve Diffie-Hellman (Ephemeral) Support.
//!
//! This module contains a high-level interface for performing ephemeral
//! Diffie-Hellman key exchanges using the secp256r1 elliptic curve.
//!
//! # Usage
//!
//! This usage example is from the perspective of two participants in the
//! exchange, nicknamed "Alice" and "Bob".
//!
//! ```
//! use p256::{EncodedPoint, PublicKey, ecdh::EphemeralSecret};
//! use rand_core::OsRng; // requires 'getrandom' feature
//!
//! // Alice
//! let alice_secret = EphemeralSecret::random(&mut OsRng);
//! let alice_pk_bytes = EncodedPoint::from(alice_secret.public_key());
//!
//! // Bob
//! let bob_secret = EphemeralSecret::random(&mut OsRng);
//! let bob_pk_bytes = EncodedPoint::from(bob_secret.public_key());
//!
//! // Alice decodes Bob's serialized public key and computes a shared secret from it
//! let bob_public = PublicKey::from_sec1_bytes(bob_pk_bytes.as_ref())
//! .expect("bob's public key is invalid!"); // In real usage, don't panic, handle this!
//!
//! let alice_shared = alice_secret.diffie_hellman(&bob_public);
//!
//! // Bob decodes Alice's serialized public key and computes the same shared secret
//! let alice_public = PublicKey::from_sec1_bytes(alice_pk_bytes.as_ref())
//! .expect("alice's public key is invalid!"); // In real usage, don't panic, handle this!
//!
//! let bob_shared = bob_secret.diffie_hellman(&alice_public);
//!
//! // Both participants arrive on the same shared secret
//! assert_eq!(alice_shared.raw_secret_bytes(), bob_shared.raw_secret_bytes());
//! ```
pub use elliptic_curve::ecdh::diffie_hellman;
use crate::NistP256;
/// NIST P-256 Ephemeral Diffie-Hellman Secret.
pub type EphemeralSecret = elliptic_curve::ecdh::EphemeralSecret<NistP256>;
/// Shared secret value computed via ECDH key agreement.
pub type SharedSecret = elliptic_curve::ecdh::SharedSecret<NistP256>;

198
vendor/p256/src/ecdsa.rs vendored Normal file
View File

@@ -0,0 +1,198 @@
//! Elliptic Curve Digital Signature Algorithm (ECDSA)
//!
//! This module contains support for computing and verifying ECDSA signatures.
//! To use it, you will need to enable one of the two following Cargo features:
//!
//! - `ecdsa-core`: provides only the [`Signature`] type (which represents an
//! ECDSA/P-256 signature). Does not require the `arithmetic` feature.
//! This is useful for 3rd-party crates which wish to use the `Signature`
//! type for interoperability purposes (particularly in conjunction with the
//! [`signature::Signer`] trait. Example use cases for this include other
//! software implementations of ECDSA/P-256 and wrappers for cloud KMS
//! services or hardware devices (HSM or crypto hardware wallet).
//! - `ecdsa`: provides `ecdsa-core` features plus the [`SigningKey`] and
//! [`VerifyingKey`] types which natively implement ECDSA/P-256 signing and
//! verification.
//!
//! ## Signing/Verification Example
//!
//! This example requires the `ecdsa` Cargo feature is enabled:
//!
//! ```
//! # #[cfg(feature = "ecdsa")]
//! # {
//! use p256::{
//! ecdsa::{SigningKey, Signature, signature::Signer},
//! };
//! use rand_core::OsRng; // requires 'getrandom' feature
//!
//! // Signing
//! let signing_key = SigningKey::random(&mut OsRng); // Serialize with `::to_bytes()`
//! let message = b"ECDSA proves knowledge of a secret number in the context of a single message";
//! let signature: Signature = signing_key.sign(message);
//!
//! // Verification
//! use p256::ecdsa::{VerifyingKey, signature::Verifier};
//!
//! let verifying_key = VerifyingKey::from(&signing_key); // Serialize with `::to_encoded_point()`
//! assert!(verifying_key.verify(message, &signature).is_ok());
//! # }
//! ```
pub use ecdsa_core::signature::{self, Error};
use super::NistP256;
#[cfg(feature = "ecdsa")]
use {
crate::{AffinePoint, Scalar},
ecdsa_core::hazmat::{SignPrimitive, VerifyPrimitive},
};
/// ECDSA/P-256 signature (fixed-size)
pub type Signature = ecdsa_core::Signature<NistP256>;
/// ECDSA/P-256 signature (ASN.1 DER encoded)
pub type DerSignature = ecdsa_core::der::Signature<NistP256>;
/// ECDSA/P-256 signing key
#[cfg(feature = "ecdsa")]
pub type SigningKey = ecdsa_core::SigningKey<NistP256>;
/// ECDSA/P-256 verification key (i.e. public key)
#[cfg(feature = "ecdsa")]
pub type VerifyingKey = ecdsa_core::VerifyingKey<NistP256>;
#[cfg(feature = "sha256")]
impl ecdsa_core::hazmat::DigestPrimitive for NistP256 {
type Digest = sha2::Sha256;
}
#[cfg(feature = "ecdsa")]
impl SignPrimitive<NistP256> for Scalar {}
#[cfg(feature = "ecdsa")]
impl VerifyPrimitive<NistP256> for AffinePoint {}
#[cfg(all(test, feature = "ecdsa"))]
mod tests {
use crate::{
ecdsa::{
signature::hazmat::{PrehashSigner, PrehashVerifier},
signature::Signer,
Signature, SigningKey, VerifyingKey,
},
test_vectors::ecdsa::ECDSA_TEST_VECTORS,
AffinePoint, BlindedScalar, EncodedPoint, Scalar,
};
use ecdsa_core::hazmat::SignPrimitive;
use elliptic_curve::{
generic_array::GenericArray, group::ff::PrimeField, rand_core::OsRng,
sec1::FromEncodedPoint,
};
use hex_literal::hex;
use sha2::Digest;
// Test vector from RFC 6979 Appendix 2.5 (NIST P-256 + SHA-256)
// <https://tools.ietf.org/html/rfc6979#appendix-A.2.5>
#[test]
fn rfc6979() {
let x = hex!("c9afa9d845ba75166b5c215767b1d6934e50c3db36e89b127b8a622b120f6721");
let signer = SigningKey::from_bytes(&x.into()).unwrap();
let signature: Signature = signer.sign(b"sample");
assert_eq!(
signature.to_bytes().as_slice(),
&hex!(
"efd48b2aacb6a8fd1140dd9cd45e81d69d2c877b56aaf991c34d0ea84eaf3716
f7cb1c942d657c41d436c7a1b6e29f65f3e900dbb9aff4064dc4ab2f843acda8"
)
);
let signature: Signature = signer.sign(b"test");
assert_eq!(
signature.to_bytes().as_slice(),
&hex!(
"f1abb023518351cd71d881567b1ea663ed3efcf6c5132b354f28d3b0b7d38367
019f4113742a2b14bd25926b49c649155f267e60d3814b4c0cc84250e46f0083"
)
);
}
// Test signing with PrehashSigner using SHA-384 which output is larger than P-256 field size.
#[test]
fn prehash_signer_signing_with_sha384() {
let x = hex!("c9afa9d845ba75166b5c215767b1d6934e50c3db36e89b127b8a622b120f6721");
let signer = SigningKey::from_bytes(&x.into()).unwrap();
let digest = sha2::Sha384::digest(b"test");
let signature: Signature = signer.sign_prehash(&digest).unwrap();
assert_eq!(
signature.to_bytes().as_slice(),
&hex!(
"ebde85f1539af67e70dd7a8a6afeeb332aa7f08f01ebb6ab6e04e2a62d2fef75
871af45800daddf55619b005a601a7a84f544260f1d2625b2ef5aa7a4f4dd76f"
)
);
}
// Test verifying with PrehashVerifier using SHA-256 which output is larger than P-256 field size.
#[test]
fn prehash_signer_verification_with_sha384() {
// The following test vector adapted from the FIPS 186-4 ECDSA test vectors
// (P-256, SHA-384, from `SigGen.txt` in `186-4ecdsatestvectors.zip`)
// <https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/digital-signatures>
let verifier = VerifyingKey::from_affine(
AffinePoint::from_encoded_point(&EncodedPoint::from_affine_coordinates(
GenericArray::from_slice(&hex!(
"e0e7b99bc62d8dd67883e39ed9fa0657789c5ff556cc1fd8dd1e2a55e9e3f243"
)),
GenericArray::from_slice(&hex!(
"63fbfd0232b95578075c903a4dbf85ad58f8350516e1ec89b0ee1f5e1362da69"
)),
false,
))
.unwrap(),
)
.unwrap();
let signature = Signature::from_scalars(
GenericArray::clone_from_slice(&hex!(
"f5087878e212b703578f5c66f434883f3ef414dc23e2e8d8ab6a8d159ed5ad83"
)),
GenericArray::clone_from_slice(&hex!(
"306b4c6c20213707982dffbb30fba99b96e792163dd59dbe606e734328dd7c8a"
)),
)
.unwrap();
let result = verifier.verify_prehash(
&hex!("d9c83b92fa0979f4a5ddbd8dd22ab9377801c3c31bf50f932ace0d2146e2574da0d5552dbed4b18836280e9f94558ea6"),
&signature,
);
assert!(result.is_ok());
}
#[test]
fn scalar_blinding() {
let vector = &ECDSA_TEST_VECTORS[0];
let d = Scalar::from_repr(GenericArray::clone_from_slice(vector.d)).unwrap();
let k = Scalar::from_repr(GenericArray::clone_from_slice(vector.k)).unwrap();
let k_blinded = BlindedScalar::new(k, &mut OsRng);
let z = GenericArray::clone_from_slice(vector.m);
let sig = d.try_sign_prehashed(k_blinded, &z).unwrap().0;
assert_eq!(vector.r, sig.r().to_bytes().as_slice());
assert_eq!(vector.s, sig.s().to_bytes().as_slice());
}
mod sign {
use crate::{test_vectors::ecdsa::ECDSA_TEST_VECTORS, NistP256};
ecdsa_core::new_signing_test!(NistP256, ECDSA_TEST_VECTORS);
}
mod verify {
use crate::{test_vectors::ecdsa::ECDSA_TEST_VECTORS, NistP256};
ecdsa_core::new_verification_test!(NistP256, ECDSA_TEST_VECTORS);
}
mod wycheproof {
use crate::NistP256;
ecdsa_core::new_wycheproof_test!(wycheproof, "wycheproof", NistP256);
}
}

183
vendor/p256/src/lib.rs vendored Normal file
View File

@@ -0,0 +1,183 @@
#![no_std]
#![cfg_attr(docsrs, feature(doc_auto_cfg))]
#![doc = include_str!("../README.md")]
#![doc(
html_logo_url = "https://raw.githubusercontent.com/RustCrypto/meta/master/logo.svg",
html_favicon_url = "https://raw.githubusercontent.com/RustCrypto/meta/master/logo.svg"
)]
#![forbid(unsafe_code)]
#![warn(
clippy::mod_module_files,
clippy::unwrap_used,
missing_docs,
rust_2018_idioms,
unused_lifetimes,
unused_qualifications
)]
//! ## `serde` support
//!
//! When the `serde` feature of this crate is enabled, `Serialize` and
//! `Deserialize` are impl'd for the following types:
//!
//! - [`AffinePoint`]
//! - [`Scalar`]
//! - [`ecdsa::VerifyingKey`]
//!
//! Please see type-specific documentation for more information.
#[cfg(feature = "arithmetic")]
mod arithmetic;
#[cfg(feature = "ecdh")]
pub mod ecdh;
#[cfg(feature = "ecdsa-core")]
pub mod ecdsa;
#[cfg(any(feature = "test-vectors", test))]
pub mod test_vectors;
pub use elliptic_curve::{self, bigint::U256, consts::U32};
#[cfg(feature = "arithmetic")]
pub use arithmetic::{scalar::Scalar, AffinePoint, ProjectivePoint};
#[cfg(feature = "expose-field")]
pub use arithmetic::field::FieldElement;
#[cfg(feature = "pkcs8")]
pub use elliptic_curve::pkcs8;
use elliptic_curve::{
bigint::ArrayEncoding, consts::U33, generic_array::GenericArray, FieldBytesEncoding,
};
/// Order of NIST P-256's elliptic curve group (i.e. scalar modulus) serialized
/// as hexadecimal.
///
/// ```text
/// n = FFFFFFFF 00000000 FFFFFFFF FFFFFFFF BCE6FAAD A7179E84 F3B9CAC2 FC632551
/// ```
///
/// # Calculating the order
/// One way to calculate the order is with `GP/PARI`:
///
/// ```text
/// p = (2^224) * (2^32 - 1) + 2^192 + 2^96 - 1
/// b = 41058363725152142129326129780047268409114441015993725554835256314039467401291
/// E = ellinit([Mod(-3, p), Mod(b, p)])
/// default(parisize, 120000000)
/// n = ellsea(E)
/// isprime(n)
/// ```
const ORDER_HEX: &str = "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551";
/// NIST P-256 elliptic curve.
///
/// This curve is also known as prime256v1 (ANSI X9.62) and secp256r1 (SECG)
/// and is specified in [NIST SP 800-186]:
/// Recommendations for Discrete Logarithm-based Cryptography:
/// Elliptic Curve Domain Parameters.
///
/// It's included in the US National Security Agency's "Suite B" and is widely
/// used in protocols like TLS and the associated X.509 PKI.
///
/// Its equation is `y² = x³ - 3x + b` over a ~256-bit prime field where `b` is
/// the "verifiably random"† constant:
///
/// ```text
/// b = 41058363725152142129326129780047268409114441015993725554835256314039467401291
/// ```
///
/// † *NOTE: the specific origins of this constant have never been fully disclosed
/// (it is the SHA-1 digest of an unknown NSA-selected constant)*
///
/// [NIST SP 800-186]: https://csrc.nist.gov/publications/detail/sp/800-186/final
#[derive(Copy, Clone, Debug, Default, Eq, PartialEq, PartialOrd, Ord)]
pub struct NistP256;
impl elliptic_curve::Curve for NistP256 {
/// 32-byte serialized field elements.
type FieldBytesSize = U32;
/// 256-bit integer type used for internally representing field elements.
type Uint = U256;
/// Order of NIST P-256's elliptic curve group (i.e. scalar modulus).
const ORDER: U256 = U256::from_be_hex(ORDER_HEX);
}
impl elliptic_curve::PrimeCurve for NistP256 {}
impl elliptic_curve::point::PointCompression for NistP256 {
/// NIST P-256 points are typically uncompressed.
const COMPRESS_POINTS: bool = false;
}
impl elliptic_curve::point::PointCompaction for NistP256 {
/// NIST P-256 points are typically uncompressed.
const COMPACT_POINTS: bool = false;
}
#[cfg(feature = "jwk")]
impl elliptic_curve::JwkParameters for NistP256 {
const CRV: &'static str = "P-256";
}
#[cfg(feature = "pkcs8")]
impl pkcs8::AssociatedOid for NistP256 {
const OID: pkcs8::ObjectIdentifier = pkcs8::ObjectIdentifier::new_unwrap("1.2.840.10045.3.1.7");
}
/// Blinded scalar.
#[cfg(feature = "arithmetic")]
pub type BlindedScalar = elliptic_curve::scalar::BlindedScalar<NistP256>;
/// Compressed SEC1-encoded NIST P-256 curve point.
pub type CompressedPoint = GenericArray<u8, U33>;
/// NIST P-256 SEC1 encoded point.
pub type EncodedPoint = elliptic_curve::sec1::EncodedPoint<NistP256>;
/// NIST P-256 field element serialized as bytes.
///
/// Byte array containing a serialized field element value (base field or scalar).
pub type FieldBytes = elliptic_curve::FieldBytes<NistP256>;
impl FieldBytesEncoding<NistP256> for U256 {
fn decode_field_bytes(field_bytes: &FieldBytes) -> Self {
U256::from_be_byte_array(*field_bytes)
}
fn encode_field_bytes(&self) -> FieldBytes {
self.to_be_byte_array()
}
}
/// Non-zero NIST P-256 scalar field element.
#[cfg(feature = "arithmetic")]
pub type NonZeroScalar = elliptic_curve::NonZeroScalar<NistP256>;
/// NIST P-256 public key.
#[cfg(feature = "arithmetic")]
pub type PublicKey = elliptic_curve::PublicKey<NistP256>;
/// NIST P-256 secret key.
pub type SecretKey = elliptic_curve::SecretKey<NistP256>;
#[cfg(not(feature = "arithmetic"))]
impl elliptic_curve::sec1::ValidatePublicKey for NistP256 {}
/// Bit representation of a NIST P-256 scalar field element.
#[cfg(feature = "bits")]
pub type ScalarBits = elliptic_curve::scalar::ScalarBits<NistP256>;
#[cfg(feature = "voprf")]
impl elliptic_curve::VoprfParameters for NistP256 {
/// See <https://www.ietf.org/archive/id/draft-irtf-cfrg-voprf-19.html#section-4.3>.
const ID: &'static str = "P256-SHA256";
/// See <https://www.ietf.org/archive/id/draft-irtf-cfrg-voprf-08.html#section-4.3-1.2>.
type Hash = sha2::Sha256;
}

6
vendor/p256/src/test_vectors.rs vendored Normal file
View File

@@ -0,0 +1,6 @@
//! secp256r1 test vectors.
#[cfg(test)]
pub mod ecdsa;
pub mod field;
pub mod group;

BIN
vendor/p256/src/test_vectors/data/wycheproof.blb vendored Normal file
View File

Binary file not shown.

150
vendor/p256/src/test_vectors/ecdsa.rs vendored Normal file
View File

@@ -0,0 +1,150 @@
//! ECDSA/secp256r1 test vectors
use ecdsa_core::dev::TestVector;
use hex_literal::hex;
/// ECDSA/P-256 test vectors.
///
/// Adapted from the FIPS 186-4 ECDSA test vectors
/// (P-256, SHA-256, from `SigGen.txt` in `186-4ecdsatestvectors.zip`)
/// <https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/digital-signatures>
///
/// The `m` field contains a SHA-256 prehash of the `Msg` field in the
/// original `SigTen.txt`.
pub const ECDSA_TEST_VECTORS: &[TestVector] = &[
TestVector {
d: &hex!("519b423d715f8b581f4fa8ee59f4771a5b44c8130b4e3eacca54a56dda72b464"),
q_x: &hex!("1ccbe91c075fc7f4f033bfa248db8fccd3565de94bbfb12f3c59ff46c271bf83"),
q_y: &hex!("ce4014c68811f9a21a1fdb2c0e6113e06db7ca93b7404e78dc7ccd5ca89a4ca9"),
k: &hex!("94a1bbb14b906a61a280f245f9e93c7f3b4a6247824f5d33b9670787642a68de"),
m: &hex!("44acf6b7e36c1342c2c5897204fe09504e1e2efb1a900377dbc4e7a6a133ec56"),
r: &hex!("f3ac8061b514795b8843e3d6629527ed2afd6b1f6a555a7acabb5e6f79c8c2ac"),
s: &hex!("8bf77819ca05a6b2786c76262bf7371cef97b218e96f175a3ccdda2acc058903"),
},
TestVector {
d: &hex!("0f56db78ca460b055c500064824bed999a25aaf48ebb519ac201537b85479813"),
q_x: &hex!("e266ddfdc12668db30d4ca3e8f7749432c416044f2d2b8c10bf3d4012aeffa8a"),
q_y: &hex!("bfa86404a2e9ffe67d47c587ef7a97a7f456b863b4d02cfc6928973ab5b1cb39"),
k: &hex!("6d3e71882c3b83b156bb14e0ab184aa9fb728068d3ae9fac421187ae0b2f34c6"),
m: &hex!("9b2db89cb0e8fa3cc7608b4d6cc1dec0114e0b9ff4080bea12b134f489ab2bbc"),
r: &hex!("976d3a4e9d23326dc0baa9fa560b7c4e53f42864f508483a6473b6a11079b2db"),
s: &hex!("1b766e9ceb71ba6c01dcd46e0af462cd4cfa652ae5017d4555b8eeefe36e1932"),
},
TestVector {
d: &hex!("e283871239837e13b95f789e6e1af63bf61c918c992e62bca040d64cad1fc2ef"),
q_x: &hex!("74ccd8a62fba0e667c50929a53f78c21b8ff0c3c737b0b40b1750b2302b0bde8"),
q_y: &hex!("29074e21f3a0ef88b9efdf10d06aa4c295cc1671f758ca0e4cd108803d0f2614"),
k: &hex!("ad5e887eb2b380b8d8280ad6e5ff8a60f4d26243e0124c2f31a297b5d0835de2"),
m: &hex!("b804cf88af0c2eff8bbbfb3660ebb3294138e9d3ebd458884e19818061dacff0"),
r: &hex!("35fb60f5ca0f3ca08542fb3cc641c8263a2cab7a90ee6a5e1583fac2bb6f6bd1"),
s: &hex!("ee59d81bc9db1055cc0ed97b159d8784af04e98511d0a9a407b99bb292572e96"),
},
TestVector {
d: &hex!("a3d2d3b7596f6592ce98b4bfe10d41837f10027a90d7bb75349490018cf72d07"),
q_x: &hex!("322f80371bf6e044bc49391d97c1714ab87f990b949bc178cb7c43b7c22d89e1"),
q_y: &hex!("3c15d54a5cc6b9f09de8457e873eb3deb1fceb54b0b295da6050294fae7fd999"),
k: &hex!("24fc90e1da13f17ef9fe84cc96b9471ed1aaac17e3a4bae33a115df4e5834f18"),
m: &hex!("85b957d92766235e7c880ac5447cfbe97f3cb499f486d1e43bcb5c2ff9608a1a"),
r: &hex!("d7c562370af617b581c84a2468cc8bd50bb1cbf322de41b7887ce07c0e5884ca"),
s: &hex!("b46d9f2d8c4bf83546ff178f1d78937c008d64e8ecc5cbb825cb21d94d670d89"),
},
TestVector {
d: &hex!("53a0e8a8fe93db01e7ae94e1a9882a102ebd079b3a535827d583626c272d280d"),
q_x: &hex!("1bcec4570e1ec2436596b8ded58f60c3b1ebc6a403bc5543040ba82963057244"),
q_y: &hex!("8af62a4c683f096b28558320737bf83b9959a46ad2521004ef74cf85e67494e1"),
k: &hex!("5d833e8d24cc7a402d7ee7ec852a3587cddeb48358cea71b0bedb8fabe84e0c4"),
m: &hex!("3360d699222f21840827cf698d7cb635bee57dc80cd7733b682d41b55b666e22"),
r: &hex!("18caaf7b663507a8bcd992b836dec9dc5703c080af5e51dfa3a9a7c387182604"),
s: &hex!("77c68928ac3b88d985fb43fb615fb7ff45c18ba5c81af796c613dfa98352d29c"),
},
TestVector {
d: &hex!("4af107e8e2194c830ffb712a65511bc9186a133007855b49ab4b3833aefc4a1d"),
q_x: &hex!("a32e50be3dae2c8ba3f5e4bdae14cf7645420d425ead94036c22dd6c4fc59e00"),
q_y: &hex!("d623bf641160c289d6742c6257ae6ba574446dd1d0e74db3aaa80900b78d4ae9"),
k: &hex!("e18f96f84dfa2fd3cdfaec9159d4c338cd54ad314134f0b31e20591fc238d0ab"),
m: &hex!("c413c4908cd0bc6d8e32001aa103043b2cf5be7fcbd61a5cec9488c3a577ca57"),
r: &hex!("8524c5024e2d9a73bde8c72d9129f57873bbad0ed05215a372a84fdbc78f2e68"),
s: &hex!("d18c2caf3b1072f87064ec5e8953f51301cada03469c640244760328eb5a05cb"),
},
TestVector {
d: &hex!("78dfaa09f1076850b3e206e477494cddcfb822aaa0128475053592c48ebaf4ab"),
q_x: &hex!("8bcfe2a721ca6d753968f564ec4315be4857e28bef1908f61a366b1f03c97479"),
q_y: &hex!("0f67576a30b8e20d4232d8530b52fb4c89cbc589ede291e499ddd15fe870ab96"),
k: &hex!("295544dbb2da3da170741c9b2c6551d40af7ed4e891445f11a02b66a5c258a77"),
m: &hex!("88fc1e7d849794fc51b135fa135deec0db02b86c3cd8cebdaa79e8689e5b2898"),
r: &hex!("c5a186d72df452015480f7f338970bfe825087f05c0088d95305f87aacc9b254"),
s: &hex!("84a58f9e9d9e735344b316b1aa1ab5185665b85147dc82d92e969d7bee31ca30"),
},
TestVector {
d: &hex!("80e692e3eb9fcd8c7d44e7de9f7a5952686407f90025a1d87e52c7096a62618a"),
q_x: &hex!("a88bc8430279c8c0400a77d751f26c0abc93e5de4ad9a4166357952fe041e767"),
q_y: &hex!("2d365a1eef25ead579cc9a069b6abc1b16b81c35f18785ce26a10ba6d1381185"),
k: &hex!("7c80fd66d62cc076cef2d030c17c0a69c99611549cb32c4ff662475adbe84b22"),
m: &hex!("41fa8d8b4cd0a5fdf021f4e4829d6d1e996bab6b4a19dcb85585fe76c582d2bc"),
r: &hex!("9d0c6afb6df3bced455b459cc21387e14929392664bb8741a3693a1795ca6902"),
s: &hex!("d7f9ddd191f1f412869429209ee3814c75c72fa46a9cccf804a2f5cc0b7e739f"),
},
TestVector {
d: &hex!("5e666c0db0214c3b627a8e48541cc84a8b6fd15f300da4dff5d18aec6c55b881"),
q_x: &hex!("1bc487570f040dc94196c9befe8ab2b6de77208b1f38bdaae28f9645c4d2bc3a"),
q_y: &hex!("ec81602abd8345e71867c8210313737865b8aa186851e1b48eaca140320f5d8f"),
k: &hex!("2e7625a48874d86c9e467f890aaa7cd6ebdf71c0102bfdcfa24565d6af3fdce9"),
m: &hex!("2d72947c1731543b3d62490866a893952736757746d9bae13e719079299ae192"),
r: &hex!("2f9e2b4e9f747c657f705bffd124ee178bbc5391c86d056717b140c153570fd9"),
s: &hex!("f5413bfd85949da8d83de83ab0d19b2986613e224d1901d76919de23ccd03199"),
},
TestVector {
d: &hex!("f73f455271c877c4d5334627e37c278f68d143014b0a05aa62f308b2101c5308"),
q_x: &hex!("b8188bd68701fc396dab53125d4d28ea33a91daf6d21485f4770f6ea8c565dde"),
q_y: &hex!("423f058810f277f8fe076f6db56e9285a1bf2c2a1dae145095edd9c04970bc4a"),
k: &hex!("62f8665fd6e26b3fa069e85281777a9b1f0dfd2c0b9f54a086d0c109ff9fd615"),
m: &hex!("e138bd577c3729d0e24a98a82478bcc7482499c4cdf734a874f7208ddbc3c116"),
r: &hex!("1cc628533d0004b2b20e7f4baad0b8bb5e0673db159bbccf92491aef61fc9620"),
s: &hex!("880e0bbf82a8cf818ed46ba03cf0fc6c898e36fca36cc7fdb1d2db7503634430"),
},
TestVector {
d: &hex!("b20d705d9bd7c2b8dc60393a5357f632990e599a0975573ac67fd89b49187906"),
q_x: &hex!("51f99d2d52d4a6e734484a018b7ca2f895c2929b6754a3a03224d07ae61166ce"),
q_y: &hex!("4737da963c6ef7247fb88d19f9b0c667cac7fe12837fdab88c66f10d3c14cad1"),
k: &hex!("72b656f6b35b9ccbc712c9f1f3b1a14cbbebaec41c4bca8da18f492a062d6f6f"),
m: &hex!("17b03f9f00f6692ccdde485fc63c4530751ef35da6f71336610944b0894fcfb8"),
r: &hex!("9886ae46c1415c3bc959e82b760ad760aab66885a84e620aa339fdf102465c42"),
s: &hex!("2bf3a80bc04faa35ebecc0f4864ac02d349f6f126e0f988501b8d3075409a26c"),
},
TestVector {
d: &hex!("d4234bebfbc821050341a37e1240efe5e33763cbbb2ef76a1c79e24724e5a5e7"),
q_x: &hex!("8fb287f0202ad57ae841aea35f29b2e1d53e196d0ddd9aec24813d64c0922fb7"),
q_y: &hex!("1f6daff1aa2dd2d6d3741623eecb5e7b612997a1039aab2e5cf2de969cfea573"),
k: &hex!("d926fe10f1bfd9855610f4f5a3d666b1a149344057e35537373372ead8b1a778"),
m: &hex!("c25beae638ff8dcd370e03a6f89c594c55bed1277ee14d83bbb0ef783a0517c7"),
r: &hex!("490efd106be11fc365c7467eb89b8d39e15d65175356775deab211163c2504cb"),
s: &hex!("644300fc0da4d40fb8c6ead510d14f0bd4e1321a469e9c0a581464c7186b7aa7"),
},
TestVector {
d: &hex!("b58f5211dff440626bb56d0ad483193d606cf21f36d9830543327292f4d25d8c"),
q_x: &hex!("68229b48c2fe19d3db034e4c15077eb7471a66031f28a980821873915298ba76"),
q_y: &hex!("303e8ee3742a893f78b810991da697083dd8f11128c47651c27a56740a80c24c"),
k: &hex!("e158bf4a2d19a99149d9cdb879294ccb7aaeae03d75ddd616ef8ae51a6dc1071"),
m: &hex!("5eb28029ebf3c7025ff2fc2f6de6f62aecf6a72139e1cba5f20d11bbef036a7f"),
r: &hex!("e67a9717ccf96841489d6541f4f6adb12d17b59a6bef847b6183b8fcf16a32eb"),
s: &hex!("9ae6ba6d637706849a6a9fc388cf0232d85c26ea0d1fe7437adb48de58364333"),
},
TestVector {
d: &hex!("54c066711cdb061eda07e5275f7e95a9962c6764b84f6f1f3ab5a588e0a2afb1"),
q_x: &hex!("0a7dbb8bf50cb605eb2268b081f26d6b08e012f952c4b70a5a1e6e7d46af98bb"),
q_y: &hex!("f26dd7d799930062480849962ccf5004edcfd307c044f4e8f667c9baa834eeae"),
k: &hex!("646fe933e96c3b8f9f507498e907fdd201f08478d0202c752a7c2cfebf4d061a"),
m: &hex!("12135386c09e0bf6fd5c454a95bcfe9b3edb25c71e455c73a212405694b29002"),
r: &hex!("b53ce4da1aa7c0dc77a1896ab716b921499aed78df725b1504aba1597ba0c64b"),
s: &hex!("d7c246dc7ad0e67700c373edcfdd1c0a0495fc954549ad579df6ed1438840851"),
},
TestVector {
d: &hex!("34fa4682bf6cb5b16783adcd18f0e6879b92185f76d7c920409f904f522db4b1"),
q_x: &hex!("105d22d9c626520faca13e7ced382dcbe93498315f00cc0ac39c4821d0d73737"),
q_y: &hex!("6c47f3cbbfa97dfcebe16270b8c7d5d3a5900b888c42520d751e8faf3b401ef4"),
k: &hex!("a6f463ee72c9492bc792fe98163112837aebd07bab7a84aaed05be64db3086f4"),
m: &hex!("aea3e069e03c0ff4d6b3fa2235e0053bbedc4c7e40efbc686d4dfb5efba4cfed"),
r: &hex!("542c40a18140a6266d6f0286e24e9a7bad7650e72ef0e2131e629c076d962663"),
s: &hex!("4f7f65305e24a6bbb5cff714ba8f5a2cee5bdc89ba8d75dcbf21966ce38eb66f"),
},
];

257
vendor/p256/src/test_vectors/field.rs vendored Normal file
View File

@@ -0,0 +1,257 @@
//! Test vectors for the secp256r1 base field.
use hex_literal::hex;
/// Repeated doubling of the multiplicative identity.
pub const DBL_TEST_VECTORS: &[[u8; 32]] = &[
hex!("0000000000000000000000000000000000000000000000000000000000000001"),
hex!("0000000000000000000000000000000000000000000000000000000000000002"),
hex!("0000000000000000000000000000000000000000000000000000000000000004"),
hex!("0000000000000000000000000000000000000000000000000000000000000008"),
hex!("0000000000000000000000000000000000000000000000000000000000000010"),
hex!("0000000000000000000000000000000000000000000000000000000000000020"),
hex!("0000000000000000000000000000000000000000000000000000000000000040"),
hex!("0000000000000000000000000000000000000000000000000000000000000080"),
hex!("0000000000000000000000000000000000000000000000000000000000000100"),
hex!("0000000000000000000000000000000000000000000000000000000000000200"),
hex!("0000000000000000000000000000000000000000000000000000000000000400"),
hex!("0000000000000000000000000000000000000000000000000000000000000800"),
hex!("0000000000000000000000000000000000000000000000000000000000001000"),
hex!("0000000000000000000000000000000000000000000000000000000000002000"),
hex!("0000000000000000000000000000000000000000000000000000000000004000"),
hex!("0000000000000000000000000000000000000000000000000000000000008000"),
hex!("0000000000000000000000000000000000000000000000000000000000010000"),
hex!("0000000000000000000000000000000000000000000000000000000000020000"),
hex!("0000000000000000000000000000000000000000000000000000000000040000"),
hex!("0000000000000000000000000000000000000000000000000000000000080000"),
hex!("0000000000000000000000000000000000000000000000000000000000100000"),
hex!("0000000000000000000000000000000000000000000000000000000000200000"),
hex!("0000000000000000000000000000000000000000000000000000000000400000"),
hex!("0000000000000000000000000000000000000000000000000000000000800000"),
hex!("0000000000000000000000000000000000000000000000000000000001000000"),
hex!("0000000000000000000000000000000000000000000000000000000002000000"),
hex!("0000000000000000000000000000000000000000000000000000000004000000"),
hex!("0000000000000000000000000000000000000000000000000000000008000000"),
hex!("0000000000000000000000000000000000000000000000000000000010000000"),
hex!("0000000000000000000000000000000000000000000000000000000020000000"),
hex!("0000000000000000000000000000000000000000000000000000000040000000"),
hex!("0000000000000000000000000000000000000000000000000000000080000000"),
hex!("0000000000000000000000000000000000000000000000000000000100000000"),
hex!("0000000000000000000000000000000000000000000000000000000200000000"),
hex!("0000000000000000000000000000000000000000000000000000000400000000"),
hex!("0000000000000000000000000000000000000000000000000000000800000000"),
hex!("0000000000000000000000000000000000000000000000000000001000000000"),
hex!("0000000000000000000000000000000000000000000000000000002000000000"),
hex!("0000000000000000000000000000000000000000000000000000004000000000"),
hex!("0000000000000000000000000000000000000000000000000000008000000000"),
hex!("0000000000000000000000000000000000000000000000000000010000000000"),
hex!("0000000000000000000000000000000000000000000000000000020000000000"),
hex!("0000000000000000000000000000000000000000000000000000040000000000"),
hex!("0000000000000000000000000000000000000000000000000000080000000000"),
hex!("0000000000000000000000000000000000000000000000000000100000000000"),
hex!("0000000000000000000000000000000000000000000000000000200000000000"),
hex!("0000000000000000000000000000000000000000000000000000400000000000"),
hex!("0000000000000000000000000000000000000000000000000000800000000000"),
hex!("0000000000000000000000000000000000000000000000000001000000000000"),
hex!("0000000000000000000000000000000000000000000000000002000000000000"),
hex!("0000000000000000000000000000000000000000000000000004000000000000"),
hex!("0000000000000000000000000000000000000000000000000008000000000000"),
hex!("0000000000000000000000000000000000000000000000000010000000000000"),
hex!("0000000000000000000000000000000000000000000000000020000000000000"),
hex!("0000000000000000000000000000000000000000000000000040000000000000"),
hex!("0000000000000000000000000000000000000000000000000080000000000000"),
hex!("0000000000000000000000000000000000000000000000000100000000000000"),
hex!("0000000000000000000000000000000000000000000000000200000000000000"),
hex!("0000000000000000000000000000000000000000000000000400000000000000"),
hex!("0000000000000000000000000000000000000000000000000800000000000000"),
hex!("0000000000000000000000000000000000000000000000001000000000000000"),
hex!("0000000000000000000000000000000000000000000000002000000000000000"),
hex!("0000000000000000000000000000000000000000000000004000000000000000"),
hex!("0000000000000000000000000000000000000000000000008000000000000000"),
hex!("0000000000000000000000000000000000000000000000010000000000000000"),
hex!("0000000000000000000000000000000000000000000000020000000000000000"),
hex!("0000000000000000000000000000000000000000000000040000000000000000"),
hex!("0000000000000000000000000000000000000000000000080000000000000000"),
hex!("0000000000000000000000000000000000000000000000100000000000000000"),
hex!("0000000000000000000000000000000000000000000000200000000000000000"),
hex!("0000000000000000000000000000000000000000000000400000000000000000"),
hex!("0000000000000000000000000000000000000000000000800000000000000000"),
hex!("0000000000000000000000000000000000000000000001000000000000000000"),
hex!("0000000000000000000000000000000000000000000002000000000000000000"),
hex!("0000000000000000000000000000000000000000000004000000000000000000"),
hex!("0000000000000000000000000000000000000000000008000000000000000000"),
hex!("0000000000000000000000000000000000000000000010000000000000000000"),
hex!("0000000000000000000000000000000000000000000020000000000000000000"),
hex!("0000000000000000000000000000000000000000000040000000000000000000"),
hex!("0000000000000000000000000000000000000000000080000000000000000000"),
hex!("0000000000000000000000000000000000000000000100000000000000000000"),
hex!("0000000000000000000000000000000000000000000200000000000000000000"),
hex!("0000000000000000000000000000000000000000000400000000000000000000"),
hex!("0000000000000000000000000000000000000000000800000000000000000000"),
hex!("0000000000000000000000000000000000000000001000000000000000000000"),
hex!("0000000000000000000000000000000000000000002000000000000000000000"),
hex!("0000000000000000000000000000000000000000004000000000000000000000"),
hex!("0000000000000000000000000000000000000000008000000000000000000000"),
hex!("0000000000000000000000000000000000000000010000000000000000000000"),
hex!("0000000000000000000000000000000000000000020000000000000000000000"),
hex!("0000000000000000000000000000000000000000040000000000000000000000"),
hex!("0000000000000000000000000000000000000000080000000000000000000000"),
hex!("0000000000000000000000000000000000000000100000000000000000000000"),
hex!("0000000000000000000000000000000000000000200000000000000000000000"),
hex!("0000000000000000000000000000000000000000400000000000000000000000"),
hex!("0000000000000000000000000000000000000000800000000000000000000000"),
hex!("0000000000000000000000000000000000000001000000000000000000000000"),
hex!("0000000000000000000000000000000000000002000000000000000000000000"),
hex!("0000000000000000000000000000000000000004000000000000000000000000"),
hex!("0000000000000000000000000000000000000008000000000000000000000000"),
hex!("0000000000000000000000000000000000000010000000000000000000000000"),
hex!("0000000000000000000000000000000000000020000000000000000000000000"),
hex!("0000000000000000000000000000000000000040000000000000000000000000"),
hex!("0000000000000000000000000000000000000080000000000000000000000000"),
hex!("0000000000000000000000000000000000000100000000000000000000000000"),
hex!("0000000000000000000000000000000000000200000000000000000000000000"),
hex!("0000000000000000000000000000000000000400000000000000000000000000"),
hex!("0000000000000000000000000000000000000800000000000000000000000000"),
hex!("0000000000000000000000000000000000001000000000000000000000000000"),
hex!("0000000000000000000000000000000000002000000000000000000000000000"),
hex!("0000000000000000000000000000000000004000000000000000000000000000"),
hex!("0000000000000000000000000000000000008000000000000000000000000000"),
hex!("0000000000000000000000000000000000010000000000000000000000000000"),
hex!("0000000000000000000000000000000000020000000000000000000000000000"),
hex!("0000000000000000000000000000000000040000000000000000000000000000"),
hex!("0000000000000000000000000000000000080000000000000000000000000000"),
hex!("0000000000000000000000000000000000100000000000000000000000000000"),
hex!("0000000000000000000000000000000000200000000000000000000000000000"),
hex!("0000000000000000000000000000000000400000000000000000000000000000"),
hex!("0000000000000000000000000000000000800000000000000000000000000000"),
hex!("0000000000000000000000000000000001000000000000000000000000000000"),
hex!("0000000000000000000000000000000002000000000000000000000000000000"),
hex!("0000000000000000000000000000000004000000000000000000000000000000"),
hex!("0000000000000000000000000000000008000000000000000000000000000000"),
hex!("0000000000000000000000000000000010000000000000000000000000000000"),
hex!("0000000000000000000000000000000020000000000000000000000000000000"),
hex!("0000000000000000000000000000000040000000000000000000000000000000"),
hex!("0000000000000000000000000000000080000000000000000000000000000000"),
hex!("0000000000000000000000000000000100000000000000000000000000000000"),
hex!("0000000000000000000000000000000200000000000000000000000000000000"),
hex!("0000000000000000000000000000000400000000000000000000000000000000"),
hex!("0000000000000000000000000000000800000000000000000000000000000000"),
hex!("0000000000000000000000000000001000000000000000000000000000000000"),
hex!("0000000000000000000000000000002000000000000000000000000000000000"),
hex!("0000000000000000000000000000004000000000000000000000000000000000"),
hex!("0000000000000000000000000000008000000000000000000000000000000000"),
hex!("0000000000000000000000000000010000000000000000000000000000000000"),
hex!("0000000000000000000000000000020000000000000000000000000000000000"),
hex!("0000000000000000000000000000040000000000000000000000000000000000"),
hex!("0000000000000000000000000000080000000000000000000000000000000000"),
hex!("0000000000000000000000000000100000000000000000000000000000000000"),
hex!("0000000000000000000000000000200000000000000000000000000000000000"),
hex!("0000000000000000000000000000400000000000000000000000000000000000"),
hex!("0000000000000000000000000000800000000000000000000000000000000000"),
hex!("0000000000000000000000000001000000000000000000000000000000000000"),
hex!("0000000000000000000000000002000000000000000000000000000000000000"),
hex!("0000000000000000000000000004000000000000000000000000000000000000"),
hex!("0000000000000000000000000008000000000000000000000000000000000000"),
hex!("0000000000000000000000000010000000000000000000000000000000000000"),
hex!("0000000000000000000000000020000000000000000000000000000000000000"),
hex!("0000000000000000000000000040000000000000000000000000000000000000"),
hex!("0000000000000000000000000080000000000000000000000000000000000000"),
hex!("0000000000000000000000000100000000000000000000000000000000000000"),
hex!("0000000000000000000000000200000000000000000000000000000000000000"),
hex!("0000000000000000000000000400000000000000000000000000000000000000"),
hex!("0000000000000000000000000800000000000000000000000000000000000000"),
hex!("0000000000000000000000001000000000000000000000000000000000000000"),
hex!("0000000000000000000000002000000000000000000000000000000000000000"),
hex!("0000000000000000000000004000000000000000000000000000000000000000"),
hex!("0000000000000000000000008000000000000000000000000000000000000000"),
hex!("0000000000000000000000010000000000000000000000000000000000000000"),
hex!("0000000000000000000000020000000000000000000000000000000000000000"),
hex!("0000000000000000000000040000000000000000000000000000000000000000"),
hex!("0000000000000000000000080000000000000000000000000000000000000000"),
hex!("0000000000000000000000100000000000000000000000000000000000000000"),
hex!("0000000000000000000000200000000000000000000000000000000000000000"),
hex!("0000000000000000000000400000000000000000000000000000000000000000"),
hex!("0000000000000000000000800000000000000000000000000000000000000000"),
hex!("0000000000000000000001000000000000000000000000000000000000000000"),
hex!("0000000000000000000002000000000000000000000000000000000000000000"),
hex!("0000000000000000000004000000000000000000000000000000000000000000"),
hex!("0000000000000000000008000000000000000000000000000000000000000000"),
hex!("0000000000000000000010000000000000000000000000000000000000000000"),
hex!("0000000000000000000020000000000000000000000000000000000000000000"),
hex!("0000000000000000000040000000000000000000000000000000000000000000"),
hex!("0000000000000000000080000000000000000000000000000000000000000000"),
hex!("0000000000000000000100000000000000000000000000000000000000000000"),
hex!("0000000000000000000200000000000000000000000000000000000000000000"),
hex!("0000000000000000000400000000000000000000000000000000000000000000"),
hex!("0000000000000000000800000000000000000000000000000000000000000000"),
hex!("0000000000000000001000000000000000000000000000000000000000000000"),
hex!("0000000000000000002000000000000000000000000000000000000000000000"),
hex!("0000000000000000004000000000000000000000000000000000000000000000"),
hex!("0000000000000000008000000000000000000000000000000000000000000000"),
hex!("0000000000000000010000000000000000000000000000000000000000000000"),
hex!("0000000000000000020000000000000000000000000000000000000000000000"),
hex!("0000000000000000040000000000000000000000000000000000000000000000"),
hex!("0000000000000000080000000000000000000000000000000000000000000000"),
hex!("0000000000000000100000000000000000000000000000000000000000000000"),
hex!("0000000000000000200000000000000000000000000000000000000000000000"),
hex!("0000000000000000400000000000000000000000000000000000000000000000"),
hex!("0000000000000000800000000000000000000000000000000000000000000000"),
hex!("0000000000000001000000000000000000000000000000000000000000000000"),
hex!("0000000000000002000000000000000000000000000000000000000000000000"),
hex!("0000000000000004000000000000000000000000000000000000000000000000"),
hex!("0000000000000008000000000000000000000000000000000000000000000000"),
hex!("0000000000000010000000000000000000000000000000000000000000000000"),
hex!("0000000000000020000000000000000000000000000000000000000000000000"),
hex!("0000000000000040000000000000000000000000000000000000000000000000"),
hex!("0000000000000080000000000000000000000000000000000000000000000000"),
hex!("0000000000000100000000000000000000000000000000000000000000000000"),
hex!("0000000000000200000000000000000000000000000000000000000000000000"),
hex!("0000000000000400000000000000000000000000000000000000000000000000"),
hex!("0000000000000800000000000000000000000000000000000000000000000000"),
hex!("0000000000001000000000000000000000000000000000000000000000000000"),
hex!("0000000000002000000000000000000000000000000000000000000000000000"),
hex!("0000000000004000000000000000000000000000000000000000000000000000"),
hex!("0000000000008000000000000000000000000000000000000000000000000000"),
hex!("0000000000010000000000000000000000000000000000000000000000000000"),
hex!("0000000000020000000000000000000000000000000000000000000000000000"),
hex!("0000000000040000000000000000000000000000000000000000000000000000"),
hex!("0000000000080000000000000000000000000000000000000000000000000000"),
hex!("0000000000100000000000000000000000000000000000000000000000000000"),
hex!("0000000000200000000000000000000000000000000000000000000000000000"),
hex!("0000000000400000000000000000000000000000000000000000000000000000"),
hex!("0000000000800000000000000000000000000000000000000000000000000000"),
hex!("0000000001000000000000000000000000000000000000000000000000000000"),
hex!("0000000002000000000000000000000000000000000000000000000000000000"),
hex!("0000000004000000000000000000000000000000000000000000000000000000"),
hex!("0000000008000000000000000000000000000000000000000000000000000000"),
hex!("0000000010000000000000000000000000000000000000000000000000000000"),
hex!("0000000020000000000000000000000000000000000000000000000000000000"),
hex!("0000000040000000000000000000000000000000000000000000000000000000"),
hex!("0000000080000000000000000000000000000000000000000000000000000000"),
hex!("0000000100000000000000000000000000000000000000000000000000000000"),
hex!("0000000200000000000000000000000000000000000000000000000000000000"),
hex!("0000000400000000000000000000000000000000000000000000000000000000"),
hex!("0000000800000000000000000000000000000000000000000000000000000000"),
hex!("0000001000000000000000000000000000000000000000000000000000000000"),
hex!("0000002000000000000000000000000000000000000000000000000000000000"),
hex!("0000004000000000000000000000000000000000000000000000000000000000"),
hex!("0000008000000000000000000000000000000000000000000000000000000000"),
hex!("0000010000000000000000000000000000000000000000000000000000000000"),
hex!("0000020000000000000000000000000000000000000000000000000000000000"),
hex!("0000040000000000000000000000000000000000000000000000000000000000"),
hex!("0000080000000000000000000000000000000000000000000000000000000000"),
hex!("0000100000000000000000000000000000000000000000000000000000000000"),
hex!("0000200000000000000000000000000000000000000000000000000000000000"),
hex!("0000400000000000000000000000000000000000000000000000000000000000"),
hex!("0000800000000000000000000000000000000000000000000000000000000000"),
hex!("0001000000000000000000000000000000000000000000000000000000000000"),
hex!("0002000000000000000000000000000000000000000000000000000000000000"),
hex!("0004000000000000000000000000000000000000000000000000000000000000"),
hex!("0008000000000000000000000000000000000000000000000000000000000000"),
hex!("0010000000000000000000000000000000000000000000000000000000000000"),
hex!("0020000000000000000000000000000000000000000000000000000000000000"),
hex!("0040000000000000000000000000000000000000000000000000000000000000"),
hex!("0080000000000000000000000000000000000000000000000000000000000000"),
hex!("0100000000000000000000000000000000000000000000000000000000000000"),
hex!("0200000000000000000000000000000000000000000000000000000000000000"),
];

256
vendor/p256/src/test_vectors/group.rs vendored Normal file
View File

@@ -0,0 +1,256 @@
//! Test vectors for the secp256r1 group.
use hex_literal::hex;
/// Repeated addition of the generator.
///
/// These are the first 20 test vectors from <http://point-at-infinity.org/ecc/nisttv>
pub const ADD_TEST_VECTORS: &[([u8; 32], [u8; 32])] = &[
(
hex!("6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"),
hex!("4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5"),
),
(
hex!("7CF27B188D034F7E8A52380304B51AC3C08969E277F21B35A60B48FC47669978"),
hex!("07775510DB8ED040293D9AC69F7430DBBA7DADE63CE982299E04B79D227873D1"),
),
(
hex!("5ECBE4D1A6330A44C8F7EF951D4BF165E6C6B721EFADA985FB41661BC6E7FD6C"),
hex!("8734640C4998FF7E374B06CE1A64A2ECD82AB036384FB83D9A79B127A27D5032"),
),
(
hex!("E2534A3532D08FBBA02DDE659EE62BD0031FE2DB785596EF509302446B030852"),
hex!("E0F1575A4C633CC719DFEE5FDA862D764EFC96C3F30EE0055C42C23F184ED8C6"),
),
(
hex!("51590B7A515140D2D784C85608668FDFEF8C82FD1F5BE52421554A0DC3D033ED"),
hex!("E0C17DA8904A727D8AE1BF36BF8A79260D012F00D4D80888D1D0BB44FDA16DA4"),
),
(
hex!("B01A172A76A4602C92D3242CB897DDE3024C740DEBB215B4C6B0AAE93C2291A9"),
hex!("E85C10743237DAD56FEC0E2DFBA703791C00F7701C7E16BDFD7C48538FC77FE2"),
),
(
hex!("8E533B6FA0BF7B4625BB30667C01FB607EF9F8B8A80FEF5B300628703187B2A3"),
hex!("73EB1DBDE03318366D069F83A6F5900053C73633CB041B21C55E1A86C1F400B4"),
),
(
hex!("62D9779DBEE9B0534042742D3AB54CADC1D238980FCE97DBB4DD9DC1DB6FB393"),
hex!("AD5ACCBD91E9D8244FF15D771167CEE0A2ED51F6BBE76A78DA540A6A0F09957E"),
),
(
hex!("EA68D7B6FEDF0B71878938D51D71F8729E0ACB8C2C6DF8B3D79E8A4B90949EE0"),
hex!("2A2744C972C9FCE787014A964A8EA0C84D714FEAA4DE823FE85A224A4DD048FA"),
),
(
hex!("CEF66D6B2A3A993E591214D1EA223FB545CA6C471C48306E4C36069404C5723F"),
hex!("878662A229AAAE906E123CDD9D3B4C10590DED29FE751EEECA34BBAA44AF0773"),
),
(
hex!("3ED113B7883B4C590638379DB0C21CDA16742ED0255048BF433391D374BC21D1"),
hex!("9099209ACCC4C8A224C843AFA4F4C68A090D04DA5E9889DAE2F8EEFCE82A3740"),
),
(
hex!("741DD5BDA817D95E4626537320E5D55179983028B2F82C99D500C5EE8624E3C4"),
hex!("0770B46A9C385FDC567383554887B1548EEB912C35BA5CA71995FF22CD4481D3"),
),
(
hex!("177C837AE0AC495A61805DF2D85EE2FC792E284B65EAD58A98E15D9D46072C01"),
hex!("63BB58CD4EBEA558A24091ADB40F4E7226EE14C3A1FB4DF39C43BBE2EFC7BFD8"),
),
(
hex!("54E77A001C3862B97A76647F4336DF3CF126ACBE7A069C5E5709277324D2920B"),
hex!("F599F1BB29F4317542121F8C05A2E7C37171EA77735090081BA7C82F60D0B375"),
),
(
hex!("F0454DC6971ABAE7ADFB378999888265AE03AF92DE3A0EF163668C63E59B9D5F"),
hex!("B5B93EE3592E2D1F4E6594E51F9643E62A3B21CE75B5FA3F47E59CDE0D034F36"),
),
(
hex!("76A94D138A6B41858B821C629836315FCD28392EFF6CA038A5EB4787E1277C6E"),
hex!("A985FE61341F260E6CB0A1B5E11E87208599A0040FC78BAA0E9DDD724B8C5110"),
),
(
hex!("47776904C0F1CC3A9C0984B66F75301A5FA68678F0D64AF8BA1ABCE34738A73E"),
hex!("AA005EE6B5B957286231856577648E8381B2804428D5733F32F787FF71F1FCDC"),
),
(
hex!("1057E0AB5780F470DEFC9378D1C7C87437BB4C6F9EA55C63D936266DBD781FDA"),
hex!("F6F1645A15CBE5DC9FA9B7DFD96EE5A7DCC11B5C5EF4F1F78D83B3393C6A45A2"),
),
(
hex!("CB6D2861102C0C25CE39B7C17108C507782C452257884895C1FC7B74AB03ED83"),
hex!("58D7614B24D9EF515C35E7100D6D6CE4A496716E30FA3E03E39150752BCECDAA"),
),
(
hex!("83A01A9378395BAB9BCD6A0AD03CC56D56E6B19250465A94A234DC4C6B28DA9A"),
hex!("76E49B6DE2F73234AE6A5EB9D612B75C9F2202BB6923F54FF8240AAA86F640B8"),
),
];
/// Scalar multiplication with the generator.
///
/// These are the test vectors from <http://point-at-infinity.org/ecc/nisttv> that are not
/// part of [`ADD_TEST_VECTORS`].
pub const MUL_TEST_VECTORS: &[([u8; 32], [u8; 32], [u8; 32])] = &[
(
hex!("000000000000000000000000000000000000000000000000018EBBB95EED0E13"),
hex!("339150844EC15234807FE862A86BE77977DBFB3AE3D96F4C22795513AEAAB82F"),
hex!("B1C14DDFDC8EC1B2583F51E85A5EB3A155840F2034730E9B5ADA38B674336A21"),
),
(
hex!("0000000000000000000000000000000000159D893D4CDD747246CDCA43590E13"),
hex!("1B7E046A076CC25E6D7FA5003F6729F665CC3241B5ADAB12B498CD32F2803264"),
hex!("BFEA79BE2B666B073DB69A2A241ADAB0738FE9D2DD28B5604EB8C8CF097C457B"),
),
(
hex!("41FFC1FFFFFE01FFFC0003FFFE0007C001FFF00003FFF07FFE0007C000000003"),
hex!("9EACE8F4B071E677C5350B02F2BB2B384AAE89D58AA72CA97A170572E0FB222F"),
hex!("1BBDAEC2430B09B93F7CB08678636CE12EAAFD58390699B5FD2F6E1188FC2A78"),
),
(
hex!("7FFFFFC03FFFC003FFFFFC007FFF00000000070000100000000E00FFFFFFF3FF"),
hex!("878F22CC6DB6048D2B767268F22FFAD8E56AB8E2DC615F7BD89F1E350500DD8D"),
hex!("714A5D7BB901C9C5853400D12341A892EF45D87FC553786756C4F0C9391D763E"),
),
(
hex!("0000FFFFF01FFFF8FFFFC00FFFFFFFFFC000000FFFFFC007FFFFFC000FFFE3FF"),
hex!("659A379625AB122F2512B8DADA02C6348D53B54452DFF67AC7ACE4E8856295CA"),
hex!("49D81AB97B648464D0B4A288BD7818FAB41A16426E943527C4FED8736C53D0F6"),
),
(
hex!("4000008000FFFFFC000003F00000FFFFFFFF800003800F8000E0000E000000FF"),
hex!("CBCEAAA8A4DD44BBCE58E8DB7740A5510EC2CB7EA8DA8D8F036B3FB04CDA4DE4"),
hex!("4BD7AA301A80D7F59FD983FEDBE59BB7B2863FE46494935E3745B360E32332FA"),
),
(
hex!("003FFFFFF0001F80000003F80003FFFFC0000000000FFE0000007FF818000F80"),
hex!("F0C4A0576154FF3A33A3460D42EAED806E854DFA37125221D37935124BA462A4"),
hex!("5B392FA964434D29EEC6C9DBC261CF116796864AA2FAADB984A2DF38D1AEF7A3"),
),
(
hex!("000001C000000000001001F803FFFFFF80000000000007FF0000000000000000"),
hex!("5E6C8524B6369530B12C62D31EC53E0288173BD662BDF680B53A41ECBCAD00CC"),
hex!("447FE742C2BFEF4D0DB14B5B83A2682309B5618E0064A94804E9282179FE089F"),
),
(
hex!("7FC0007FFFFFFC0003FFFFFFFFFFFFFE00003FFFFF07FFFFFFFFFFFFC007FFFF"),
hex!("03792E541BC209076A3D7920A915021ECD396A6EB5C3960024BE5575F3223484"),
hex!("FC774AE092403101563B712F68170312304F20C80B40C06282063DB25F268DE4"),
),
(
hex!("7FFFFC03FF807FFFE0001FFFFF800FFF800001FFFF0001FFFFFE001FFFC00000"),
hex!("2379FF85AB693CDF901D6CE6F2473F39C04A2FE3DCD842CE7AAB0E002095BCF8"),
hex!("F8B476530A634589D5129E46F322B02FBC610A703D80875EE70D7CE1877436A1"),
),
(
hex!("00FFFFFFFE03FFFC07FFFC800070000FC0007FFC00000000000FFFE1FBFF81FF"),
hex!("C1E4072C529BF2F44DA769EFC934472848003B3AF2C0F5AA8F8DDBD53E12ED7C"),
hex!("39A6EE77812BB37E8079CD01ED649D3830FCA46F718C1D3993E4A591824ABCDB"),
),
(
hex!("01FFF81FC000000000FF801FFFC0F81F01FFF8001FC005FFFFFF800000FFFFFC"),
hex!("34DFBC09404C21E250A9B40FA8772897AC63A094877DB65862B61BD1507B34F3"),
hex!("CF6F8A876C6F99CEAEC87148F18C7E1E0DA6E165FFC8ED82ABB65955215F77D3"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC63253D"),
hex!("83A01A9378395BAB9BCD6A0AD03CC56D56E6B19250465A94A234DC4C6B28DA9A"),
hex!("891B64911D08CDCC5195A14629ED48A360DDFD4596DC0AB007DBF5557909BF47"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC63253E"),
hex!("CB6D2861102C0C25CE39B7C17108C507782C452257884895C1FC7B74AB03ED83"),
hex!("A7289EB3DB2610AFA3CA18EFF292931B5B698E92CF05C1FC1C6EAF8AD4313255"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC63253F"),
hex!("1057E0AB5780F470DEFC9378D1C7C87437BB4C6F9EA55C63D936266DBD781FDA"),
hex!("090E9BA4EA341A246056482026911A58233EE4A4A10B0E08727C4CC6C395BA5D"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632540"),
hex!("47776904C0F1CC3A9C0984B66F75301A5FA68678F0D64AF8BA1ABCE34738A73E"),
hex!("55FFA1184A46A8D89DCE7A9A889B717C7E4D7FBCD72A8CC0CD0878008E0E0323"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632541"),
hex!("76A94D138A6B41858B821C629836315FCD28392EFF6CA038A5EB4787E1277C6E"),
hex!("567A019DCBE0D9F2934F5E4A1EE178DF7A665FFCF0387455F162228DB473AEEF"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632542"),
hex!("F0454DC6971ABAE7ADFB378999888265AE03AF92DE3A0EF163668C63E59B9D5F"),
hex!("4A46C11BA6D1D2E1B19A6B1AE069BC19D5C4DE328A4A05C0B81A6321F2FCB0C9"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632543"),
hex!("54E77A001C3862B97A76647F4336DF3CF126ACBE7A069C5E5709277324D2920B"),
hex!("0A660E43D60BCE8BBDEDE073FA5D183C8E8E15898CAF6FF7E45837D09F2F4C8A"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632544"),
hex!("177C837AE0AC495A61805DF2D85EE2FC792E284B65EAD58A98E15D9D46072C01"),
hex!("9C44A731B1415AA85DBF6E524BF0B18DD911EB3D5E04B20C63BC441D10384027"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632545"),
hex!("741DD5BDA817D95E4626537320E5D55179983028B2F82C99D500C5EE8624E3C4"),
hex!("F88F4B9463C7A024A98C7CAAB7784EAB71146ED4CA45A358E66A00DD32BB7E2C"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632546"),
hex!("3ED113B7883B4C590638379DB0C21CDA16742ED0255048BF433391D374BC21D1"),
hex!("6F66DF64333B375EDB37BC505B0B3975F6F2FB26A16776251D07110317D5C8BF"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632547"),
hex!("CEF66D6B2A3A993E591214D1EA223FB545CA6C471C48306E4C36069404C5723F"),
hex!("78799D5CD655517091EDC32262C4B3EFA6F212D7018AE11135CB4455BB50F88C"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632548"),
hex!("EA68D7B6FEDF0B71878938D51D71F8729E0ACB8C2C6DF8B3D79E8A4B90949EE0"),
hex!("D5D8BB358D36031978FEB569B5715F37B28EB0165B217DC017A5DDB5B22FB705"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632549"),
hex!("62D9779DBEE9B0534042742D3AB54CADC1D238980FCE97DBB4DD9DC1DB6FB393"),
hex!("52A533416E1627DCB00EA288EE98311F5D12AE0A4418958725ABF595F0F66A81"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC63254A"),
hex!("8E533B6FA0BF7B4625BB30667C01FB607EF9F8B8A80FEF5B300628703187B2A3"),
hex!("8C14E2411FCCE7CA92F9607C590A6FFFAC38C9CD34FBE4DE3AA1E5793E0BFF4B"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC63254B"),
hex!("B01A172A76A4602C92D3242CB897DDE3024C740DEBB215B4C6B0AAE93C2291A9"),
hex!("17A3EF8ACDC8252B9013F1D20458FC86E3FF0890E381E9420283B7AC7038801D"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC63254C"),
hex!("51590B7A515140D2D784C85608668FDFEF8C82FD1F5BE52421554A0DC3D033ED"),
hex!("1F3E82566FB58D83751E40C9407586D9F2FED1002B27F7772E2F44BB025E925B"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC63254D"),
hex!("E2534A3532D08FBBA02DDE659EE62BD0031FE2DB785596EF509302446B030852"),
hex!("1F0EA8A4B39CC339E62011A02579D289B103693D0CF11FFAA3BD3DC0E7B12739"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC63254E"),
hex!("5ECBE4D1A6330A44C8F7EF951D4BF165E6C6B721EFADA985FB41661BC6E7FD6C"),
hex!("78CB9BF2B6670082C8B4F931E59B5D1327D54FCAC7B047C265864ED85D82AFCD"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC63254F"),
hex!("7CF27B188D034F7E8A52380304B51AC3C08969E277F21B35A60B48FC47669978"),
hex!("F888AAEE24712FC0D6C26539608BCF244582521AC3167DD661FB4862DD878C2E"),
),
(
hex!("FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632550"),
hex!("6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"),
hex!("B01CBD1C01E58065711814B583F061E9D431CCA994CEA1313449BF97C840AE0A"),
),
];

BIN
vendor/p256/target/package/p256-0.13.2.crate vendored Normal file
View File

Binary file not shown.

0
vendor/p256/target/package/tmp-registry/.cargo-lock vendored Normal file
View File

1
vendor/p256/target/package/tmp-registry/index/p2/56/p256 vendored Normal file
View File

@@ -0,0 +1 @@
{"name":"p256","vers":"0.13.2","deps":[{"name":"ecdsa-core","req":"^0.16","features":["der"],"optional":true,"default_features":false,"target":null,"kind":"normal","registry":"https://github.com/rust-lang/crates.io-index","package":"ecdsa","public":null,"artifact":null,"bindep_target":null,"lib":false},{"name":"elliptic-curve","req":"^0.13.1","features":["hazmat","sec1"],"optional":false,"default_features":false,"target":null,"kind":"normal","registry":"https://github.com/rust-lang/crates.io-index","package":null,"public":null,"artifact":null,"bindep_target":null,"lib":false},{"name":"hex-literal","req":"^0.4","features":[],"optional":true,"default_features":true,"target":null,"kind":"normal","registry":"https://github.com/rust-lang/crates.io-index","package":null,"public":null,"artifact":null,"bindep_target":null,"lib":false},{"name":"primeorder","req":"^0.13","features":[],"optional":true,"default_features":true,"target":null,"kind":"normal","registry":"https://github.com/rust-lang/crates.io-index","package":null,"public":null,"artifact":null,"bindep_target":null,"lib":false},{"name":"serdect","req":"^0.2","features":[],"optional":true,"default_features":false,"target":null,"kind":"normal","registry":"https://github.com/rust-lang/crates.io-index","package":null,"public":null,"artifact":null,"bindep_target":null,"lib":false},{"name":"sha2","req":"^0.10","features":[],"optional":true,"default_features":false,"target":null,"kind":"normal","registry":"https://github.com/rust-lang/crates.io-index","package":null,"public":null,"artifact":null,"bindep_target":null,"lib":false},{"name":"blobby","req":"^0.3","features":[],"optional":false,"default_features":true,"target":null,"kind":"dev","registry":"https://github.com/rust-lang/crates.io-index","package":null,"public":null,"artifact":null,"bindep_target":null,"lib":false},{"name":"criterion","req":"^0.4","features":[],"optional":false,"default_features":true,"target":null,"kind":"dev","registry":"https://github.com/rust-lang/crates.io-index","package":null,"public":null,"artifact":null,"bindep_target":null,"lib":false},{"name":"ecdsa-core","req":"^0.16","features":["dev"],"optional":false,"default_features":false,"target":null,"kind":"dev","registry":"https://github.com/rust-lang/crates.io-index","package":"ecdsa","public":null,"artifact":null,"bindep_target":null,"lib":false},{"name":"hex-literal","req":"^0.4","features":[],"optional":false,"default_features":true,"target":null,"kind":"dev","registry":"https://github.com/rust-lang/crates.io-index","package":null,"public":null,"artifact":null,"bindep_target":null,"lib":false},{"name":"primeorder","req":"^0.13","features":["dev"],"optional":false,"default_features":true,"target":null,"kind":"dev","registry":"https://github.com/rust-lang/crates.io-index","package":null,"public":null,"artifact":null,"bindep_target":null,"lib":false},{"name":"proptest","req":"^1","features":[],"optional":false,"default_features":true,"target":null,"kind":"dev","registry":"https://github.com/rust-lang/crates.io-index","package":null,"public":null,"artifact":null,"bindep_target":null,"lib":false},{"name":"rand_core","req":"^0.6","features":["getrandom"],"optional":false,"default_features":true,"target":null,"kind":"dev","registry":"https://github.com/rust-lang/crates.io-index","package":null,"public":null,"artifact":null,"bindep_target":null,"lib":false}],"features":{"alloc":["ecdsa-core?/alloc","elliptic-curve/alloc"],"arithmetic":["dep:primeorder","elliptic-curve/arithmetic"],"bits":["arithmetic","elliptic-curve/bits"],"default":["arithmetic","ecdsa","pem","std"],"digest":["ecdsa-core/digest","ecdsa-core/hazmat"],"ecdh":["arithmetic","elliptic-curve/ecdh"],"ecdsa":["arithmetic","ecdsa-core/signing","ecdsa-core/verifying","sha256"],"expose-field":["arithmetic"],"hash2curve":["arithmetic","elliptic-curve/hash2curve"],"jwk":["elliptic-curve/jwk"],"pem":["elliptic-curve/pem","ecdsa-core/pem","pkcs8"],"pkcs8":["ecdsa-core?/pkcs8","elliptic-curve/pkcs8"],"serde":["ecdsa-core?/serde","elliptic-curve/serde","primeorder?/serde","serdect"],"sha256":["digest","sha2"],"std":["alloc","ecdsa-core?/std","elliptic-curve/std"],"test-vectors":["dep:hex-literal"],"voprf":["elliptic-curve/voprf","sha2"]},"features2":null,"cksum":"7cb5e130d1fde95761c5569cfb4eeaa2d5668cba30fa8edddd5cae3f713f5607","yanked":null,"links":null,"rust_version":null,"v":2}

BIN
vendor/p256/target/package/tmp-registry/p256-0.13.2.crate vendored Normal file
View File

Binary file not shown.

136
vendor/p256/tests/affine.rs vendored Normal file
View File

@@ -0,0 +1,136 @@
//! Affine arithmetic tests.
#![cfg(all(feature = "arithmetic"))]
use elliptic_curve::{
group::{prime::PrimeCurveAffine, GroupEncoding},
sec1::{FromEncodedPoint, ToCompactEncodedPoint, ToEncodedPoint},
};
use hex_literal::hex;
use p256::{AffinePoint, EncodedPoint};
const UNCOMPRESSED_BASEPOINT: &[u8] = &hex!(
"04 6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5"
);
const COMPRESSED_BASEPOINT: &[u8] =
&hex!("03 6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296");
// Tag compact with 05 as the first byte, to trigger tag based compaction
const COMPACT_BASEPOINT: &[u8] =
&hex!("05 8e38fc4ffe677662dde8e1a63fbcd45959d2a4c3004d27e98c4fedf2d0c14c01");
// Tag uncompact basepoint with 04 as the first byte as it is uncompressed
const UNCOMPACT_BASEPOINT: &[u8] = &hex!(
"04 8e38fc4ffe677662dde8e1a63fbcd45959d2a4c3004d27e98c4fedf2d0c14c0
13ca9d8667de0c07aa71d98b3c8065d2e97ab7bb9cb8776bcc0577a7ac58acd4e"
);
#[test]
fn uncompressed_round_trip() {
let pubkey = EncodedPoint::from_bytes(UNCOMPRESSED_BASEPOINT).unwrap();
let point = AffinePoint::from_encoded_point(&pubkey).unwrap();
assert_eq!(point, AffinePoint::generator());
let res: EncodedPoint = point.into();
assert_eq!(res, pubkey);
}
#[test]
fn compressed_round_trip() {
let pubkey = EncodedPoint::from_bytes(COMPRESSED_BASEPOINT).unwrap();
let point = AffinePoint::from_encoded_point(&pubkey).unwrap();
assert_eq!(point, AffinePoint::generator());
let res: EncodedPoint = point.to_encoded_point(true);
assert_eq!(res, pubkey);
}
#[test]
fn uncompressed_to_compressed() {
let encoded = EncodedPoint::from_bytes(UNCOMPRESSED_BASEPOINT).unwrap();
let res = AffinePoint::from_encoded_point(&encoded)
.unwrap()
.to_encoded_point(true);
assert_eq!(res.as_bytes(), COMPRESSED_BASEPOINT);
}
#[test]
fn compressed_to_uncompressed() {
let encoded = EncodedPoint::from_bytes(COMPRESSED_BASEPOINT).unwrap();
let res = AffinePoint::from_encoded_point(&encoded)
.unwrap()
.to_encoded_point(false);
assert_eq!(res.as_bytes(), UNCOMPRESSED_BASEPOINT);
}
#[test]
fn affine_negation() {
let basepoint = AffinePoint::generator();
assert_eq!(-(-basepoint), basepoint);
}
#[test]
fn compact_round_trip() {
let pubkey = EncodedPoint::from_bytes(COMPACT_BASEPOINT).unwrap();
assert!(pubkey.is_compact());
let point = AffinePoint::from_encoded_point(&pubkey).unwrap();
let res = point.to_compact_encoded_point().unwrap();
assert_eq!(res, pubkey)
}
#[test]
fn uncompact_to_compact() {
let pubkey = EncodedPoint::from_bytes(UNCOMPACT_BASEPOINT).unwrap();
assert_eq!(false, pubkey.is_compact());
let point = AffinePoint::from_encoded_point(&pubkey).unwrap();
let res = point.to_compact_encoded_point().unwrap();
assert_eq!(res.as_bytes(), COMPACT_BASEPOINT)
}
#[test]
fn compact_to_uncompact() {
let pubkey = EncodedPoint::from_bytes(COMPACT_BASEPOINT).unwrap();
assert!(pubkey.is_compact());
let point = AffinePoint::from_encoded_point(&pubkey).unwrap();
// Do not do compact encoding as we want to keep uncompressed point
let res = point.to_encoded_point(false);
assert_eq!(res.as_bytes(), UNCOMPACT_BASEPOINT);
}
#[test]
fn identity_encoding() {
// This is technically an invalid SEC1 encoding, but is preferable to panicking.
assert_eq!([0; 33], AffinePoint::IDENTITY.to_bytes().as_slice());
assert!(bool::from(
AffinePoint::from_bytes(&AffinePoint::IDENTITY.to_bytes())
.unwrap()
.is_identity()
))
}
#[test]
fn noncompatible_is_none() {
use elliptic_curve::generic_array::GenericArray;
let noncompactable_secret = GenericArray::from([
175, 232, 180, 255, 91, 106, 124, 191, 224, 31, 177, 208, 236, 127, 191, 169, 201, 217, 75,
141, 184, 175, 120, 85, 171, 8, 54, 57, 33, 177, 83, 211,
]);
let public_key = p256::SecretKey::from_bytes(&noncompactable_secret)
.unwrap()
.public_key();
let is_compactable = public_key
.as_affine()
.to_compact_encoded_point()
.is_some()
.unwrap_u8();
assert_eq!(is_compactable, 0);
}

26
vendor/p256/tests/ecdsa.rs vendored Normal file
View File

@@ -0,0 +1,26 @@
//! ECDSA tests.
#![cfg(feature = "arithmetic")]
use elliptic_curve::ops::Reduce;
use p256::{
ecdsa::{SigningKey, VerifyingKey},
NonZeroScalar, U256,
};
use proptest::prelude::*;
prop_compose! {
fn signing_key()(bytes in any::<[u8; 32]>()) -> SigningKey {
<NonZeroScalar as Reduce<U256>>::reduce_bytes(&bytes.into()).into()
}
}
proptest! {
#[test]
fn recover_from_msg(sk in signing_key()) {
let msg = b"example";
let (signature, v) = sk.sign_recoverable(msg).unwrap();
let recovered_vk = VerifyingKey::recover_from_msg(msg, &signature, v).unwrap();
prop_assert_eq!(sk.verifying_key(), &recovered_vk);
}
}

BIN
vendor/p256/tests/examples/pkcs8-private-key.der vendored Normal file
View File

Binary file not shown.

5
vendor/p256/tests/examples/pkcs8-private-key.pem vendored Normal file
View File

@@ -0,0 +1,5 @@
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgaWJBcVYaYzQN4OfY
afKgVJJVjhoEhotqn4VKhmeIGI2hRANCAAQcrP+1Xy8s79idies3SyaBFSRSgC3u
oJkWBoE32DnPf8SBpESSME1+9mrBF77+g6jQjxVfK1L59hjdRHApBI4P
-----END PRIVATE KEY-----

BIN
vendor/p256/tests/examples/pkcs8-public-key.der vendored Normal file
View File

Binary file not shown.

4
vendor/p256/tests/examples/pkcs8-public-key.pem vendored Normal file
View File

@@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHKz/tV8vLO/YnYnrN0smgRUkUoAt
7qCZFgaBN9g5z3/EgaREkjBNfvZqwRe+/oOo0I8VXytS+fYY3URwKQSODw==
-----END PUBLIC KEY-----

99
vendor/p256/tests/pkcs8.rs vendored Normal file
View File

@@ -0,0 +1,99 @@
//! PKCS#8 tests
#![cfg(feature = "pkcs8")]
use hex_literal::hex;
use p256::{
elliptic_curve::sec1::ToEncodedPoint,
pkcs8::{DecodePrivateKey, DecodePublicKey},
};
#[cfg(feature = "pem")]
use p256::elliptic_curve::pkcs8::{EncodePrivateKey, EncodePublicKey};
/// DER-encoded PKCS#8 private key
const PKCS8_PRIVATE_KEY_DER: &[u8; 138] = include_bytes!("examples/pkcs8-private-key.der");
/// DER-encoded PKCS#8 public key
const PKCS8_PUBLIC_KEY_DER: &[u8; 91] = include_bytes!("examples/pkcs8-public-key.der");
/// PEM-encoded PKCS#8 private key
#[cfg(feature = "pem")]
const PKCS8_PRIVATE_KEY_PEM: &str = include_str!("examples/pkcs8-private-key.pem");
/// PEM-encoded PKCS#8 public key
#[cfg(feature = "pem")]
const PKCS8_PUBLIC_KEY_PEM: &str = include_str!("examples/pkcs8-public-key.pem");
#[test]
fn decode_pkcs8_private_key_from_der() {
let secret_key = p256::SecretKey::from_pkcs8_der(&PKCS8_PRIVATE_KEY_DER[..]).unwrap();
let expected_scalar = hex!("69624171561A63340DE0E7D869F2A05492558E1A04868B6A9F854A866788188D");
assert_eq!(secret_key.to_bytes().as_slice(), &expected_scalar[..]);
}
#[test]
fn decode_pkcs8_public_key_from_der() {
let public_key = p256::PublicKey::from_public_key_der(&PKCS8_PUBLIC_KEY_DER[..]).unwrap();
let expected_sec1_point = hex!("041CACFFB55F2F2CEFD89D89EB374B2681152452802DEEA09916068137D839CF7FC481A44492304D7EF66AC117BEFE83A8D08F155F2B52F9F618DD447029048E0F");
assert_eq!(
public_key.to_encoded_point(false).as_bytes(),
&expected_sec1_point[..]
);
}
#[test]
#[cfg(feature = "pem")]
fn decode_pkcs8_private_key_from_pem() {
let secret_key = PKCS8_PRIVATE_KEY_PEM.parse::<p256::SecretKey>().unwrap();
// Ensure key parses equivalently to DER
let der_key = p256::SecretKey::from_pkcs8_der(&PKCS8_PRIVATE_KEY_DER[..]).unwrap();
assert_eq!(secret_key.to_bytes(), der_key.to_bytes());
}
#[test]
#[cfg(feature = "pem")]
fn decode_pkcs8_public_key_from_pem() {
let public_key = PKCS8_PUBLIC_KEY_PEM.parse::<p256::PublicKey>().unwrap();
// Ensure key parses equivalently to DER
let der_key = p256::PublicKey::from_public_key_der(&PKCS8_PUBLIC_KEY_DER[..]).unwrap();
assert_eq!(public_key, der_key);
}
#[test]
#[cfg(feature = "pem")]
fn encode_pkcs8_private_key_to_der() {
let original_secret_key = p256::SecretKey::from_pkcs8_der(&PKCS8_PRIVATE_KEY_DER[..]).unwrap();
let reencoded_secret_key = original_secret_key.to_pkcs8_der().unwrap();
assert_eq!(reencoded_secret_key.as_bytes(), &PKCS8_PRIVATE_KEY_DER[..]);
}
#[test]
#[cfg(feature = "pem")]
fn encode_pkcs8_public_key_to_der() {
let original_public_key =
p256::PublicKey::from_public_key_der(&PKCS8_PUBLIC_KEY_DER[..]).unwrap();
let reencoded_public_key = original_public_key.to_public_key_der().unwrap();
assert_eq!(reencoded_public_key.as_ref(), &PKCS8_PUBLIC_KEY_DER[..]);
}
#[test]
#[cfg(feature = "pem")]
fn encode_pkcs8_private_key_to_pem() {
let original_secret_key = p256::SecretKey::from_pkcs8_der(&PKCS8_PRIVATE_KEY_DER[..]).unwrap();
let reencoded_secret_key = original_secret_key
.to_pkcs8_pem(Default::default())
.unwrap();
assert_eq!(reencoded_secret_key.as_str(), PKCS8_PRIVATE_KEY_PEM);
}
#[test]
#[cfg(feature = "pem")]
fn encode_pkcs8_public_key_to_pem() {
let original_public_key =
p256::PublicKey::from_public_key_der(&PKCS8_PUBLIC_KEY_DER[..]).unwrap();
let reencoded_public_key = original_public_key.to_string();
assert_eq!(reencoded_public_key.as_str(), PKCS8_PUBLIC_KEY_PEM);
}

27
vendor/p256/tests/projective.rs vendored Normal file
View File

@@ -0,0 +1,27 @@
//! Projective arithmetic tests.
#![cfg(all(feature = "arithmetic", feature = "test-vectors"))]
use elliptic_curve::{
group::{ff::PrimeField, GroupEncoding},
sec1::{self, ToEncodedPoint},
};
use p256::{
test_vectors::group::{ADD_TEST_VECTORS, MUL_TEST_VECTORS},
AffinePoint, ProjectivePoint, Scalar,
};
use primeorder::{impl_projective_arithmetic_tests, Double};
impl_projective_arithmetic_tests!(
AffinePoint,
ProjectivePoint,
Scalar,
ADD_TEST_VECTORS,
MUL_TEST_VECTORS
);
#[test]
fn projective_identity_to_bytes() {
// This is technically an invalid SEC1 encoding, but is preferable to panicking.
assert_eq!([0; 33], ProjectivePoint::IDENTITY.to_bytes().as_slice());
}

22
vendor/p256/tests/scalar.rs vendored Normal file
View File

@@ -0,0 +1,22 @@
//! Scalar arithmetic tests.
#![cfg(feature = "arithmetic")]
use elliptic_curve::ops::{Invert, Reduce};
use p256::{Scalar, U256};
use proptest::prelude::*;
prop_compose! {
fn scalar()(bytes in any::<[u8; 32]>()) -> Scalar {
<Scalar as Reduce<U256>>::reduce_bytes(&bytes.into())
}
}
proptest! {
#[test]
fn invert_and_invert_vartime_are_equivalent(w in scalar()) {
let inv: Option<Scalar> = w.invert().into();
let inv_vartime: Option<Scalar> = w.invert_vartime().into();
prop_assert_eq!(inv, inv_vartime);
}
}