new manual page BN_GF2m_add(3)

concerning arithmetic in Galois fields of power-of-2 order
author: schwarze <> 2022-11-18 01:21:40 +0000
committer: schwarze <> 2022-11-18 01:21:40 +0000
commit: 3244e3d0912b7dadf1bf04a3f571bd072f22ac5e (patch)
tree: 85c46ead5e509b64e8b1743d62c7d0dfc85b3eec /src
parent: d440d72b21e530c551ae61a06e5167defa7b08f9 (diff)
download: openbsd-3244e3d0912b7dadf1bf04a3f571bd072f22ac5e.tar.gz
openbsd-3244e3d0912b7dadf1bf04a3f571bd072f22ac5e.tar.bz2
openbsd-3244e3d0912b7dadf1bf04a3f571bd072f22ac5e.zip
3 files changed, 527 insertions, 3 deletions
diff --git a/src/lib/libcrypto/man/BN_GF2m_add.3 b/src/lib/libcrypto/man/BN_GF2m_add.3
new file mode 100644
index 0000000000..0442f7b6f4
--- /dev/null
+++ b/src/lib/libcrypto/man/BN_GF2m_add.3
@@ -0,0 +1,522 @@
+.\" $OpenBSD: BN_GF2m_add.3,v 1.1 2022/11/18 01:21:40 schwarze Exp $
+.\"
+.\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\"
+.Dd $Mdocdate: November 18 2022 $
+.Dt BN_GF2M_ADD 3
+.Os
+.Sh NAME
+.Nm BN_GF2m_add ,
+.Nm BN_GF2m_sub ,
+.Nm BN_GF2m_cmp ,
+.Nm BN_GF2m_mod_arr ,
+.Nm BN_GF2m_mod ,
+.Nm BN_GF2m_mod_mul_arr ,
+.Nm BN_GF2m_mod_mul ,
+.Nm BN_GF2m_mod_sqr_arr ,
+.Nm BN_GF2m_mod_sqr ,
+.Nm BN_GF2m_mod_inv ,
+.Nm BN_GF2m_mod_inv_arr ,
+.Nm BN_GF2m_mod_div ,
+.Nm BN_GF2m_mod_div_arr ,
+.Nm BN_GF2m_mod_exp_arr ,
+.Nm BN_GF2m_mod_exp ,
+.Nm BN_GF2m_mod_sqrt_arr ,
+.Nm BN_GF2m_mod_sqrt ,
+.Nm BN_GF2m_mod_solve_quad_arr ,
+.Nm BN_GF2m_mod_solve_quad ,
+.Nm BN_GF2m_poly2arr ,
+.Nm BN_GF2m_arr2poly
+.Nd arithmetic in Galois fields of power-of-2 order
+.Sh SYNOPSIS
+.In openssl/bn.h
+.Ft int
+.Fo BN_GF2m_add
+.Fa "BIGNUM *r"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *b"
+.Fc
+.Ft int
+.Fo BN_GF2m_sub
+.Fa "BIGNUM *r"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *b"
+.Fc
+.Ft int
+.Fo BN_GF2m_cmp
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *b"
+.Fc
+.Ft int
+.Fo BN_GF2m_mod_arr
+.Fa "BIGNUM *r"
+.Fa "const BIGNUM *a"
+.Fa "const int p[]"
+.Fc
+.Ft int
+.Fo BN_GF2m_mod
+.Fa "BIGNUM *r"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *p"
+.Fc
+.Ft int
+.Fo BN_GF2m_mod_mul_arr
+.Fa "BIGNUM *r"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *b"
+.Fa "const int p[]"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo BN_GF2m_mod_mul
+.Fa "BIGNUM *r"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *b"
+.Fa "const BIGNUM *p"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo BN_GF2m_mod_sqr_arr
+.Fa "BIGNUM *r"
+.Fa "const BIGNUM *a"
+.Fa "const int p[]"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo BN_GF2m_mod_sqr
+.Fa "BIGNUM *r"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *p"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo BN_GF2m_mod_inv
+.Fa "BIGNUM *r"
+.Fa "const BIGNUM *b"
+.Fa "const BIGNUM *p"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo BN_GF2m_mod_inv_arr
+.Fa "BIGNUM *r"
+.Fa "const BIGNUM *b"
+.Fa "const int p[]"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo BN_GF2m_mod_div
+.Fa "BIGNUM *r"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *b"
+.Fa "const BIGNUM *p"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo BN_GF2m_mod_div_arr
+.Fa "BIGNUM *r"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *b"
+.Fa "const int p[]"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo BN_GF2m_mod_exp_arr
+.Fa "BIGNUM *r"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *exponent"
+.Fa "const int p[]"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo BN_GF2m_mod_exp
+.Fa "BIGNUM *r"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *exponent"
+.Fa "const BIGNUM *p"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo BN_GF2m_mod_sqrt_arr
+.Fa "BIGNUM *r"
+.Fa "const BIGNUM *a"
+.Fa "const int p[]"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo BN_GF2m_mod_sqrt
+.Fa "BIGNUM *r"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *p"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo BN_GF2m_mod_solve_quad_arr
+.Fa "BIGNUM *r"
+.Fa "const BIGNUM *a"
+.Fa "const int p[]"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo BN_GF2m_mod_solve_quad
+.Fa "BIGNUM *r"
+.Fa "const BIGNUM *a"
+.Fa "const BIGNUM *p"
+.Fa "BN_CTX *ctx"
+.Fc
+.Ft int
+.Fo BN_GF2m_poly2arr
+.Fa "const BIGNUM *poly_in"
+.Fa "int arr_out[]"
+.Fa "int arr_size"
+.Fc
+.Ft int
+.Fo BN_GF2m_arr2poly
+.Fa "const int arr_in[]"
+.Fa "BIGNUM *poly_out"
+.Fc
+.Sh DESCRIPTION
+Two fields containing the same, finite number of elements are isomorphic,
+and the number of elements is called their order.
+The unique field of a given finite order is called the Galois field
+of that order.
+.EQ
+delim $$
+.EN
+The following functions perform arithmetic operations
+on $roman GF left ( 2 sup m right )$, the Galois fields of order $2 sup m$,
+where $m$ is a natural number.
+.Pp
+The $2 sup m$ elements of $roman GF left ( 2 sup m right )$
+are usually represented by the $2 sup m$ polynominals
+of a degrees less than $m$ with binary coefficients.
+Such a polynominal can either be specified by storing the coefficients
+in a
+.Vt BIGNUM
+object, using the $m$ lowest bits with bit numbers corresponding to degrees,
+or by storing the degrees that have
+coefficients of 1 in an integer array of at most $m + 1$ elements.
+For the functions below, the array needs to be sorted in decreasing
+order and terminated by the delimiter element \-1.
+.Pp
+A specific representation of $roman GF left ( 2 sup m right )$
+is selected by choosing a polynominal of degree $m$ that is irreducible
+with binary coefficients, called the reducing polynominal.
+Making sure that $p$ is of the correct degree and indeed irreducible
+is the responsibility of the user.
+Typically, the following functions silently produce nonsensical results
+when given a
+.Fa p
+argument that is of the wrong degree or that is reducible.
+Storing the reducing polynominal requires $m + 1$ bits in a
+.Vt BIGNUM
+object or an
+.Vt int
+array of up to $m + 2$ elements, including the terminating \-1 element.
+.Pp
+All functions produce correct results even if some or all of the arguments
+.Fa r ,
+.Fa a ,
+and
+.Fa b
+point to the same object.
+.Pp
+.Fn BN_GF2m_add
+adds the two polynominals
+.Fa a
+and
+.Fa b
+with binary coefficients, which is equivalent to a pairwise exclusive OR
+operation on the coefficients, and places the result into
+.Fa r .
+In particular, if
+.Fa a
+and
+.Fa b
+are elements of the same representation
+of the same $roman GF left ( 2 sup m right )$ group,
+the sum of both in that representation of that group is computed
+.Po
+$r = a + b$
+.Pc .
+In contrast to most of the other functions described here, no modulo
+operation is performed.
+Consequently, if the degree of at least one of the arguments may be larger
+than or equal to $m$, a follow-up call to
+.Fn BN_GF2m_mod_arr
+or
+.Fn BN_GF2m_mod
+may occasionally be useful.
+.Pp
+.Fn BN_GF2m_sub
+calculates the difference of
+.Fa a
+and
+.Fa b
+.Po
+$r = a - b = a + b$
+.Pc .
+Since \-1 is the same as 1 in binary arithmethic,
+.Fn BN_GF2m_sub
+does exactly the same as
+.Fn BN_GF2m_add .
+It is implemented as a macro.
+.Pp
+.Fn BN_GF2m_cmp
+is an alias for
+.Xr BN_ucmp 3 .
+Despite its name, it does not attempt to find out whether the two
+polynominals belong to the same congruence class with respect to some
+Galois group.
+.Pp
+.Fn BN_GF2m_mod_arr
+and its wrapper
+.Fn BN_GF2m_mod
+divide the polynominal with binary coefficients
+.Fa a
+by the polynominal with binary coefficients
+.Fa p
+and place the remainder into
+.Fa r
+.Po
+$r = a ( roman mod p )$
+.Pc .
+If
+.Fa r
+and
+.Fa a
+point to the same object, the modular reduction is done in place.
+.Pp
+.Fn BN_GF2m_mod_mul_arr
+and its wrapper
+.Fn BN_GF2m_mod_mul
+multiply
+.Fa a
+and
+.Fa b ,
+divide the result by
+.Fa p ,
+and place the remainder in
+.Fa r
+.Po
+$r = a * b ( roman mod p )$
+.Pc .
+.Pp
+.Fn BN_GF2m_mod_sqr_arr
+and its wrapper
+.Fn BN_GF2m_mod_sqr
+divide the square of
+.Fa a
+by
+.Fa p
+and place the remainder in
+.Fa r
+.Po
+$r = a * a ( roman mod p )$
+.Pc .
+.Pp
+.Fn BN_GF2m_mod_inv
+and its wrapper
+.Fn BN_GF2m_mod_inv_arr
+reduce
+.Fa b
+modulo
+.Fa p ,
+find the multiplicative inverse element
+in $roman GF left ( 2 sup m right )$ using the reducing polynominal $p$,
+and place the result into
+.Fa r
+.Po
+$r = 1 / b ( roman mod p )$
+.Pc .
+.Pp
+.Fn BN_GF2m_mod_div
+and its wrapper
+.Fn BN_GF2m_mod_div_arr
+reduce
+.Fa a
+and
+.Fa b
+modulo
+.Fa p ,
+compute their quotient
+in $roman GF left ( 2 sup m right )$ using the reducing polynominal $p$,
+and place the result into
+.Fa r
+.Po
+$r = a / b ( roman mod p )$
+.Pc .
+.Pp
+.Fn BN_GF2m_mod_exp_arr
+and its wrapper
+.Fn BN_GF2m_mod_exp
+reduce
+.Fa a
+modulo
+.Fa p ,
+raise it to the power of
+.Fa exponent
+in $roman GF left ( 2 sup m right )$ using the reducing polynominal $p$,
+and place the result into
+.Fa r
+.Po
+$r = a sup exponent ( roman mod p )$
+.Pc .
+.Pp
+.Fn BN_GF2m_mod_sqrt_arr
+and its wrapper
+.Fn BN_GF2m_mod_sqrt
+reduce
+.Fa a
+modulo
+.Fa p ,
+calculate the square root
+in $roman GF left ( 2 sup m right )$ using the reducing polynominal $p$
+by raising it to the power of $2 sup { m - 1 }$,
+and place the result into
+.Fa r
+.Po
+$r = sqrt a ( roman mod p )$
+.Pc .
+This works because of the identity $a sup {2 sup m} = a$
+which holds for all group elements $a$.
+.Pp
+.Fn BN_GF2m_mod_solve_quad_arr
+and its wrapper
+.Fn BN_GF2m_mod_solve_quad
+reduce
+.Fa a
+modulo
+.Fa p ,
+solve the quadratic equation $r sup 2 + r = a ( roman mod p )$
+in $roman GF left ( 2 sup m right )$ using the reducing polynominal $p$,
+and place the solution into
+.Fa r .
+.Pp
+.Fn BN_GF2m_poly2arr
+converts a polynominal from a bit string stored in the
+.Vt BIGNUM
+object
+.Fa poly_in
+to an array containing the degrees of the non-zero terms.
+It is the responsibility of the caller to provide an array
+.Fa arr_out
+of sufficient size and to provide the number of elements
+that can be stored in the array as the
+.Fa arr_size
+argument.
+The array is filled with the degrees in decreasing order,
+followed by an element with the value \-1.
+.Pp
+.Fn BN_GF2m_arr2poly
+converts a polynominal from the array
+.Fa arr_in
+containing degrees to a bit string placed in the
+.Vt BIGNUM
+object
+.Ft poly_out .
+It is the responsibility of the caller to provide the storage for
+.Fa poly_out
+and to make sure that
+.Fa arr_in
+is terminated with a \-1 element.
+.Sh RETURN VALUES
+.Fn BN_GF2m_cmp
+interprets
+.Fa a
+and
+.Fa b
+as integer numbers and returns
+\-1 if $left | a right | < left | b right |$,
+0 if $left | a right | = left | b right |$,
+or 1 if $left | a right | > left | b right |$.
+.Pp
+.Fn BN_GF2m_poly2arr
+returns:
+.Bl -bullet -compact -offset 2n -width 1n
+.It
+0 if
+.Fa poly_in
+has the value 0;
+.It
+a number in the range from 2 to
+.Fa arr_size ,
+inclusive, in case of success, specifying the number of elements
+that have been stored into the array;
+.It
+a number greater than
+.Fa arr_size
+if the function failed because the array was too small,
+specifying the array size that would have been needed.
+.El
+.Pp
+The other functions return 1 for success or 0 for failure.
+.Sh ERRORS
+After some cases of failure, the following diagnostics can be retrieved with
+.Xr ERR_get_error 3 ,
+.Xr ERR_GET_REASON 3 ,
+and
+.Xr ERR_reason_error_string 3 :
+.Bl -tag -width Ds
+.It Dv BN_R_NO_SOLUTION Qq "no solution"
+No solution exists for the equation that
+.Fn BN_GF2m_mod_solve_quad_arr
+or
+.Fn BN_GF2m_mod_solve_quad
+attempted to solve.
+.It Dv BN_R_INVALID_LENGTH Qq "invalid length"
+In one of the functions wrapping an
+.Fn *_arr
+variant, the
+.Fa "BIGNUM *p"
+argument had a value of zero, or in
+.Fn BN_GF2m_mod ,
+it contained more than five non-zero coefficients.
+.El
+.Sh SEE ALSO
+.Xr BN_add 3 ,
+.Xr BN_CTX_new 3 ,
+.Xr BN_new 3 ,
+.Xr BN_set_bit 3 ,
+.Xr EC_POINT_new 3
+.Rs
+.%A Darrel Hankerson
+.%A Julio L\('opez Hernandez
+.%A Alfred Menezes
+.%T Software Implementation of Elliptic Curve Cryptography over Binary Fields
+.%B CHES 2000: International Workshop on Cryptographic Hardware\
+ and Embedded Systems
+.%U https://doi.org/10.1007/3-540-44499-8_1
+.%C Worcester, MA, USA
+.%D August 2000
+.%I Springer
+.%J Lecture Notes in Computer Science
+.%V vol 1965
+.%O Algorithm 10: Modified Almost Inverse Algorithm for inversion in FP(2\(ham)
+.Re
+.Rs
+.%V IEEE Standard 1363
+.%B Specifications for Public-Key Cryptography
+.%D August 29, 2000
+.%U https://doi.org/10.1109/IEEESTD.2000.92292
+.%O square-and-multiply algorithm A.5.1 for exponentiation,\
+ exponentiation algorithm A.4.1 for square roots, and\
+ algorithms A.4.7 and A.4.6 for the quadratic equation
+.Re
+.Sh BUGS
+.Fn BN_GF2m_mod
+is arbitrarily limited to reducing polynominals containing at most five
+non-zero coefficients and returns failure if
+.Fa p
+contains six or more non-zero coefficients.
diff --git a/src/lib/libcrypto/man/BN_new.3 b/src/lib/libcrypto/man/BN_new.3
index 4d73b73030..1913b75ec5 100644
--- a/src/lib/libcrypto/man/BN_new.3
+++ b/src/lib/libcrypto/man/BN_new.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: BN_new.3,v 1.20 2022/11/15 17:55:00 schwarze Exp $
+.\" $OpenBSD: BN_new.3,v 1.21 2022/11/18 01:21:40 schwarze Exp $
 .\" full merge up to: OpenSSL man3/BN_new 2457c19d Mar 6 08:43:36 2004 +0000
 .\" selective merge up to: man3/BN_new 681acb31 Sep 29 13:10:34 2017 +0200
 .\" full merge up to: OpenSSL man7/bn 05ea606a May 20 20:52:46 2016 -0400
@@ -50,7 +50,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: November 15 2022 $
+.Dd $Mdocdate: November 18 2022 $
 .Dt BN_NEW 3
 .Os
 .Sh NAME
@@ -155,6 +155,7 @@ and sets an error code that can be obtained by
 .Xr BN_CTX_start 3 ,
 .Xr BN_generate_prime 3 ,
 .Xr BN_get0_nist_prime_521 3 ,
+.Xr BN_GF2m_add 3 ,
 .Xr BN_kronecker 3 ,
 .Xr BN_mod_inverse 3 ,
 .Xr BN_mod_mul_montgomery 3 ,
diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile
index f1142ab014..8c799cf564 100644
--- a/src/lib/libcrypto/man/Makefile
+++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.236 2022/11/15 17:55:00 schwarze Exp $
+# $OpenBSD: Makefile,v 1.237 2022/11/18 01:21:40 schwarze Exp $
 .include <bsd.own.mk>
@@ -72,6 +72,7 @@ MAN=	\
        BN_copy.3 \
        BN_generate_prime.3 \
        BN_get0_nist_prime_521.3 \
+        BN_GF2m_add.3 \
        BN_kronecker.3 \
        BN_mod_inverse.3 \
        BN_mod_mul_montgomery.3 \
author	schwarze <>	2022-11-18 01:21:40 +0000
committer	schwarze <>	2022-11-18 01:21:40 +0000
commit	3244e3d0912b7dadf1bf04a3f571bd072f22ac5e (patch)
tree	85c46ead5e509b64e8b1743d62c7d0dfc85b3eec /src
parent	d440d72b21e530c551ae61a06e5167defa7b08f9 (diff)
download	openbsd-3244e3d0912b7dadf1bf04a3f571bd072f22ac5e.tar.gz openbsd-3244e3d0912b7dadf1bf04a3f571bd072f22ac5e.tar.bz2 openbsd-3244e3d0912b7dadf1bf04a3f571bd072f22ac5e.zip

diff --git a/src/lib/libcrypto/man/BN_GF2m_add.3 b/src/lib/libcrypto/man/BN_GF2m_add.3 new file mode 100644 index 0000000000..0442f7b6f4 --- /dev/null +++ b/src/lib/libcrypto/man/BN_GF2m_add.3
@@ -0,0 +1,522 @@
		1	.\" $OpenBSD: BN_GF2m_add.3,v 1.1 2022/11/18 01:21:40 schwarze Exp $
		2	.\"
		3	.\" Copyright (c) 2022 Ingo Schwarze <schwarze@openbsd.org>
		4	.\"
		5	.\" Permission to use, copy, modify, and distribute this software for any
		6	.\" purpose with or without fee is hereby granted, provided that the above
		7	.\" copyright notice and this permission notice appear in all copies.
		8	.\"
		9	.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
		10	.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
		11	.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
		12	.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
		13	.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
		14	.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
		15	.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
		16	.\"
		17	.Dd $Mdocdate: November 18 2022 $
		18	.Dt BN_GF2M_ADD 3
		19	.Os
		20	.Sh NAME
		21	.Nm BN_GF2m_add ,
		22	.Nm BN_GF2m_sub ,
		23	.Nm BN_GF2m_cmp ,
		24	.Nm BN_GF2m_mod_arr ,
		25	.Nm BN_GF2m_mod ,
		26	.Nm BN_GF2m_mod_mul_arr ,
		27	.Nm BN_GF2m_mod_mul ,
		28	.Nm BN_GF2m_mod_sqr_arr ,
		29	.Nm BN_GF2m_mod_sqr ,
		30	.Nm BN_GF2m_mod_inv ,
		31	.Nm BN_GF2m_mod_inv_arr ,
		32	.Nm BN_GF2m_mod_div ,
		33	.Nm BN_GF2m_mod_div_arr ,
		34	.Nm BN_GF2m_mod_exp_arr ,
		35	.Nm BN_GF2m_mod_exp ,
		36	.Nm BN_GF2m_mod_sqrt_arr ,
		37	.Nm BN_GF2m_mod_sqrt ,
		38	.Nm BN_GF2m_mod_solve_quad_arr ,
		39	.Nm BN_GF2m_mod_solve_quad ,
		40	.Nm BN_GF2m_poly2arr ,
		41	.Nm BN_GF2m_arr2poly
		42	.Nd arithmetic in Galois fields of power-of-2 order
		43	.Sh SYNOPSIS
		44	.In openssl/bn.h
		45	.Ft int
		46	.Fo BN_GF2m_add
		47	.Fa "BIGNUM *r"
		48	.Fa "const BIGNUM *a"
		49	.Fa "const BIGNUM *b"
		50	.Fc
		51	.Ft int
		52	.Fo BN_GF2m_sub
		53	.Fa "BIGNUM *r"
		54	.Fa "const BIGNUM *a"
		55	.Fa "const BIGNUM *b"
		56	.Fc
		57	.Ft int
		58	.Fo BN_GF2m_cmp
		59	.Fa "const BIGNUM *a"
		60	.Fa "const BIGNUM *b"
		61	.Fc
		62	.Ft int
		63	.Fo BN_GF2m_mod_arr
		64	.Fa "BIGNUM *r"
		65	.Fa "const BIGNUM *a"
		66	.Fa "const int p[]"
		67	.Fc
		68	.Ft int
		69	.Fo BN_GF2m_mod
		70	.Fa "BIGNUM *r"
		71	.Fa "const BIGNUM *a"
		72	.Fa "const BIGNUM *p"
		73	.Fc
		74	.Ft int
		75	.Fo BN_GF2m_mod_mul_arr
		76	.Fa "BIGNUM *r"
		77	.Fa "const BIGNUM *a"
		78	.Fa "const BIGNUM *b"
		79	.Fa "const int p[]"
		80	.Fa "BN_CTX *ctx"
		81	.Fc
		82	.Ft int
		83	.Fo BN_GF2m_mod_mul
		84	.Fa "BIGNUM *r"
		85	.Fa "const BIGNUM *a"
		86	.Fa "const BIGNUM *b"
		87	.Fa "const BIGNUM *p"
		88	.Fa "BN_CTX *ctx"
		89	.Fc
		90	.Ft int
		91	.Fo BN_GF2m_mod_sqr_arr
		92	.Fa "BIGNUM *r"
		93	.Fa "const BIGNUM *a"
		94	.Fa "const int p[]"
		95	.Fa "BN_CTX *ctx"
		96	.Fc
		97	.Ft int
		98	.Fo BN_GF2m_mod_sqr
		99	.Fa "BIGNUM *r"
		100	.Fa "const BIGNUM *a"
		101	.Fa "const BIGNUM *p"
		102	.Fa "BN_CTX *ctx"
		103	.Fc
		104	.Ft int
		105	.Fo BN_GF2m_mod_inv
		106	.Fa "BIGNUM *r"
		107	.Fa "const BIGNUM *b"
		108	.Fa "const BIGNUM *p"
		109	.Fa "BN_CTX *ctx"
		110	.Fc
		111	.Ft int
		112	.Fo BN_GF2m_mod_inv_arr
		113	.Fa "BIGNUM *r"
		114	.Fa "const BIGNUM *b"
		115	.Fa "const int p[]"
		116	.Fa "BN_CTX *ctx"
		117	.Fc
		118	.Ft int
		119	.Fo BN_GF2m_mod_div
		120	.Fa "BIGNUM *r"
		121	.Fa "const BIGNUM *a"
		122	.Fa "const BIGNUM *b"
		123	.Fa "const BIGNUM *p"
		124	.Fa "BN_CTX *ctx"
		125	.Fc
		126	.Ft int
		127	.Fo BN_GF2m_mod_div_arr
		128	.Fa "BIGNUM *r"
		129	.Fa "const BIGNUM *a"
		130	.Fa "const BIGNUM *b"
		131	.Fa "const int p[]"
		132	.Fa "BN_CTX *ctx"
		133	.Fc
		134	.Ft int
		135	.Fo BN_GF2m_mod_exp_arr
		136	.Fa "BIGNUM *r"
		137	.Fa "const BIGNUM *a"
		138	.Fa "const BIGNUM *exponent"
		139	.Fa "const int p[]"
		140	.Fa "BN_CTX *ctx"
		141	.Fc
		142	.Ft int
		143	.Fo BN_GF2m_mod_exp
		144	.Fa "BIGNUM *r"
		145	.Fa "const BIGNUM *a"
		146	.Fa "const BIGNUM *exponent"
		147	.Fa "const BIGNUM *p"
		148	.Fa "BN_CTX *ctx"
		149	.Fc
		150	.Ft int
		151	.Fo BN_GF2m_mod_sqrt_arr
		152	.Fa "BIGNUM *r"
		153	.Fa "const BIGNUM *a"
		154	.Fa "const int p[]"
		155	.Fa "BN_CTX *ctx"
		156	.Fc
		157	.Ft int
		158	.Fo BN_GF2m_mod_sqrt
		159	.Fa "BIGNUM *r"
		160	.Fa "const BIGNUM *a"
		161	.Fa "const BIGNUM *p"
		162	.Fa "BN_CTX *ctx"
		163	.Fc
		164	.Ft int
		165	.Fo BN_GF2m_mod_solve_quad_arr
		166	.Fa "BIGNUM *r"
		167	.Fa "const BIGNUM *a"
		168	.Fa "const int p[]"
		169	.Fa "BN_CTX *ctx"
		170	.Fc
		171	.Ft int
		172	.Fo BN_GF2m_mod_solve_quad
		173	.Fa "BIGNUM *r"
		174	.Fa "const BIGNUM *a"
		175	.Fa "const BIGNUM *p"
		176	.Fa "BN_CTX *ctx"
		177	.Fc
		178	.Ft int
		179	.Fo BN_GF2m_poly2arr
		180	.Fa "const BIGNUM *poly_in"
		181	.Fa "int arr_out[]"
		182	.Fa "int arr_size"
		183	.Fc
		184	.Ft int
		185	.Fo BN_GF2m_arr2poly
		186	.Fa "const int arr_in[]"
		187	.Fa "BIGNUM *poly_out"
		188	.Fc
		189	.Sh DESCRIPTION
		190	Two fields containing the same, finite number of elements are isomorphic,
		191	and the number of elements is called their order.
		192	The unique field of a given finite order is called the Galois field
		193	of that order.
		194	.EQ
		195	delim $$
		196	.EN
		197	The following functions perform arithmetic operations
		198	on $roman GF left ( 2 sup m right )$, the Galois fields of order $2 sup m$,
		199	where $m$ is a natural number.
		200	.Pp
		201	The $2 sup m$ elements of $roman GF left ( 2 sup m right )$
		202	are usually represented by the $2 sup m$ polynominals
		203	of a degrees less than $m$ with binary coefficients.
		204	Such a polynominal can either be specified by storing the coefficients
		205	in a
		206	.Vt BIGNUM
		207	object, using the $m$ lowest bits with bit numbers corresponding to degrees,
		208	or by storing the degrees that have
		209	coefficients of 1 in an integer array of at most $m + 1$ elements.
		210	For the functions below, the array needs to be sorted in decreasing
		211	order and terminated by the delimiter element \-1.
		212	.Pp
		213	A specific representation of $roman GF left ( 2 sup m right )$
		214	is selected by choosing a polynominal of degree $m$ that is irreducible
		215	with binary coefficients, called the reducing polynominal.
		216	Making sure that $p$ is of the correct degree and indeed irreducible
		217	is the responsibility of the user.
		218	Typically, the following functions silently produce nonsensical results
		219	when given a
		220	.Fa p
		221	argument that is of the wrong degree or that is reducible.
		222	Storing the reducing polynominal requires $m + 1$ bits in a
		223	.Vt BIGNUM
		224	object or an
		225	.Vt int
		226	array of up to $m + 2$ elements, including the terminating \-1 element.
		227	.Pp
		228	All functions produce correct results even if some or all of the arguments
		229	.Fa r ,
		230	.Fa a ,
		231	and
		232	.Fa b
		233	point to the same object.
		234	.Pp
		235	.Fn BN_GF2m_add
		236	adds the two polynominals
		237	.Fa a
		238	and
		239	.Fa b
		240	with binary coefficients, which is equivalent to a pairwise exclusive OR
		241	operation on the coefficients, and places the result into
		242	.Fa r .
		243	In particular, if
		244	.Fa a
		245	and
		246	.Fa b
		247	are elements of the same representation
		248	of the same $roman GF left ( 2 sup m right )$ group,
		249	the sum of both in that representation of that group is computed
		250	.Po
		251	$r = a + b$
		252	.Pc .
		253	In contrast to most of the other functions described here, no modulo
		254	operation is performed.
		255	Consequently, if the degree of at least one of the arguments may be larger
		256	than or equal to $m$, a follow-up call to
		257	.Fn BN_GF2m_mod_arr
		258	or
		259	.Fn BN_GF2m_mod
		260	may occasionally be useful.
		261	.Pp
		262	.Fn BN_GF2m_sub
		263	calculates the difference of
		264	.Fa a
		265	and
		266	.Fa b
		267	.Po
		268	$r = a - b = a + b$
		269	.Pc .
		270	Since \-1 is the same as 1 in binary arithmethic,
		271	.Fn BN_GF2m_sub
		272	does exactly the same as
		273	.Fn BN_GF2m_add .
		274	It is implemented as a macro.
		275	.Pp
		276	.Fn BN_GF2m_cmp
		277	is an alias for
		278	.Xr BN_ucmp 3 .
		279	Despite its name, it does not attempt to find out whether the two
		280	polynominals belong to the same congruence class with respect to some
		281	Galois group.
		282	.Pp
		283	.Fn BN_GF2m_mod_arr
		284	and its wrapper
		285	.Fn BN_GF2m_mod
		286	divide the polynominal with binary coefficients
		287	.Fa a
		288	by the polynominal with binary coefficients
		289	.Fa p
		290	and place the remainder into
		291	.Fa r
		292	.Po
		293	$r = a ( roman mod p )$
		294	.Pc .
		295	If
		296	.Fa r
		297	and
		298	.Fa a
		299	point to the same object, the modular reduction is done in place.
		300	.Pp
		301	.Fn BN_GF2m_mod_mul_arr
		302	and its wrapper
		303	.Fn BN_GF2m_mod_mul
		304	multiply
		305	.Fa a
		306	and
		307	.Fa b ,
		308	divide the result by
		309	.Fa p ,
		310	and place the remainder in
		311	.Fa r
		312	.Po
		313	$r = a * b ( roman mod p )$
		314	.Pc .
		315	.Pp
		316	.Fn BN_GF2m_mod_sqr_arr
		317	and its wrapper
		318	.Fn BN_GF2m_mod_sqr
		319	divide the square of
		320	.Fa a
		321	by
		322	.Fa p
		323	and place the remainder in
		324	.Fa r
		325	.Po
		326	$r = a * a ( roman mod p )$
		327	.Pc .
		328	.Pp
		329	.Fn BN_GF2m_mod_inv
		330	and its wrapper
		331	.Fn BN_GF2m_mod_inv_arr
		332	reduce
		333	.Fa b
		334	modulo
		335	.Fa p ,
		336	find the multiplicative inverse element
		337	in $roman GF left ( 2 sup m right )$ using the reducing polynominal $p$,
		338	and place the result into
		339	.Fa r
		340	.Po
		341	$r = 1 / b ( roman mod p )$
		342	.Pc .
		343	.Pp
		344	.Fn BN_GF2m_mod_div
		345	and its wrapper
		346	.Fn BN_GF2m_mod_div_arr
		347	reduce
		348	.Fa a
		349	and
		350	.Fa b
		351	modulo
		352	.Fa p ,
		353	compute their quotient
		354	in $roman GF left ( 2 sup m right )$ using the reducing polynominal $p$,
		355	and place the result into
		356	.Fa r
		357	.Po
		358	$r = a / b ( roman mod p )$
		359	.Pc .
		360	.Pp
		361	.Fn BN_GF2m_mod_exp_arr
		362	and its wrapper
		363	.Fn BN_GF2m_mod_exp
		364	reduce
		365	.Fa a
		366	modulo
		367	.Fa p ,
		368	raise it to the power of
		369	.Fa exponent
		370	in $roman GF left ( 2 sup m right )$ using the reducing polynominal $p$,
		371	and place the result into
		372	.Fa r
		373	.Po
		374	$r = a sup exponent ( roman mod p )$
		375	.Pc .
		376	.Pp
		377	.Fn BN_GF2m_mod_sqrt_arr
		378	and its wrapper
		379	.Fn BN_GF2m_mod_sqrt
		380	reduce
		381	.Fa a
		382	modulo
		383	.Fa p ,
		384	calculate the square root
		385	in $roman GF left ( 2 sup m right )$ using the reducing polynominal $p$
		386	by raising it to the power of $2 sup { m - 1 }$,
		387	and place the result into
		388	.Fa r
		389	.Po
		390	$r = sqrt a ( roman mod p )$
		391	.Pc .
		392	This works because of the identity $a sup {2 sup m} = a$
		393	which holds for all group elements $a$.
		394	.Pp
		395	.Fn BN_GF2m_mod_solve_quad_arr
		396	and its wrapper
		397	.Fn BN_GF2m_mod_solve_quad
		398	reduce
		399	.Fa a
		400	modulo
		401	.Fa p ,
		402	solve the quadratic equation $r sup 2 + r = a ( roman mod p )$
		403	in $roman GF left ( 2 sup m right )$ using the reducing polynominal $p$,
		404	and place the solution into
		405	.Fa r .
		406	.Pp
		407	.Fn BN_GF2m_poly2arr
		408	converts a polynominal from a bit string stored in the
		409	.Vt BIGNUM
		410	object
		411	.Fa poly_in
		412	to an array containing the degrees of the non-zero terms.
		413	It is the responsibility of the caller to provide an array
		414	.Fa arr_out
		415	of sufficient size and to provide the number of elements
		416	that can be stored in the array as the
		417	.Fa arr_size
		418	argument.
		419	The array is filled with the degrees in decreasing order,
		420	followed by an element with the value \-1.
		421	.Pp
		422	.Fn BN_GF2m_arr2poly
		423	converts a polynominal from the array
		424	.Fa arr_in
		425	containing degrees to a bit string placed in the
		426	.Vt BIGNUM
		427	object
		428	.Ft poly_out .
		429	It is the responsibility of the caller to provide the storage for
		430	.Fa poly_out
		431	and to make sure that
		432	.Fa arr_in
		433	is terminated with a \-1 element.
		434	.Sh RETURN VALUES
		435	.Fn BN_GF2m_cmp
		436	interprets
		437	.Fa a
		438	and
		439	.Fa b
		440	as integer numbers and returns
		441	\-1 if $left \| a right \| < left \| b right \|$,
		442	0 if $left \| a right \| = left \| b right \|$,
		443	or 1 if $left \| a right \| > left \| b right \|$.
		444	.Pp
		445	.Fn BN_GF2m_poly2arr
		446	returns:
		447	.Bl -bullet -compact -offset 2n -width 1n
		448	.It
		449	0 if
		450	.Fa poly_in
		451	has the value 0;
		452	.It
		453	a number in the range from 2 to
		454	.Fa arr_size ,
		455	inclusive, in case of success, specifying the number of elements
		456	that have been stored into the array;
		457	.It
		458	a number greater than
		459	.Fa arr_size
		460	if the function failed because the array was too small,
		461	specifying the array size that would have been needed.
		462	.El
		463	.Pp
		464	The other functions return 1 for success or 0 for failure.
		465	.Sh ERRORS
		466	After some cases of failure, the following diagnostics can be retrieved with
		467	.Xr ERR_get_error 3 ,
		468	.Xr ERR_GET_REASON 3 ,
		469	and
		470	.Xr ERR_reason_error_string 3 :
		471	.Bl -tag -width Ds
		472	.It Dv BN_R_NO_SOLUTION Qq "no solution"
		473	No solution exists for the equation that
		474	.Fn BN_GF2m_mod_solve_quad_arr
		475	or
		476	.Fn BN_GF2m_mod_solve_quad
		477	attempted to solve.
		478	.It Dv BN_R_INVALID_LENGTH Qq "invalid length"
		479	In one of the functions wrapping an
		480	.Fn *_arr
		481	variant, the
		482	.Fa "BIGNUM *p"
		483	argument had a value of zero, or in
		484	.Fn BN_GF2m_mod ,
		485	it contained more than five non-zero coefficients.
		486	.El
		487	.Sh SEE ALSO
		488	.Xr BN_add 3 ,
		489	.Xr BN_CTX_new 3 ,
		490	.Xr BN_new 3 ,
		491	.Xr BN_set_bit 3 ,
		492	.Xr EC_POINT_new 3
		493	.Rs
		494	.%A Darrel Hankerson
		495	.%A Julio L\('opez Hernandez
		496	.%A Alfred Menezes
		497	.%T Software Implementation of Elliptic Curve Cryptography over Binary Fields
		498	.%B CHES 2000: International Workshop on Cryptographic Hardware\
		499	and Embedded Systems
		500	.%U https://doi.org/10.1007/3-540-44499-8_1
		501	.%C Worcester, MA, USA
		502	.%D August 2000
		503	.%I Springer
		504	.%J Lecture Notes in Computer Science
		505	.%V vol 1965
		506	.%O Algorithm 10: Modified Almost Inverse Algorithm for inversion in FP(2\(ham)
		507	.Re
		508	.Rs
		509	.%V IEEE Standard 1363
		510	.%B Specifications for Public-Key Cryptography
		511	.%D August 29, 2000
		512	.%U https://doi.org/10.1109/IEEESTD.2000.92292
		513	.%O square-and-multiply algorithm A.5.1 for exponentiation,\
		514	exponentiation algorithm A.4.1 for square roots, and\
		515	algorithms A.4.7 and A.4.6 for the quadratic equation
		516	.Re
		517	.Sh BUGS
		518	.Fn BN_GF2m_mod
		519	is arbitrarily limited to reducing polynominals containing at most five
		520	non-zero coefficients and returns failure if
		521	.Fa p
		522	contains six or more non-zero coefficients.


diff --git a/src/lib/libcrypto/man/BN_new.3 b/src/lib/libcrypto/man/BN_new.3 index 4d73b73030..1913b75ec5 100644 --- a/src/lib/libcrypto/man/BN_new.3 +++ b/src/lib/libcrypto/man/BN_new.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: BN_new.3,v 1.20 2022/11/15 17:55:00 schwarze Exp $	1	.\" $OpenBSD: BN_new.3,v 1.21 2022/11/18 01:21:40 schwarze Exp $
2	.\" full merge up to: OpenSSL man3/BN_new 2457c19d Mar 6 08:43:36 2004 +0000	2	.\" full merge up to: OpenSSL man3/BN_new 2457c19d Mar 6 08:43:36 2004 +0000
3	.\" selective merge up to: man3/BN_new 681acb31 Sep 29 13:10:34 2017 +0200	3	.\" selective merge up to: man3/BN_new 681acb31 Sep 29 13:10:34 2017 +0200
4	.\" full merge up to: OpenSSL man7/bn 05ea606a May 20 20:52:46 2016 -0400	4	.\" full merge up to: OpenSSL man7/bn 05ea606a May 20 20:52:46 2016 -0400
@@ -50,7 +50,7 @@
50	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	50	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
51	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	51	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
52	.\"	52	.\"
53	.Dd $Mdocdate: November 15 2022 $	53	.Dd $Mdocdate: November 18 2022 $
54	.Dt BN_NEW 3	54	.Dt BN_NEW 3
55	.Os	55	.Os
56	.Sh NAME	56	.Sh NAME
@@ -155,6 +155,7 @@ and sets an error code that can be obtained by
155	.Xr BN_CTX_start 3 ,	155	.Xr BN_CTX_start 3 ,
156	.Xr BN_generate_prime 3 ,	156	.Xr BN_generate_prime 3 ,
157	.Xr BN_get0_nist_prime_521 3 ,	157	.Xr BN_get0_nist_prime_521 3 ,
		158	.Xr BN_GF2m_add 3 ,
158	.Xr BN_kronecker 3 ,	159	.Xr BN_kronecker 3 ,
159	.Xr BN_mod_inverse 3 ,	160	.Xr BN_mod_inverse 3 ,
160	.Xr BN_mod_mul_montgomery 3 ,	161	.Xr BN_mod_mul_montgomery 3 ,


diff --git a/src/lib/libcrypto/man/Makefile b/src/lib/libcrypto/man/Makefile index f1142ab014..8c799cf564 100644 --- a/src/lib/libcrypto/man/Makefile +++ b/src/lib/libcrypto/man/Makefile
@@ -1,4 +1,4 @@
1	# $OpenBSD: Makefile,v 1.236 2022/11/15 17:55:00 schwarze Exp $	1	# $OpenBSD: Makefile,v 1.237 2022/11/18 01:21:40 schwarze Exp $
2		2
3	.include <bsd.own.mk>	3	.include <bsd.own.mk>
4		4
@@ -72,6 +72,7 @@ MAN= \
72	BN_copy.3 \	72	BN_copy.3 \
73	BN_generate_prime.3 \	73	BN_generate_prime.3 \
74	BN_get0_nist_prime_521.3 \	74	BN_get0_nist_prime_521.3 \
		75	BN_GF2m_add.3 \
75	BN_kronecker.3 \	76	BN_kronecker.3 \
76	BN_mod_inverse.3 \	77	BN_mod_inverse.3 \
77	BN_mod_mul_montgomery.3 \	78	BN_mod_mul_montgomery.3 \