fast reduction for NIST curves

Submitted by: Nils Larsch

fast reduction for NIST curves
Submitted by: Nils Larsch
5c6bf031 · Bodo Möller · f72ed615 · 5c6bf031 · 5c6bf031 · 5c6bf031
12 changed file
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,12 @@

 Changes between 0.9.7 and 0.9.8  [xx XXX 2002]

+  *) Implement fast modular reduction for pseudo-Mersenne primes
+     used in NIST curves (crypto/bn/bn_nist.c, crypto/ec/ecp_nist.c).
+     EC_GROUP_new_curve_GFp() will now automatically use this
+     if applicable.
+     [Nils Larsch <nla@trustcenter.de>]
+
  *) Change the ENGINE framework to automatically load engines
     dynamically from specific directories unless they could be
     found to already be built in or loaded.  Move all the

--- a/apps/speed.c
+++ b/apps/speed.c
@@ -261,7 +261,7 @@ static int do_multi(int multi);
 #define RSA_NUM		4
 #define DSA_NUM		3

-#define EC_NUM       15
+#define EC_NUM       16
 #define MAX_ECDH_SIZE 256

 static const char *names[ALGOR_NUM]={
@@ -520,20 +520,21 @@ int MAIN(int argc, char **argv)
 #define	R_RSA_4096	3

 #define R_EC_P160    0
-#define R_EC_P224    1
-#define R_EC_P256    2
-#define R_EC_P384    3
-#define R_EC_P521    4
-#define R_EC_K163    5
-#define R_EC_K233    6
-#define R_EC_K283    7
-#define R_EC_K409    8
-#define R_EC_K571    9
-#define R_EC_B163    10
-#define R_EC_B233    11
-#define R_EC_B283    12
-#define R_EC_B409    13
-#define R_EC_B571    14
+#define R_EC_P192    1	
+#define R_EC_P224    2
+#define R_EC_P256    3
+#define R_EC_P384    4
+#define R_EC_P521    5
+#define R_EC_K163    6
+#define R_EC_K233    7
+#define R_EC_K283    8
+#define R_EC_K409    9
+#define R_EC_K571    10
+#define R_EC_B163    11
+#define R_EC_B233    12
+#define R_EC_B283    13
+#define R_EC_B409    14
+#define R_EC_B571    15

 #ifndef OPENSSL_NO_RSA
 	RSA *rsa_key[RSA_NUM];
@@ -560,6 +561,7 @@ int MAIN(int argc, char **argv)
 	{	
 	/* Prime Curves */
 	NID_secp160r1,
+	NID_X9_62_prime192v1,
 	NID_secp224r1,
 	NID_X9_62_prime256v1,
 	NID_secp384r1,
@@ -580,6 +582,7 @@ int MAIN(int argc, char **argv)
 	{
 	/* Prime Curves */
 	"secp160r1",
+	"nistp192",
 	"nistp224",
 	"nistp256",
 	"nistp384",
@@ -598,7 +601,7 @@ int MAIN(int argc, char **argv)
 	};
 	static int test_curves_bits[EC_NUM] =
        {
-        160, 224, 256, 384, 521,
+        160, 192, 224, 256, 384, 521,
        163, 233, 283, 409, 571,
        163, 233, 283, 409, 571
        };

--- a/crypto/bn/Makefile.ssl
+++ b/crypto/bn/Makefile.ssl
@@ -39,12 +39,12 @@ LIB=$(TOP)/libcrypto.a
 LIBSRC=	bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c bn_mod.c \
 	bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
 	bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \
-	bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c
+	bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c

 LIBOBJ=	bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o bn_mod.o \
 	bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \
 	bn_kron.o bn_sqrt.o bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) \
-	bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o bn_gf2m.o
+	bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o bn_gf2m.o bn_nist.o

 SRC= $(LIBSRC)

@@ -286,6 +286,8 @@ bn_mul.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bn_mul.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bn_mul.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 bn_mul.o: ../cryptlib.h bn_lcl.h bn_mul.c
+bn_nist.o: ../../include/openssl/bn.h ../../include/openssl/e_os2.h
+bn_nist.o: ../../include/openssl/opensslconf.h bn_lcl.h bn_nist.c
 bn_prime.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_prime.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bn_prime.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h

--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@@ -355,6 +355,8 @@ BIGNUM *BN_new(void);
 void	BN_init(BIGNUM *);
 void	BN_clear_free(BIGNUM *a);
 BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b);
+/* BN_ncopy(): like BN_copy() but copies at most the first n BN_ULONGs */
+BIGNUM *BN_ncopy(BIGNUM *a, const BIGNUM *b, size_t n);
 void	BN_swap(BIGNUM *a, BIGNUM *b);
 BIGNUM *BN_bin2bn(const unsigned char *s,int len,BIGNUM *ret);
 int	BN_bn2bin(const BIGNUM *a, unsigned char *to);
@@ -513,6 +515,20 @@ int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a, const unsigned int p[
 int BN_GF2m_poly2arr(const BIGNUM *a, unsigned int p[], int max);
 int BN_GF2m_arr2poly(const unsigned int p[], BIGNUM *a);

+/* faster mod functions for the 'NIST primes' 
+ * 0 <= a < p^2 */
+int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx);
+
+const BIGNUM *BN_get0_nist_prime_192(void);
+const BIGNUM *BN_get0_nist_prime_224(void);
+const BIGNUM *BN_get0_nist_prime_256(void);
+const BIGNUM *BN_get0_nist_prime_384(void);
+const BIGNUM *BN_get0_nist_prime_521(void);
+
 /* library internal functions */

 #define bn_expand(a,bits) ((((((bits+BN_BITS2-1))/BN_BITS2)) <= (a)->dmax)?\
@@ -531,6 +547,14 @@ BIGNUM *bn_dup_expand(const BIGNUM *a, int words);
 		} \
 	}

+#define bn_clear_top2max(a) \
+	{ \
+	int      index = (a)->dmax - (a)->top; \
+	BN_ULONG *ftl = &(a)->d[(a)->top-1]; \
+	for (; index != 0; index--) \
+		*(++ftl) = 0x0; \
+	}
+
 BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
 BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
 void     bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num);

--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -522,6 +522,51 @@ BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
 	return(a);
 	}

+BIGNUM *BN_ncopy(BIGNUM *a, const BIGNUM *b, size_t n)
+	{
+	int i, min;
+	BN_ULONG *A;
+	const BN_ULONG *B;
+
+	bn_check_top(b);
+
+	if (a == b)
+		return a;
+
+	min = (b->top < (int)n)? b->top: (int)n;
+
+	if (!min)
+		{
+		BN_zero(a);
+		return a;
+		}
+
+	if (bn_wexpand(a, min) == NULL)
+		return NULL;
+
+	A=a->d;
+	B=b->d;
+	for (i=min>>2; i>0; i--, A+=4, B+=4)
+		{
+		BN_ULONG a0,a1,a2,a3;
+		a0=B[0]; a1=B[1]; a2=B[2]; a3=B[3];
+		A[0]=a0; A[1]=a1; A[2]=a2; A[3]=a3;
+		}
+	switch (min&3)
+		{
+		case 3: A[2]=B[2];
+		case 2: A[1]=B[1];
+		case 1: A[0]=B[0];
+		case 0: ;
+		}
+	a->top = min;
+
+	a->neg = b->neg;
+	bn_fix_top(a);
+
+	return(a);
+	}
+
 void BN_swap(BIGNUM *a, BIGNUM *b)
 	{
 	int flags_old_a, flags_old_b;

--- a/crypto/bn/bn_nist.c
+++ b/crypto/bn/bn_nist.c
--- a/crypto/ec/Makefile.ssl
+++ b/crypto/ec/Makefile.ssl
@@ -129,6 +129,7 @@ ec_curve.o: ../../include/openssl/symhacks.h ec_curve.c ec_lcl.h
 ec_cvt.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 ec_cvt.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
 ec_cvt.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ec_cvt.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 ec_cvt.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h
 ec_cvt.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 ec_cvt.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
@@ -183,6 +184,7 @@ ecp_mont.o: ../../include/openssl/symhacks.h ec_lcl.h ecp_mont.c
 ecp_nist.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
 ecp_nist.o: ../../include/openssl/bn.h ../../include/openssl/crypto.h
 ecp_nist.o: ../../include/openssl/e_os2.h ../../include/openssl/ec.h
+ecp_nist.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 ecp_nist.o: ../../include/openssl/obj_mac.h ../../include/openssl/opensslconf.h
 ecp_nist.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 ecp_nist.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h

--- a/crypto/ec/ec.h
+++ b/crypto/ec/ec.h
@@ -127,9 +127,9 @@ typedef struct ec_point_st EC_POINT;
 */
 const EC_METHOD *EC_GFp_simple_method(void);
 const EC_METHOD *EC_GFp_mont_method(void);
+const EC_METHOD *EC_GFp_nist_method(void);
 #if 0
 const EC_METHOD *EC_GFp_recp_method(void); /* TODO */
-const EC_METHOD *EC_GFp_nist_method(void); /* TODO */
 #endif

 /* EC_METHOD for curves over GF(2^m).
@@ -370,6 +370,10 @@ void ERR_load_EC_strings(void);
 #define EC_F_ECPKPARAMETERS_PRINT_FP			 150
 #define EC_F_ECPUBLICKEY_GET_OCTET			 151
 #define EC_F_ECPUBLICKEY_SET_OCTET			 152
+#define EC_F_ECP_NIST_MOD_192				 203
+#define EC_F_ECP_NIST_MOD_224				 204
+#define EC_F_ECP_NIST_MOD_256				 205
+#define EC_F_ECP_NIST_MOD_521				 206
 #define EC_F_EC_ASN1_GROUP2CURVE			 153
 #define EC_F_EC_ASN1_GROUP2FIELDID			 154
 #define EC_F_EC_ASN1_GROUP2PARAMETERS			 155
@@ -387,6 +391,9 @@ void ERR_load_EC_strings(void);
 #define EC_F_EC_GFP_MONT_FIELD_ENCODE			 134
 #define EC_F_EC_GFP_MONT_FIELD_MUL			 131
 #define EC_F_EC_GFP_MONT_FIELD_SQR			 132
+#define EC_F_EC_GFP_NIST_FIELD_MUL			 200
+#define EC_F_EC_GFP_NIST_FIELD_SQR			 201
+#define EC_F_EC_GFP_NIST_GROUP_SET_CURVE_GFP		 202
 #define EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT	 165
 #define EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE		 166
 #define EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP		 100
@@ -468,6 +475,7 @@ void ERR_load_EC_strings(void);
 #define EC_R_GROUP2PKPARAMETERS_FAILURE			 120
 #define EC_R_I2D_ECPKPARAMETERS_FAILURE			 121
 #define EC_R_INCOMPATIBLE_OBJECTS			 101
+#define EC_R_INTERNAL_ERROR				 132
 #define EC_R_INVALID_ARGUMENT				 112
 #define EC_R_INVALID_COMPRESSED_POINT			 110
 #define EC_R_INVALID_COMPRESSION_BIT			 109
@@ -480,10 +488,13 @@ void ERR_load_EC_strings(void);
 #define EC_R_MISSING_PRIVATE_KEY			 125
 #define EC_R_NOT_IMPLEMENTED				 126
 #define EC_R_NOT_INITIALIZED				 111
+#define EC_R_NO_FIELD_MOD				 133
 #define EC_R_NO_SUCH_EXTRA_DATA				 105
+#define EC_R_PASSED_NULL_PARAMETER			 134
 #define EC_R_PKPARAMETERS2GROUP_FAILURE			 127
 #define EC_R_POINT_AT_INFINITY				 106
 #define EC_R_POINT_IS_NOT_ON_CURVE			 107
+#define EC_R_PRIME_IS_NOT_A_NIST_PRIME			 135
 #define EC_R_SLOT_FULL					 108
 #define EC_R_UNDEFINED_GENERATOR			 113
 #define EC_R_UNDEFINED_ORDER				 128

--- a/crypto/ec/ec_cvt.c
+++ b/crypto/ec/ec_cvt.c
@@ -82,6 +82,7 @@
 *
 */

+#include <openssl/err.h>
 #include "ec_lcl.h"


@@ -89,11 +90,8 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM
 	{
 	const EC_METHOD *meth;
 	EC_GROUP *ret;
-	
-	/* Finally, this will use EC_GFp_nist_method if 'p' is a special
-	 * prime with optimized modular arithmetics (for NIST curves)
-	 */
-	meth = EC_GFp_mont_method();
+
+	meth = EC_GFp_nist_method();
 	
 	ret = EC_GROUP_new(meth);
 	if (ret == NULL)
@@ -101,8 +99,21 @@ EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM

 	if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx))
 		{
+		/* remove the last error code form the error queue */
+		ERR_get_error();
+		/* try the normal mont method */
 		EC_GROUP_clear_free(ret);
-		return NULL;
+		meth = EC_GFp_mont_method();
+
+		ret = EC_GROUP_new(meth);
+		if (ret == NULL)
+			return NULL;
+
+		if (!EC_GROUP_set_curve_GFp(ret, p, a, b, ctx))
+			{
+			EC_GROUP_clear_free(ret);
+			return NULL;
+			}
 		}

 	return ret;

--- a/crypto/ec/ec_err.c
+++ b/crypto/ec/ec_err.c
@@ -76,6 +76,10 @@ static ERR_STRING_DATA EC_str_functs[]=
 {ERR_PACK(0,EC_F_ECPKPARAMETERS_PRINT_FP,0),	"ECPKParameters_print_fp"},
 {ERR_PACK(0,EC_F_ECPUBLICKEY_GET_OCTET,0),	"ECPUBLICKEY_GET_OCTET"},
 {ERR_PACK(0,EC_F_ECPUBLICKEY_SET_OCTET,0),	"ECPUBLICKEY_SET_OCTET"},
+{ERR_PACK(0,EC_F_ECP_NIST_MOD_192,0),	"ECP_NIST_MOD_192"},
+{ERR_PACK(0,EC_F_ECP_NIST_MOD_224,0),	"ECP_NIST_MOD_224"},
+{ERR_PACK(0,EC_F_ECP_NIST_MOD_256,0),	"ECP_NIST_MOD_256"},
+{ERR_PACK(0,EC_F_ECP_NIST_MOD_521,0),	"ECP_NIST_MOD_521"},
 {ERR_PACK(0,EC_F_EC_ASN1_GROUP2CURVE,0),	"EC_ASN1_GROUP2CURVE"},
 {ERR_PACK(0,EC_F_EC_ASN1_GROUP2FIELDID,0),	"EC_ASN1_GROUP2FIELDID"},
 {ERR_PACK(0,EC_F_EC_ASN1_GROUP2PARAMETERS,0),	"EC_ASN1_GROUP2PARAMETERS"},
@@ -93,6 +97,9 @@ static ERR_STRING_DATA EC_str_functs[]=
 {ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_ENCODE,0),	"ec_GFp_mont_field_encode"},
 {ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_MUL,0),	"ec_GFp_mont_field_mul"},
 {ERR_PACK(0,EC_F_EC_GFP_MONT_FIELD_SQR,0),	"ec_GFp_mont_field_sqr"},
+{ERR_PACK(0,EC_F_EC_GFP_NIST_FIELD_MUL,0),	"ec_GFp_nist_field_mul"},
+{ERR_PACK(0,EC_F_EC_GFP_NIST_FIELD_SQR,0),	"ec_GFp_nist_field_sqr"},
+{ERR_PACK(0,EC_F_EC_GFP_NIST_GROUP_SET_CURVE_GFP,0),	"EC_GFP_NIST_GROUP_SET_CURVE_GFP"},
 {ERR_PACK(0,EC_F_EC_GFP_SIMPLE_GROUP_CHECK_DISCRIMINANT,0),	"ec_GFp_simple_group_check_discriminant"},
 {ERR_PACK(0,EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE,0),	"ec_GFp_simple_group_set_curve"},
 {ERR_PACK(0,EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP,0),	"EC_GFP_SIMPLE_GROUP_SET_CURVE_GFP"},
@@ -177,6 +184,7 @@ static ERR_STRING_DATA EC_str_reasons[]=
 {EC_R_GROUP2PKPARAMETERS_FAILURE         ,"group2pkparameters failure"},
 {EC_R_I2D_ECPKPARAMETERS_FAILURE         ,"i2d ecpkparameters failure"},
 {EC_R_INCOMPATIBLE_OBJECTS               ,"incompatible objects"},
+{EC_R_INTERNAL_ERROR                     ,"internal error"},
 {EC_R_INVALID_ARGUMENT                   ,"invalid argument"},
 {EC_R_INVALID_COMPRESSED_POINT           ,"invalid compressed point"},
 {EC_R_INVALID_COMPRESSION_BIT            ,"invalid compression bit"},
@@ -189,10 +197,13 @@ static ERR_STRING_DATA EC_str_reasons[]=
 {EC_R_MISSING_PRIVATE_KEY                ,"missing private key"},
 {EC_R_NOT_IMPLEMENTED                    ,"not implemented"},
 {EC_R_NOT_INITIALIZED                    ,"not initialized"},
+{EC_R_NO_FIELD_MOD                       ,"no field mod"},
 {EC_R_NO_SUCH_EXTRA_DATA                 ,"no such extra data"},
+{EC_R_PASSED_NULL_PARAMETER              ,"passed null parameter"},
 {EC_R_PKPARAMETERS2GROUP_FAILURE         ,"pkparameters2group failure"},
 {EC_R_POINT_AT_INFINITY                  ,"point at infinity"},
 {EC_R_POINT_IS_NOT_ON_CURVE              ,"point is not on curve"},
+{EC_R_PRIME_IS_NOT_A_NIST_PRIME          ,"prime is not a nist prime"},
 {EC_R_SLOT_FULL                          ,"slot full"},
 {EC_R_UNDEFINED_GENERATOR                ,"undefined generator"},
 {EC_R_UNDEFINED_ORDER                    ,"undefined order"},

--- a/crypto/ec/ecp_nist.c
+++ b/crypto/ec/ecp_nist.c
 /* crypto/ec/ecp_nist.c */
+/*
+ * Written by Nils Larsch for the OpenSSL project.
+ */
 /* ====================================================================
- * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -58,12 +61,14 @@
 * and contributed to the OpenSSL project.
 */

+#include <openssl/err.h>
+#include <openssl/obj_mac.h>
 #include "ec_lcl.h"

-#if 0
 const EC_METHOD *EC_GFp_nist_method(void)
 	{
 	static const EC_METHOD ret = {
+		NID_X9_62_prime_field,
 		ec_GFp_nist_group_init,
 		ec_GFp_nist_group_finish,
 		ec_GFp_nist_group_clear_finish,
@@ -71,10 +76,6 @@ const EC_METHOD *EC_GFp_nist_method(void)
 		ec_GFp_nist_group_set_curve,
 		ec_GFp_simple_group_get_curve,
 		ec_GFp_simple_group_get_degree,
-		ec_GFp_simple_group_set_generator,
-		ec_GFp_simple_group_get0_generator,
-		ec_GFp_simple_group_get_order,
-		ec_GFp_simple_group_get_cofactor,
 		ec_GFp_simple_group_check_discriminant,
 		ec_GFp_simple_point_init,
 		ec_GFp_simple_point_finish,
@@ -107,8 +108,13 @@ const EC_METHOD *EC_GFp_nist_method(void)

 	return &ret;
 	}
-#endif

+#define	ECP_MOD_CAST	\
+	(int (*)(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *))
+
+#if BN_BITS2 == 64 && UINT_MAX != 4294967295UL && ULONG_MAX != 4294967295UL
+#define	NO_32_BIT_TYPE
+#endif

 int ec_GFp_nist_group_init(EC_GROUP *group)
 	{
@@ -119,26 +125,154 @@ int ec_GFp_nist_group_init(EC_GROUP *group)
 	return ok;
 	}

+void ec_GFp_nist_group_finish(EC_GROUP *group)
+	{
+	BN_free(&group->field);
+	BN_free(&group->a);
+	BN_free(&group->b);
+	}
+
+
+void ec_GFp_nist_group_clear_finish(EC_GROUP *group)
+	{
+	BN_clear_free(&group->field);
+	BN_clear_free(&group->a);
+	BN_clear_free(&group->b);
+	}
+
+
+int ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p,
+	const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx)
+	{
+	int ret = 0;
+	BN_CTX *new_ctx = NULL;
+	BIGNUM *tmp_bn;
+	
+	if (ctx == NULL)
+		if ((ctx = new_ctx = BN_CTX_new()) == NULL) return 0;
+
+	BN_CTX_start(ctx);
+	if ((tmp_bn = BN_CTX_get(ctx)) == NULL) goto err;
+
+	if (BN_ucmp(BN_get0_nist_prime_192(), p) == 0)
+		group->field_data1 = (void *)BN_nist_mod_192;
+	else if (BN_ucmp(BN_get0_nist_prime_224(), p) == 0)
+#if !defined(ECP_NO_32_BIT_TYPE) || defined(OPENSSL_NO_ASM)
+		group->field_data1 = (void *)BN_nist_mod_224;
+#else
+		goto err;
+#endif
+	else if (BN_ucmp(BN_get0_nist_prime_256(), p) == 0)
+#if !defined(ECP_NO_32_BIT_TYPE) || defined(OPENSSL_NO_ASM)
+		group->field_data1 = (void *)BN_nist_mod_256;
+#else
+		goto err;
+#endif
+	else if (BN_ucmp(BN_get0_nist_prime_384(), p) == 0)
+#if !defined(ECP_NO_32_BIT_TYPE) || defined(OPENSSL_NO_ASM)
+		group->field_data1 = (void *)BN_nist_mod_384;
+#else
+		goto err;
+#endif
+	else if (BN_ucmp(BN_get0_nist_prime_521(), p) == 0)
+		group->field_data1 = (void *)BN_nist_mod_521;
+	else
+		{
+		ECerr(EC_F_EC_GFP_NIST_GROUP_SET_CURVE_GFP, 
+			EC_R_PRIME_IS_NOT_A_NIST_PRIME);
+		goto err;
+		}
+
+	/* group->field */
+	if (!BN_copy(&group->field, p)) goto err;
+	group->field.neg = 0;
+
+	/* group->a */
+	(ECP_MOD_CAST group->field_data1)(&group->a, a, p, ctx);
+
+	/* group->b */
+	(ECP_MOD_CAST group->field_data1)(&group->b, b, p, ctx);
+
+	/* group->a_is_minus3 */
+	if (!BN_add_word(tmp_bn, 3)) goto err;
+	group->a_is_minus3 = (0 == BN_cmp(tmp_bn, &group->field));
+
+	ret = 1;
+
+ err:
+	BN_CTX_end(ctx);
+	if (new_ctx != NULL)
+		BN_CTX_free(new_ctx);
+	return ret;
+	}
+
+int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src)
+	{
+	if (dest == NULL || src == NULL)
+		return 0;
+
+	if (!BN_copy(&dest->field, &src->field))
+		return 0;
+	if (!BN_copy(&dest->a, &src->a))
+		return 0;
+	if (!BN_copy(&dest->b, &src->b))
+		return 0;

-int ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
-/* TODO */
+	dest->curve_name  = src->curve_name;

+	dest->a_is_minus3 = src->a_is_minus3;

-void ec_GFp_nist_group_finish(EC_GROUP *group);
-/* TODO */
+	dest->field_data1 = src->field_data1;
+
+	return 1;
+	}

+int ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
+	const BIGNUM *b, BN_CTX *ctx)
+	{
+	int	ret=0;
+	BN_CTX	*ctx_new=NULL;

-void ec_GFp_nist_group_clear_finish(EC_GROUP *group);
-/* TODO */
+	if (!group || !r || !a || !b)
+		{
+		ECerr(EC_F_EC_GFP_NIST_FIELD_MUL, ERR_R_PASSED_NULL_PARAMETER);
+		goto err;
+		}
+	if (!ctx)
+		if ((ctx_new = ctx = BN_CTX_new()) == NULL) goto err;

+	if (!BN_mul(r, a, b, ctx)) goto err;
+	if (!(ECP_MOD_CAST group->field_data1)(r, r, &group->field, ctx))
+		goto err;

-int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src);
-/* TODO */
+	ret=1;
+err:
+	if (ctx_new)
+		BN_CTX_free(ctx_new);
+	return ret;
+	}

+int ec_GFp_nist_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a,
+	BN_CTX *ctx)
+	{
+	int	ret=0;
+	BN_CTX	*ctx_new=NULL;

-int ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
-/* TODO */
+	if (!group || !r || !a)
+		{
+		ECerr(EC_F_EC_GFP_NIST_FIELD_SQR, EC_R_PASSED_NULL_PARAMETER);
+		goto err;
+		}
+	if (!ctx)
+		if ((ctx_new = ctx = BN_CTX_new()) == NULL) goto err;

+	if (!BN_sqr(r, a, ctx)) goto err;
+	if (!(ECP_MOD_CAST group->field_data1)(r, r, &group->field, ctx))
+		goto err;

-int ec_GFp_nist_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx);
-/* TODO */
+	ret=1;
+err:
+	if (ctx_new)
+		BN_CTX_free(ctx_new);
+	return ret;
+	}
--- a/util/libeay.num
+++ b/util/libeay.num
@@ -3022,3 +3022,15 @@ ASN1_item_ndef_i2d                      3454	EXIST::FUNCTION:
 i2d_PKCS7_NDEF                          3455	EXIST::FUNCTION:
 ENGINE_up_ref                           3456	EXIST::FUNCTION:
 ENGINE_get_static_state                 3457	EXIST::FUNCTION:
+BN_get0_nist_prime_384                  3458	EXIST::FUNCTION:
+BN_ncopy                                3459	EXIST::FUNCTION:
+BN_nist_mod_224                         3460	EXIST::FUNCTION:
+BN_nist_mod_256                         3461	EXIST::FUNCTION:
+EC_GFp_nist_method                      3462	EXIST::FUNCTION:EC
+BN_nist_mod_384                         3463	EXIST::FUNCTION:
+BN_get0_nist_prime_192                  3464	EXIST::FUNCTION:
+BN_get0_nist_prime_521                  3465	EXIST::FUNCTION:
+BN_get0_nist_prime_224                  3466	EXIST::FUNCTION:
+BN_get0_nist_prime_256                  3467	EXIST::FUNCTION:
+BN_nist_mod_192                         3468	EXIST::FUNCTION:
+BN_nist_mod_521                         3469	EXIST::FUNCTION: