#include <pcurves_impl.h>

Public Member Functions
size_t	bits () const
	BlindedScalarBits (BlindedScalarBits &&other)=delete
	BlindedScalarBits (const BlindedScalarBits &other)=delete
	BlindedScalarBits (const typename C::Scalar &scalar, RandomNumberGenerator &rng)
size_t	get_window (size_t offset) const
BlindedScalarBits &	operator= (BlindedScalarBits &&other)=delete
BlindedScalarBits &	operator= (const BlindedScalarBits &other)=delete
	~BlindedScalarBits ()

Static Public Attributes
static constexpr size_t	Bits = C::Scalar::BITS + BlindingBits

Detailed Description

template<typename C, size_t WindowBits>
class Botan::BlindedScalarBits< C, WindowBits >

Blinded Scalar

This randomizes the scalar representation by computing s + n*k, where n is the group order and k is a random value

Note that the field arithmetic and point multiplication algorithms implemented in this file are already constant time; blinding is used here as an additional precaution to guard against compilers introducing conditional jumps where not expected.

If the provided RNG is not seeded, blinding is skipped and the scalar is used directly. This allows blinding to be disabled at runtime.

Definition at line 1293 of file pcurves_impl.h.

Constructor & Destructor Documentation

◆ BlindedScalarBits() [1/3]

template<typename C, size_t WindowBits>

Botan::BlindedScalarBits< C, WindowBits >::BlindedScalarBits	(	const typename C::Scalar &	scalar,
		RandomNumberGenerator &	rng )

inline

Definition at line 1307 of file pcurves_impl.h.

                                                                                    {
         if(BlindingBits > 0 && rng.is_seeded()) {
            constexpr size_t MaskWords = (BlindingBits + WordInfo<W>::bits - 1) / WordInfo<W>::bits;
            constexpr size_t MaskBytes = MaskWords * WordInfo<W>::bytes;
 
            constexpr size_t n_words = C::Words;
 
            uint8_t maskb[MaskBytes + (BlindingBits == 0 ? 1 : 0)] = {0};
            rng.randomize(maskb, MaskBytes);
 
            W mask[n_words] = {0};
            load_le(mask, maskb, MaskWords);
 
            // Mask to exactly BlindingBits
            constexpr size_t ExcessBits = MaskWords * WordInfo<W>::bits - BlindingBits;
            if constexpr(ExcessBits > 0) {
               constexpr W ExcessMask = (static_cast<W>(1) << (WordInfo<W>::bits - ExcessBits)) - 1;
               mask[MaskWords - 1] &= ExcessMask;
            }
 
            // Set top and bottom bits of mask
            constexpr size_t TopMaskBit = (BlindingBits - 1) % WordInfo<W>::bits;
            mask[(BlindingBits - 1) / WordInfo<W>::bits] |= static_cast<W>(1) << TopMaskBit;
            mask[0] |= 1;
 
            W mask_n[2 * n_words] = {0};
 
            const auto sw = scalar.to_words();
 
            // Compute masked scalar s + k*n
            comba_mul<n_words>(mask_n, mask, C::NW.data());
            bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size());
 
            std::reverse(mask_n, mask_n + 2 * n_words);
            m_bytes = store_be<std::vector<uint8_t>>(mask_n);
            m_bits = C::Scalar::BITS + BlindingBits;
         } else {
            // No RNG available, skip blinding
            m_bytes.resize(C::Scalar::BYTES);
            scalar.serialize_to(std::span{m_bytes}.template first<C::Scalar::BYTES>());
            m_bits = C::Scalar::BITS;
         }
 
         CT::poison(m_bytes.data(), m_bytes.size());
      }

◆ ~BlindedScalarBits()

template<typename C, size_t WindowBits>

Botan::BlindedScalarBits< C, WindowBits >::~BlindedScalarBits ( )

inline

Definition at line 1358 of file pcurves_impl.h.

                           {
         secure_zeroize_buffer(m_bytes.data(), m_bytes.size());
         CT::unpoison(m_bytes.data(), m_bytes.size());
      }

◆ BlindedScalarBits() [2/3]

template<typename C, size_t WindowBits>

Botan::BlindedScalarBits< C, WindowBits >::BlindedScalarBits ( const BlindedScalarBits< C, WindowBits > & other )

delete

◆ BlindedScalarBits() [3/3]

template<typename C, size_t WindowBits>

Botan::BlindedScalarBits< C, WindowBits >::BlindedScalarBits ( BlindedScalarBits< C, WindowBits > && other )

delete

Member Function Documentation

◆ bits()

template<typename C, size_t WindowBits>

size_t Botan::BlindedScalarBits< C, WindowBits >::bits ( ) const

inline

Definition at line 1305 of file pcurves_impl.h.

1305{ return m_bits; }

Referenced by Botan::WindowedBoothMulTable< C, W >::mul().

◆ get_window()

template<typename C, size_t WindowBits>

size_t Botan::BlindedScalarBits< C, WindowBits >::get_window ( size_t offset ) const

inline

Definition at line 1353 of file pcurves_impl.h.

                                             {
         // Extract a WindowBits sized window out of s, depending on offset.
         return read_window_bits<WindowBits>(std::span{m_bytes}, offset);
      }

Referenced by Botan::WindowedBoothMulTable< C, W >::mul().

◆ operator=() [1/2]

template<typename C, size_t WindowBits>

BlindedScalarBits & Botan::BlindedScalarBits< C, WindowBits >::operator= ( BlindedScalarBits< C, WindowBits > && other )

delete

◆ operator=() [2/2]

template<typename C, size_t WindowBits>

BlindedScalarBits & Botan::BlindedScalarBits< C, WindowBits >::operator= ( const BlindedScalarBits< C, WindowBits > & other )

delete

Member Data Documentation

◆ Bits

template<typename C, size_t WindowBits>

size_t Botan::BlindedScalarBits< C, WindowBits >::Bits = C::Scalar::BITS + BlindingBits

staticconstexpr

Definition at line 1303 of file pcurves_impl.h.

The documentation for this class was generated from the following file:

src/lib/math/pcurves/pcurves_impl/pcurves_impl.h

Public Member Functions

Static Public Attributes

Detailed Description

Constructor & Destructor Documentation

◆ BlindedScalarBits() [1/3]

◆ ~BlindedScalarBits()

◆ BlindedScalarBits() [2/3]

◆ BlindedScalarBits() [3/3]

Member Function Documentation

◆ bits()

◆ get_window()

◆ operator=() [1/2]

◆ operator=() [2/2]

Member Data Documentation

◆ Bits