Botan::BlindedScalarBits< C, WindowBits > Class Template Reference

#include <pcurves_impl.h>

Public Member Functions
constexpr size_t	bits () const
	BlindedScalarBits (BlindedScalarBits &&other)=delete
	BlindedScalarBits (const BlindedScalarBits &other)=delete
	BlindedScalarBits (const typename C::Scalar &scalar, RandomNumberGenerator &rng)
size_t	get_window (size_t offset) const
BlindedScalarBits &	operator= (BlindedScalarBits &&other)=delete
BlindedScalarBits &	operator= (const BlindedScalarBits &other)=delete
	~BlindedScalarBits ()

Static Public Attributes
static constexpr size_t	Bits = C::Scalar::BITS + (BlindingEnabled ? BlindingBits : 0)
static constexpr size_t	Bytes = (Bits + 7) / 8

Detailed Description

template<typename C, size_t WindowBits>
class Botan::BlindedScalarBits< C, WindowBits >

Blinded Scalar

This randomizes the scalar representation by computing s + n*k, where n is the group order and k is a random value

Note that the field arithmetic and point multiplication algorithms implemented in this file are already constant time; blinding is used here as an additional precaution to guard against compilers introducing conditional jumps where not expected.

If you would like a "go faster" button, change the BlindingEnabled variable below to false.

Definition at line 1259 of file pcurves_impl.h.

Constructor & Destructor Documentation

BlindedScalarBits() [1/3]

template<typename C, size_t WindowBits>

Botan::BlindedScalarBits< C, WindowBits >::BlindedScalarBits ( const typename C::Scalar & scalar, RandomNumberGenerator & rng )

inline

Definition at line 1301 of file pcurves_impl.h.

                                                                                    {
         if constexpr(BlindingEnabled) {
            constexpr size_t mask_words = BlindingBits / WordInfo<W>::bits;
            constexpr size_t mask_bytes = mask_words * WordInfo<W>::bytes;
 
            constexpr size_t n_words = C::Words;
 
            uint8_t maskb[mask_bytes] = {0};
            if(rng.is_seeded()) {
               rng.randomize(maskb, mask_bytes);
            } else {
               // If we don't have an RNG we don't have many good options. We
               // could just omit the blinding entirely, but this changes the
               // size of the blinded scalar, which we're expecting otherwise is
               // knowable at compile time. So generate a mask by XORing the
               // bytes of the scalar together. At worst, it's equivalent to
               // omitting the blinding entirely.
 
               std::array<uint8_t, C::Scalar::BYTES> sbytes = {};
               scalar.serialize_to(sbytes);
               for(size_t i = 0; i != sbytes.size(); ++i) {
                  maskb[i % mask_bytes] ^= sbytes[i];
               }
            }
 
            W mask[n_words] = {0};
            load_le(mask, maskb, mask_words);
            mask[mask_words - 1] |= WordInfo<W>::top_bit;
            mask[0] |= 1;
 
            W mask_n[2 * n_words] = {0};
 
            const auto sw = scalar.to_words();
 
            // Compute masked scalar s + k*n
            comba_mul<n_words>(mask_n, mask, C::NW.data());
            bigint_add2(mask_n, 2 * n_words, sw.data(), sw.size());
 
            std::reverse(mask_n, mask_n + 2 * n_words);
            m_bytes = store_be<std::vector<uint8_t>>(mask_n);
         } else {
            static_assert(Bytes == C::Scalar::BYTES);
            m_bytes.resize(Bytes);
            scalar.serialize_to(std::span{m_bytes}.template first<Bytes>());
         }
 
         CT::poison(m_bytes.data(), m_bytes.size());
      }

~BlindedScalarBits()

template<typename C, size_t WindowBits>

Botan::BlindedScalarBits< C, WindowBits >::~BlindedScalarBits ( )

inline

Definition at line 1355 of file pcurves_impl.h.

                           {
         secure_scrub_memory(m_bytes.data(), m_bytes.size());
         CT::unpoison(m_bytes.data(), m_bytes.size());
      }

BlindedScalarBits() [2/3]

template<typename C, size_t WindowBits>

Botan::BlindedScalarBits< C, WindowBits >::BlindedScalarBits ( const BlindedScalarBits< C, WindowBits > & other )

delete

BlindedScalarBits() [3/3]

template<typename C, size_t WindowBits>

Botan::BlindedScalarBits< C, WindowBits >::BlindedScalarBits ( BlindedScalarBits< C, WindowBits > && other )

delete

Member Function Documentation

bits()

template<typename C, size_t WindowBits>

size_t Botan::BlindedScalarBits< C, WindowBits >::bits ( ) const

inlineconstexpr

Definition at line 1299 of file pcurves_impl.h.

{ return Bits; }

get_window()

template<typename C, size_t WindowBits>

size_t Botan::BlindedScalarBits< C, WindowBits >::get_window ( size_t offset ) const

inline

Definition at line 1350 of file pcurves_impl.h.

                                             {
         // Extract a WindowBits sized window out of s, depending on offset.
         return read_window_bits<WindowBits>(std::span{m_bytes}, offset);
      }

Referenced by Botan::WindowedBoothMulTable< C, W >::mul().

operator=() [1/2]

template<typename C, size_t WindowBits>

BlindedScalarBits & Botan::BlindedScalarBits< C, WindowBits >::operator= ( BlindedScalarBits< C, WindowBits > && other )

delete

operator=() [2/2]

template<typename C, size_t WindowBits>

BlindedScalarBits & Botan::BlindedScalarBits< C, WindowBits >::operator= ( const BlindedScalarBits< C, WindowBits > & other )

delete

Member Data Documentation

Bits

template<typename C, size_t WindowBits>

size_t Botan::BlindedScalarBits< C, WindowBits >::Bits = C::Scalar::BITS + (BlindingEnabled ? BlindingBits : 0)

staticconstexpr

Definition at line 1296 of file pcurves_impl.h.

Bytes

template<typename C, size_t WindowBits>

size_t Botan::BlindedScalarBits< C, WindowBits >::Bytes = (Bits + 7) / 8

staticconstexpr

Definition at line 1297 of file pcurves_impl.h.

---

The documentation for this class was generated from the following file:

• src/lib/math/pcurves/pcurves_impl/pcurves_impl.h