Botan  2.4.0
Crypto and TLS for C++11
Botan::Blinded_Point_Multiply Class Reference (final)

#include <point_gfp.h>

Public Member Functions

PointGFp blinded_multiply (const BigInt &scalar, RandomNumberGenerator &rng)
 
 Blinded_Point_Multiply (const PointGFp &base, const BigInt &order, size_t h=0)
 

Detailed Description

Definition at line 291 of file point_gfp.h.

Constructor & Destructor Documentation

◆ Blinded_Point_Multiply()

Botan::Blinded_Point_Multiply::Blinded_Point_Multiply ( const PointGFp &base, const BigInt &order, size_t h = 0 )

Definition at line 307 of file point_gfp.cpp.

// Blinded_Point_Multiply(const PointGFp& base, const BigInt& order, size_t h)
//
// Precomputes the table m_U of small multiples of `base`, centered so that
// m_U[3*m_h+1] is the zero point, m_U[3*m_h+1+j] == j*base and
// m_U[3*m_h+1-j] == -j*base for j = 1 .. 3*m_h+1.  Passing h == 0 selects
// the default of 4.  `order` is stored as m_order without any check that it
// is actually the order of `base`; blinded_multiply relies on the caller
// for that.  Throws Invalid_Argument if the (defaulted) h is outside 1..8.
 :
 m_h(h > 0 ? h : 4), m_order(order), m_ws(9)
 {
 // Upper bound is a sanity check rather than hard limit
 if(m_h < 1 || m_h > 8)
 throw Invalid_Argument("Blinded_Point_Multiply invalid h param");

 const CurveGFp& curve = base.get_curve();

 const PointGFp inv = -base;

 // 6*m_h + 3 entries: index 3*m_h+1 holds the zero point, with 3*m_h+1
 // positive multiples above it and 3*m_h+1 negative multiples below it.
 m_U.resize(6*m_h + 3);

 m_U[3*m_h+0] = inv;
 m_U[3*m_h+1] = PointGFp::zero_of(curve);
 m_U[3*m_h+2] = base;

 // Build outward from the center: each step adds `base` to the previous
 // positive entry and `inv` to the previous negative entry, reusing the
 // workspace m_ws.  The i == 1 iteration rewrites m_U[3*m_h+2] and
 // m_U[3*m_h] with the same values assigned just above.
 for(size_t i = 1; i <= 3 * m_h + 1; ++i)
 {
 m_U[3*m_h+1+i] = m_U[3*m_h+i];
 m_U[3*m_h+1+i].add(base, m_ws);

 m_U[3*m_h+1-i] = m_U[3*m_h+2-i];
 m_U[3*m_h+1-i].add(inv, m_ws);
 }
 }

Member Function Documentation

◆ blinded_multiply()

PointGFp Botan::Blinded_Point_Multiply::blinded_multiply ( const BigInt &scalar, RandomNumberGenerator &rng )

Definition at line 334 of file point_gfp.cpp.

References Botan::BigInt::bits(), Botan::BigInt::get_bit(), Botan::BigInt::is_negative(), Botan::RandomNumberGenerator::next_byte(), and Botan::PointGFp::randomize_repr().

// PointGFp Blinded_Point_Multiply::blinded_multiply(const BigInt& scalar_in,
//                                                   RandomNumberGenerator& rng)
//
// Returns scalar_in * base (the base point given to the constructor),
// computed along a randomized addition chain so that the sequence of
// point operations differs between calls with the same scalar.
// Throws Invalid_Argument if scalar_in is negative.  Re-randomizes the
// representations stored in m_U and writes the workspace m_ws, so a single
// instance must not be used from several threads at once without external
// synchronization.
//
// The header declares the parameter as `scalar`; the body names it
// scalar_in and reuses `scalar` for the (possibly blinded) value that is
// actually walked.
 {
 if(scalar_in.is_negative())
 throw Invalid_Argument("Blinded_Point_Multiply scalar must be positive");

#if BOTAN_POINTGFP_USE_SCALAR_BLINDING
 // Choose a small mask m and use k' = k + m*order (Coron's 1st countermeasure)
 // k' * base == k * base only if m_order annihilates base, which the
 // constructor does not verify.  The mask has about half as many bits as
 // m_order, so the walk below runs roughly (m_order.bits() + mask bits)
 // iterations regardless of the size of scalar_in.
 const BigInt mask(rng, (m_order.bits()+1)/2, false);
 const BigInt scalar = scalar_in + m_order * mask;
#else
 // Without blinding the loop below runs scalar_in.bits() times, so the
 // iteration count follows the bit length of the actual scalar.
 const BigInt& scalar = scalar_in;
#endif

 const size_t scalar_bits = scalar.bits();

 // Randomize each point representation (Coron's 3rd countermeasure)
 for(size_t i = 0; i != m_U.size(); ++i)
 m_U[i].randomize_repr(rng);

 PointGFp R = m_U.at(3*m_h + 2); // base point
 int32_t alpha = 0;

 R.randomize_repr(rng);

 /*
 Algorithm 7 from "Randomizing the Montgomery Powering Ladder"
 Duc-Phong Le, Chik How Tan and Michael Tunstall
 https://eprint.iacr.org/2015/657

 It takes a random walk through (a subset of) the set of addition
 chains that end in k.
 */
 // The first iteration reads bit index scalar_bits, one position above the
 // highest set bit (assuming bits() returns the bit length); bit 0 is
 // handled by the correction step after the loop.  Loop invariant: after
 // processing bit i, R == (2*K_i + alpha + 1) * base, where K_i is the
 // value of the bits above and including i, so the final step below
 // removes alpha and the (k0 ^ 1) offset to leave scalar * base.
 for(size_t i = scalar_bits; i > 0; i--)
 {
 const int32_t ki = scalar.get_bit(i);

 // choose gamma from -h,...,h
 // NOTE(review): next_byte() % (2*m_h) yields 0..2*m_h-1, so gamma actually
 // ranges over -m_h..m_h-1 and never takes the value +m_h, even though the
 // 6*m_h+3-entry table built by the constructor is sized exactly for
 // gamma in -m_h..m_h.  The result is unaffected (the correction step uses
 // whichever alpha was last chosen); only the set of possible walks is
 // smaller than the comment states.  When 2*m_h does not divide 256 (any
 // h other than 1, 2, 4 or 8) the byte reduction is also slightly biased.
 // If m_h is a size_t like its initializer h, the subtraction is performed
 // in unsigned arithmetic and relies on the wrap-around narrowing back to a
 // negative int32_t -- TODO confirm the declared type of m_h.
 const int32_t gamma = static_cast<int32_t>((rng.next_byte() % (2*m_h))) - m_h;
 // ki - (ki ^ 1) is +1 for a set bit and -1 for a clear bit.  With gamma
 // and alpha in [-m_h, m_h-1] this gives l in [-3*m_h+1, 3*m_h], so the
 // index 3*m_h+1+l lies in [2, 6*m_h+1] of the 6*m_h+3-entry table; at()
 // bounds-checks it in any case.
 const int32_t l = gamma - 2*alpha + ki - (ki ^ 1);

 R.mult2(m_ws);
 R.add(m_U.at(3*m_h + 1 + l), m_ws);
 alpha = gamma;
 }

 // Correction for bit 0 and the last gamma (alpha): the index lies in
 // [2*m_h+1, 4*m_h+1].  Unlike the loop this uses operator[] rather than
 // at(), so it depends on the bound above rather than a runtime check.
 const int32_t k0 = scalar.get_bit(0);
 R.add(m_U[3*m_h + 1 - alpha - (k0 ^ 1)], m_ws);


 //BOTAN_ASSERT(R.on_the_curve(), "Output is on the curve");

 return R;
 }
