Botan::EC_Mul2Table_Data_BN Class Referencefinal
#include <ec_inner_bn.h>
Inheritance diagram for Botan::EC_Mul2Table_Data_BN:
Public Member Functions | |
| EC_Mul2Table_Data_BN (const EC_AffinePoint_Data &g, const EC_AffinePoint_Data &h) | |
| std::unique_ptr< EC_AffinePoint_Data > | mul2_vartime (const EC_Scalar_Data &x, const EC_Scalar_Data &y) const override |
| bool | mul2_vartime_x_mod_order_eq (const EC_Scalar_Data &v, const EC_Scalar_Data &x, const EC_Scalar_Data &y) const override |
Detailed Description
Definition at line 91 of file ec_inner_bn.h.
Constructor & Destructor Documentation
◆ EC_Mul2Table_Data_BN()
| Botan::EC_Mul2Table_Data_BN::EC_Mul2Table_Data_BN | ( | const EC_AffinePoint_Data & | g, |
| const EC_AffinePoint_Data & | h ) |
Definition at line 165 of file ec_inner_bn.cpp.
165 :
166 m_group(g.group()), m_tbl(g.to_legacy_point(), h.to_legacy_point()) {
168}
References BOTAN_ARG_CHECK, and Botan::EC_AffinePoint_Data::group().
Member Function Documentation
◆ mul2_vartime()
|
overridevirtual |
Implements Botan::EC_Mul2Table_Data.
Definition at line 170 of file ec_inner_bn.cpp.
171 {
173
177
178 if(pt.is_zero()) {
179 return nullptr;
180 }
181 return std::make_unique<EC_AffinePoint_Data_BN>(m_group, std::move(pt));
182}
EC_Point multi_exp(const BigInt &k1, const BigInt &k2) const
Definition point_mul.cpp:327
static const EC_Scalar_Data_BN & checked_ref(const EC_Scalar_Data &data)
Definition ec_inner_bn.cpp:11
References BOTAN_ARG_CHECK, Botan::EC_Scalar_Data_BN::checked_ref(), Botan::EC_Scalar_Data::group(), and Botan::EC_Point_Multi_Point_Precompute::multi_exp().
◆ mul2_vartime_x_mod_order_eq()
|
overridevirtual |
Implements Botan::EC_Mul2Table_Data.
Definition at line 184 of file ec_inner_bn.cpp.
186 {
187 BOTAN_ARG_CHECK(x.group() == m_group && y.group() == m_group && v.group() == m_group, "Curve mismatch");
188
193
194 if(pt.is_zero()) {
195 return false;
196 }
197
198 /*
199 * The trick used below doesn't work for curves with cofactors
200 */
201 if(m_group->has_cofactor()) {
202 return m_group->mod_order(pt.get_affine_x()) == bn_v.value();
203 }
204
205 /*
206 * Note we're working with the projective coordinate directly here!
207 * Nominally we're comparing v with the affine x coordinate.
208 *
209 * return m_group->mod_order(pt.get_affine_x()) == bn_v.value();
210 *
211 * However by instead projecting r to an identical z as the x
212 * coordinate, we can compare without having to perform an
213 * expensive inversion in the field.
214 *
215 * That is, given (x*z2) and r, instead of checking if
216 * (x*z2)*z2^-1 == r,
217 * we check if
218 * (x*z2) == (r*z2)
219 */
220 auto& curve = m_group->curve();
221
222 secure_vector<word> ws;
223 BigInt vr = bn_v.value();
224 curve.to_rep(vr, ws);
225 BigInt z2, v_z2;
226 curve.sqr(z2, pt.get_z(), ws);
227 curve.mul(v_z2, vr, z2, ws);
228
229 /*
230 * Since (typically) the group order is slightly less than the size
231 * of the field elements, its possible the signer had to reduce the
232 * r component. If they did not reduce r, then this value is correct.
233 *
234 * Due to the Hasse bound, this case occurs almost always; the
235 * probability that a reduction was actually required is
236 * approximately 1 in 2^(n/2) where n is the bit length of the curve.
237 */
238 if(pt.get_x() == v_z2) {
239 return true;
240 }
241
242 if(m_group->order_is_less_than_p()) {
243 vr = bn_v.value() + m_group->order();
244 if(vr < m_group->p()) {
245 curve.to_rep(vr, ws);
246 curve.mul(v_z2, vr, z2, ws);
247
248 if(pt.get_x() == v_z2) {
249 return true;
250 }
251 }
252 }
253
254 // Reject:
255 return false;
256}
References BOTAN_ARG_CHECK, Botan::EC_Scalar_Data_BN::checked_ref(), Botan::EC_Scalar_Data::group(), Botan::BigInt::mul(), and Botan::EC_Point_Multi_Point_Precompute::multi_exp().
The documentation for this class was generated from the following files:
- src/lib/pubkey/ec_group/ec_inner_bn.h
- src/lib/pubkey/ec_group/ec_inner_bn.cpp
Generated by
1.12.0