Botan::EC_Point Class Reference

#include <ec_point.h>

Public Types
enum	{ WORKSPACE_SIZE = 8 }
typedef EC_Point_Format	Compression_Type

Public Member Functions
void	add (const EC_Point &other, std::vector< BigInt > &workspace)
void	add (const word x_words[], size_t x_size, const word y_words[], size_t y_size, const word z_words[], size_t z_size, std::vector< BigInt > &workspace)
void	add_affine (const EC_Point &other, std::vector< BigInt > &workspace)
void	add_affine (const word x_words[], size_t x_size, const word y_words[], size_t y_size, std::vector< BigInt > &workspace)
EC_Point	double_of (std::vector< BigInt > &workspace) const
	EC_Point ()=default
	EC_Point (const CurveGFp &curve)
	EC_Point (const CurveGFp &curve, const BigInt &x, const BigInt &y)
	EC_Point (const EC_Point &)=default
	EC_Point (EC_Point &&other)
std::vector< uint8_t >	encode (EC_Point_Format format) const
void	force_affine ()
BigInt	get_affine_x () const
BigInt	get_affine_y () const
const CurveGFp &	get_curve () const
const BigInt &	get_x () const
const BigInt &	get_y () const
const BigInt &	get_z () const
bool	is_affine () const
bool	is_zero () const
void	mult2 (std::vector< BigInt > &workspace)
void	mult2i (size_t i, std::vector< BigInt > &workspace)
EC_Point &	negate ()
bool	on_the_curve () const
EC_Point &	operator*= (const BigInt &scalar)
EC_Point &	operator+= (const EC_Point &rhs)
EC_Point &	operator-= (const EC_Point &rhs)
EC_Point &	operator= (const EC_Point &)=default
EC_Point &	operator= (EC_Point &&other)
bool	operator== (const EC_Point &other) const
EC_Point	plus (const EC_Point &other, std::vector< BigInt > &workspace) const
void	randomize_repr (RandomNumberGenerator &rng)
void	randomize_repr (RandomNumberGenerator &rng, secure_vector< word > &ws)
void	swap (EC_Point &other)
void	swap_coords (BigInt &new_x, BigInt &new_y, BigInt &new_z)
EC_Point	zero () const

Static Public Member Functions
static void	force_all_affine (std::vector< EC_Point > &points, secure_vector< word > &ws)

Detailed Description

This class represents one point on a curve of GF(p)

Definition at line 32 of file ec_point.h.

Member Typedef Documentation

Compression_Type

typedef EC_Point_Format Botan::EC_Point::Compression_Type

Definition at line 34 of file ec_point.h.

Member Enumeration Documentation

anonymous enum

anonymous enum

Enumerator
WORKSPACE_SIZE

Definition at line 37 of file ec_point.h.

{ WORKSPACE_SIZE = 8 };

Constructor & Destructor Documentation

EC_Point() [1/5]

Botan::EC_Point::EC_Point ( )

default

Construct an uninitialized EC_Point

Referenced by mult2(), mult2i(), and operator-=().

EC_Point() [2/5]

Botan::EC_Point::EC_Point ( const CurveGFp &  curve )

explicit

Construct the zero point

Parameters

curve

The base curve

Definition at line 18 of file ec_point.cpp.

                                        : m_curve(curve), m_coord_x(0), m_coord_y(curve.get_1_rep()), m_coord_z(0) {
   // Assumes Montgomery rep of zero is zero
}

EC_Point() [3/5]

Botan::EC_Point::EC_Point ( const EC_Point &  )

default

Copy constructor

EC_Point() [4/5]

Botan::EC_Point::EC_Point ( EC_Point &&  other )

inline

Move Constructor

Definition at line 58 of file ec_point.h.

{ this->swap(other); }

EC_Point() [5/5]

Botan::EC_Point::EC_Point	(	const CurveGFp &	curve,
		const BigInt &	x,
		const BigInt &	y
	)

Construct a point from its affine coordinates Prefer EC_Group::point(x,y) for this operation.

Parameters

curve	the base curve
x	affine x coordinate
y	affine y coordinate

Definition at line 22 of file ec_point.cpp.

                                                                          :
      m_curve(curve), m_coord_x(x), m_coord_y(y), m_coord_z(m_curve.get_1_rep()) {
   if(x < 0 || x >= curve.get_p()) {
      throw Invalid_Argument("Invalid EC_Point affine x");
   }
   if(y < 0 || y >= curve.get_p()) {
      throw Invalid_Argument("Invalid EC_Point affine y");
   }
 
   secure_vector<word> monty_ws(m_curve.get_ws_size());
   m_curve.to_rep(m_coord_x, monty_ws);
   m_curve.to_rep(m_coord_y, monty_ws);
}

References Botan::CurveGFp::get_p(), Botan::CurveGFp::get_ws_size(), and Botan::CurveGFp::to_rep().

Member Function Documentation

add() [1/2]

void Botan::EC_Point::add ( const EC_Point &  other, std::vector< BigInt > &  workspace  )

inline

Point addition

Parameters

other	the point to add to *this
workspace	temp space, at least WORKSPACE_SIZE elements

Definition at line 212 of file ec_point.h.

                                                                    {
         BOTAN_ARG_CHECK(m_curve == other.m_curve, "cannot add points on different curves");
 
         const size_t p_words = m_curve.get_p_words();
 
         add(other.m_coord_x.data(),
             std::min(p_words, other.m_coord_x.size()),
             other.m_coord_y.data(),
             std::min(p_words, other.m_coord_y.size()),
             other.m_coord_z.data(),
             std::min(p_words, other.m_coord_z.size()),
             workspace);
      }

References BOTAN_ARG_CHECK, Botan::BigInt::data(), and Botan::BigInt::size().

Referenced by Botan::EC_Point_Var_Point_Precompute::mul(), Botan::EC_Point_Multi_Point_Precompute::multi_exp(), Botan::operator*(), operator+=(), and plus().

add() [2/2]

void Botan::EC_Point::add	(	const word	x_words[],
		size_t	x_size,
		const word	y_words[],
		size_t	y_size,
		const word	z_words[],
		size_t	z_size,
		std::vector< BigInt > &	workspace
	)

Point addition. Array version.

Parameters

x_words	the words of the x coordinate of the other point
x_size	size of x_words
y_words	the words of the y coordinate of the other point
y_size	size of y_words
z_words	the words of the z coordinate of the other point
z_size	size of z_words
workspace	temp space, at least WORKSPACE_SIZE elements

Definition at line 150 of file ec_point.cpp.

                                             {
   if((CT::all_zeros(x_words, x_size) & CT::all_zeros(z_words, z_size)).is_set()) {
      return;
   }
 
   if(is_zero()) {
      m_coord_x.set_words(x_words, x_size);
      m_coord_y.set_words(y_words, y_size);
      m_coord_z.set_words(z_words, z_size);
      return;
   }
 
   resize_ws(ws_bn, m_curve.get_ws_size());
 
   secure_vector<word>& ws = ws_bn[0].get_word_vector();
   secure_vector<word>& sub_ws = ws_bn[1].get_word_vector();
 
   BigInt& T0 = ws_bn[2];
   BigInt& T1 = ws_bn[3];
   BigInt& T2 = ws_bn[4];
   BigInt& T3 = ws_bn[5];
   BigInt& T4 = ws_bn[6];
   BigInt& T5 = ws_bn[7];
 
   /*
   https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2
   */
 
   const BigInt& p = m_curve.get_p();
 
   m_curve.sqr(T0, z_words, z_size, ws);      // z2^2
   m_curve.mul(T1, m_coord_x, T0, ws);        // x1*z2^2
   m_curve.mul(T3, z_words, z_size, T0, ws);  // z2^3
   m_curve.mul(T2, m_coord_y, T3, ws);        // y1*z2^3
 
   m_curve.sqr(T3, m_coord_z, ws);            // z1^2
   m_curve.mul(T4, x_words, x_size, T3, ws);  // x2*z1^2
 
   m_curve.mul(T5, m_coord_z, T3, ws);        // z1^3
   m_curve.mul(T0, y_words, y_size, T5, ws);  // y2*z1^3
 
   T4.mod_sub(T1, p, sub_ws);  // x2*z1^2 - x1*z2^2
 
   T0.mod_sub(T2, p, sub_ws);
 
   if(T4.is_zero()) {
      if(T0.is_zero()) {
         mult2(ws_bn);
         return;
      }
 
      // setting to zero:
      m_coord_x.clear();
      m_coord_y = m_curve.get_1_rep();
      m_coord_z.clear();
      return;
   }
 
   m_curve.sqr(T5, T4, ws);
 
   m_curve.mul(T3, T1, T5, ws);
 
   m_curve.mul(T1, T5, T4, ws);
 
   m_curve.sqr(m_coord_x, T0, ws);
   m_coord_x.mod_sub(T1, p, sub_ws);
   m_coord_x.mod_sub(T3, p, sub_ws);
   m_coord_x.mod_sub(T3, p, sub_ws);
 
   T3.mod_sub(m_coord_x, p, sub_ws);
 
   m_curve.mul(m_coord_y, T0, T3, ws);
   m_curve.mul(T3, T2, T1, ws);
 
   m_coord_y.mod_sub(T3, p, sub_ws);
 
   m_curve.mul(T3, z_words, z_size, m_coord_z, ws);
   m_curve.mul(m_coord_z, T3, T4, ws);
}

References Botan::CT::all_zeros(), Botan::BigInt::clear(), Botan::CurveGFp::get_1_rep(), Botan::CurveGFp::get_p(), Botan::CurveGFp::get_ws_size(), Botan::BigInt::is_zero(), is_zero(), Botan::BigInt::mod_sub(), Botan::CurveGFp::mul(), mult2(), Botan::BigInt::set_words(), and Botan::CurveGFp::sqr().

add_affine() [1/2]

void Botan::EC_Point::add_affine ( const EC_Point &  other, std::vector< BigInt > &  workspace  )

inline

Point addition - mixed J+A

Parameters

other	affine point to add - assumed to be affine!
workspace	temp space, at least WORKSPACE_SIZE elements

Definition at line 250 of file ec_point.h.

                                                                           {
         BOTAN_ASSERT_NOMSG(m_curve == other.m_curve);
         BOTAN_DEBUG_ASSERT(other.is_affine());
 
         const size_t p_words = m_curve.get_p_words();
         add_affine(other.m_coord_x.data(),
                    std::min(p_words, other.m_coord_x.size()),
                    other.m_coord_y.data(),
                    std::min(p_words, other.m_coord_y.size()),
                    workspace);
      }

References BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, Botan::BigInt::data(), is_affine(), and Botan::BigInt::size().

Referenced by Botan::EC_Point_Base_Point_Precompute::mul(), and Botan::EC_Point_Multi_Point_Precompute::multi_exp().

add_affine() [2/2]

void Botan::EC_Point::add_affine	(	const word	x_words[],
		size_t	x_size,
		const word	y_words[],
		size_t	y_size,
		std::vector< BigInt > &	workspace
	)

Point addition - mixed J+A. Array version.

Parameters

x_words	the words of the x coordinate of the other point
x_size	size of x_words
y_words	the words of the y coordinate of the other point
y_size	size of y_words
workspace	temp space, at least WORKSPACE_SIZE elements

Definition at line 73 of file ec_point.cpp.

                                                                                                       {
   if((CT::all_zeros(x_words, x_size) & CT::all_zeros(y_words, y_size)).is_set()) {
      return;
   }
 
   if(is_zero()) {
      m_coord_x.set_words(x_words, x_size);
      m_coord_y.set_words(y_words, y_size);
      m_coord_z = m_curve.get_1_rep();
      return;
   }
 
   resize_ws(ws_bn, m_curve.get_ws_size());
 
   secure_vector<word>& ws = ws_bn[0].get_word_vector();
   secure_vector<word>& sub_ws = ws_bn[1].get_word_vector();
 
   BigInt& T0 = ws_bn[2];
   BigInt& T1 = ws_bn[3];
   BigInt& T2 = ws_bn[4];
   BigInt& T3 = ws_bn[5];
   BigInt& T4 = ws_bn[6];
 
   /*
   https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2
   simplified with Z2 = 1
   */
 
   const BigInt& p = m_curve.get_p();
 
   m_curve.sqr(T3, m_coord_z, ws);            // z1^2
   m_curve.mul(T4, x_words, x_size, T3, ws);  // x2*z1^2
 
   m_curve.mul(T2, m_coord_z, T3, ws);        // z1^3
   m_curve.mul(T0, y_words, y_size, T2, ws);  // y2*z1^3
 
   T4.mod_sub(m_coord_x, p, sub_ws);  // x2*z1^2 - x1*z2^2
 
   T0.mod_sub(m_coord_y, p, sub_ws);
 
   if(T4.is_zero()) {
      if(T0.is_zero()) {
         mult2(ws_bn);
         return;
      }
 
      // setting to zero:
      m_coord_x.clear();
      m_coord_y = m_curve.get_1_rep();
      m_coord_z.clear();
      return;
   }
 
   m_curve.sqr(T2, T4, ws);
 
   m_curve.mul(T3, m_coord_x, T2, ws);
 
   m_curve.mul(T1, T2, T4, ws);
 
   m_curve.sqr(m_coord_x, T0, ws);
   m_coord_x.mod_sub(T1, p, sub_ws);
 
   m_coord_x.mod_sub(T3, p, sub_ws);
   m_coord_x.mod_sub(T3, p, sub_ws);
 
   T3.mod_sub(m_coord_x, p, sub_ws);
 
   m_curve.mul(T2, T0, T3, ws);
   m_curve.mul(T0, m_coord_y, T1, ws);
   T2.mod_sub(T0, p, sub_ws);
   m_coord_y.swap(T2);
 
   m_curve.mul(T0, m_coord_z, T4, ws);
   m_coord_z.swap(T0);
}

References Botan::CT::all_zeros(), Botan::BigInt::clear(), Botan::CurveGFp::get_1_rep(), Botan::CurveGFp::get_p(), Botan::CurveGFp::get_ws_size(), Botan::BigInt::is_zero(), is_zero(), Botan::BigInt::mod_sub(), Botan::CurveGFp::mul(), mult2(), Botan::BigInt::set_words(), Botan::CurveGFp::sqr(), and Botan::BigInt::swap().

double_of()

EC_Point Botan::EC_Point::double_of ( std::vector< BigInt > &  workspace ) const

inline

Point doubling

Parameters

workspace

temp space, at least WORKSPACE_SIZE elements

Returns

*this doubled

Definition at line 304 of file ec_point.h.

                                                             {
         EC_Point x = (*this);
         x.mult2(workspace);
         return x;
      }

References mult2().

Referenced by Botan::EC_Point_Var_Point_Precompute::EC_Point_Var_Point_Precompute().

encode()

std::vector< uint8_t > Botan::EC_Point::encode

(

EC_Point_Format

format

)

const

EC2OSP - elliptic curve to octet string primitive

Parameters

format

which format to encode using

Definition at line 568 of file ec_point.cpp.

                                                                {
   if(is_zero()) {
      return std::vector<uint8_t>(1);  // single 0 byte
   }
 
   const size_t p_bytes = m_curve.get_p().bytes();
 
   const BigInt x = get_affine_x();
   const BigInt y = get_affine_y();
 
   std::vector<uint8_t> result;
 
   if(format == EC_Point_Format::Uncompressed) {
      result.resize(1 + 2 * p_bytes);
      result[0] = 0x04;
      BigInt::encode_1363(&result[1], p_bytes, x);
      BigInt::encode_1363(&result[1 + p_bytes], p_bytes, y);
   } else if(format == EC_Point_Format::Compressed) {
      result.resize(1 + p_bytes);
      result[0] = 0x02 | static_cast<uint8_t>(y.get_bit(0));
      BigInt::encode_1363(&result[1], p_bytes, x);
   } else if(format == EC_Point_Format::Hybrid) {
      result.resize(1 + 2 * p_bytes);
      result[0] = 0x06 | static_cast<uint8_t>(y.get_bit(0));
      BigInt::encode_1363(&result[1], p_bytes, x);
      BigInt::encode_1363(&result[1 + p_bytes], p_bytes, y);
   } else {
      throw Invalid_Argument("EC2OSP illegal point encoding");
   }
 
   return result;
}

References Botan::BigInt::bytes(), Botan::Compressed, Botan::BigInt::encode_1363(), get_affine_x(), get_affine_y(), Botan::BigInt::get_bit(), Botan::CurveGFp::get_p(), Botan::Hybrid, is_zero(), and Botan::Uncompressed.

Referenced by Botan::ECIES_KA_Operation::derive_secret(), Botan::ECIES_Encryptor::ECIES_Encryptor(), Botan::EC_PrivateKey::private_key_bits(), and Botan::EC_PublicKey::public_key_bits().

force_affine()

void Botan::EC_Point::force_affine

(

)

Force this point to affine coordinates

Definition at line 450 of file ec_point.cpp.

                            {
   if(is_zero()) {
      throw Invalid_State("Cannot convert zero ECC point to affine");
   }
 
   secure_vector<word> ws;
 
   const BigInt z_inv = m_curve.invert_element(m_coord_z, ws);
   const BigInt z2_inv = m_curve.sqr_to_tmp(z_inv, ws);
   const BigInt z3_inv = m_curve.mul_to_tmp(z_inv, z2_inv, ws);
   m_coord_x = m_curve.mul_to_tmp(m_coord_x, z2_inv, ws);
   m_coord_y = m_curve.mul_to_tmp(m_coord_y, z3_inv, ws);
   m_coord_z = m_curve.get_1_rep();
}

References Botan::CurveGFp::get_1_rep(), Botan::CurveGFp::invert_element(), is_zero(), Botan::CurveGFp::mul_to_tmp(), and Botan::CurveGFp::sqr_to_tmp().

force_all_affine()

void Botan::EC_Point::force_all_affine ( std::vector< EC_Point > &  points, secure_vector< word > &  ws  )

static

Force all points on the list to affine coordinates

Definition at line 388 of file ec_point.cpp.

                                                                                    {
   if(points.size() <= 1) {
      for(auto& point : points) {
         point.force_affine();
      }
      return;
   }
 
   for(auto& point : points) {
      if(point.is_zero()) {
         throw Invalid_State("Cannot convert zero ECC point to affine");
      }
   }
 
   /*
   For >= 2 points use Montgomery's trick
 
   See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography"
   (Hankerson, Menezes, Vanstone)
 
   TODO is it really necessary to save all k points in c?
   */
 
   const CurveGFp& curve = points[0].m_curve;
   const BigInt& rep_1 = curve.get_1_rep();
 
   if(ws.size() < curve.get_ws_size()) {
      ws.resize(curve.get_ws_size());
   }
 
   std::vector<BigInt> c(points.size());
   c[0] = points[0].m_coord_z;
 
   for(size_t i = 1; i != points.size(); ++i) {
      curve.mul(c[i], c[i - 1], points[i].m_coord_z, ws);
   }
 
   BigInt s_inv = curve.invert_element(c[c.size() - 1], ws);
 
   BigInt z_inv, z2_inv, z3_inv;
 
   for(size_t i = points.size() - 1; i != 0; i--) {
      EC_Point& point = points[i];
 
      curve.mul(z_inv, s_inv, c[i - 1], ws);
 
      s_inv = curve.mul_to_tmp(s_inv, point.m_coord_z, ws);
 
      curve.sqr(z2_inv, z_inv, ws);
      curve.mul(z3_inv, z2_inv, z_inv, ws);
      point.m_coord_x = curve.mul_to_tmp(point.m_coord_x, z2_inv, ws);
      point.m_coord_y = curve.mul_to_tmp(point.m_coord_y, z3_inv, ws);
      point.m_coord_z = rep_1;
   }
 
   curve.sqr(z2_inv, s_inv, ws);
   curve.mul(z3_inv, z2_inv, s_inv, ws);
   points[0].m_coord_x = curve.mul_to_tmp(points[0].m_coord_x, z2_inv, ws);
   points[0].m_coord_y = curve.mul_to_tmp(points[0].m_coord_y, z3_inv, ws);
   points[0].m_coord_z = rep_1;
}

References Botan::CurveGFp::get_1_rep(), Botan::CurveGFp::get_ws_size(), Botan::CurveGFp::invert_element(), Botan::CurveGFp::mul(), Botan::CurveGFp::mul_to_tmp(), Botan::BigInt::resize(), and Botan::CurveGFp::sqr().

Referenced by Botan::EC_Point_Base_Point_Precompute::EC_Point_Base_Point_Precompute(), and Botan::EC_Point_Multi_Point_Precompute::EC_Point_Multi_Point_Precompute().

get_affine_x()

BigInt Botan::EC_Point::get_affine_x

(

)

const

get affine x coordinate

Returns

affine x coordinate

Definition at line 469 of file ec_point.cpp.

                                    {
   if(is_zero()) {
      throw Invalid_State("Cannot convert zero point to affine");
   }
 
   secure_vector<word> monty_ws;
 
   if(is_affine()) {
      return m_curve.from_rep_to_tmp(m_coord_x, monty_ws);
   }
 
   BigInt z2 = m_curve.sqr_to_tmp(m_coord_z, monty_ws);
   z2 = m_curve.invert_element(z2, monty_ws);
 
   BigInt r;
   m_curve.mul(r, m_coord_x, z2, monty_ws);
   m_curve.from_rep(r, monty_ws);
   return r;
}

References Botan::CurveGFp::from_rep(), Botan::CurveGFp::from_rep_to_tmp(), Botan::CurveGFp::invert_element(), is_affine(), is_zero(), Botan::CurveGFp::mul(), and Botan::CurveGFp::sqr_to_tmp().

Referenced by Botan::EC_Group::blinded_base_point_multiply_x(), encode(), operator==(), Botan::GOST_3410_PublicKey::public_key_bits(), and Botan::sm2_compute_za().

get_affine_y()

BigInt Botan::EC_Point::get_affine_y

(

)

const

get affine y coordinate

Returns

affine y coordinate

Definition at line 489 of file ec_point.cpp.

                                    {
   if(is_zero()) {
      throw Invalid_State("Cannot convert zero point to affine");
   }
 
   secure_vector<word> monty_ws;
 
   if(is_affine()) {
      return m_curve.from_rep_to_tmp(m_coord_y, monty_ws);
   }
 
   const BigInt z2 = m_curve.sqr_to_tmp(m_coord_z, monty_ws);
   const BigInt z3 = m_curve.mul_to_tmp(m_coord_z, z2, monty_ws);
   const BigInt z3_inv = m_curve.invert_element(z3, monty_ws);
 
   BigInt r;
   m_curve.mul(r, m_coord_y, z3_inv, monty_ws);
   m_curve.from_rep(r, monty_ws);
   return r;
}

References Botan::CurveGFp::from_rep(), Botan::CurveGFp::from_rep_to_tmp(), Botan::CurveGFp::invert_element(), is_affine(), is_zero(), Botan::CurveGFp::mul(), Botan::CurveGFp::mul_to_tmp(), and Botan::CurveGFp::sqr_to_tmp().

Referenced by encode(), operator==(), Botan::GOST_3410_PublicKey::public_key_bits(), and Botan::sm2_compute_za().

get_curve()

const CurveGFp & Botan::EC_Point::get_curve ( ) const

inline

Return base curve of this point

Returns

the curve over GF(p) of this point

You should not need to use this

Definition at line 321 of file ec_point.h.

{ return m_curve; }

Referenced by Botan::EC_Point_Base_Point_Precompute::EC_Point_Base_Point_Precompute().

get_x()

const BigInt & Botan::EC_Point::get_x ( ) const

inline

Return the internal x coordinate

Note this may be in Montgomery form

Definition at line 137 of file ec_point.h.

{ return m_coord_x; }

Referenced by Botan::EC_PublicKey::get_int_field().

get_y()

const BigInt & Botan::EC_Point::get_y ( ) const

inline

Return the internal y coordinate

Note this may be in Montgomery form

Definition at line 144 of file ec_point.h.

{ return m_coord_y; }

Referenced by Botan::EC_PublicKey::get_int_field().

get_z()

const BigInt & Botan::EC_Point::get_z ( ) const

inline

Return the internal z coordinate

Note this may be in Montgomery form

Definition at line 151 of file ec_point.h.

{ return m_coord_z; }

is_affine()

bool Botan::EC_Point::is_affine

(

)

const

Definition at line 465 of file ec_point.cpp.

                               {
   return m_curve.is_one(m_coord_z);
}

References Botan::CurveGFp::is_one().

Referenced by add_affine(), get_affine_x(), and get_affine_y().

is_zero()

bool Botan::EC_Point::is_zero ( ) const

inline

Is this the point at infinity?

Returns

true, if this point is at infinity, false otherwise.

Definition at line 175 of file ec_point.h.

{ return m_coord_z.is_zero(); }

Referenced by add(), add_affine(), Botan::EC_Group::blinded_base_point_multiply_x(), Botan::ECIES_KA_Operation::derive_secret(), encode(), force_affine(), get_affine_x(), get_affine_y(), mult2(), on_the_curve(), operator-=(), operator==(), and Botan::EC_Group::verify_public_element().

mult2()

void Botan::EC_Point::mult2

(

std::vector< BigInt > &

workspace

)

Point doubling

Parameters

workspace

temp space, at least WORKSPACE_SIZE elements

Definition at line 256 of file ec_point.cpp.

                                             {
   if(is_zero()) {
      return;
   }
 
   if(m_coord_y.is_zero()) {
      *this = EC_Point(m_curve);  // setting myself to zero
      return;
   }
 
   resize_ws(ws_bn, m_curve.get_ws_size());
 
   secure_vector<word>& ws = ws_bn[0].get_word_vector();
   secure_vector<word>& sub_ws = ws_bn[1].get_word_vector();
 
   BigInt& T0 = ws_bn[2];
   BigInt& T1 = ws_bn[3];
   BigInt& T2 = ws_bn[4];
   BigInt& T3 = ws_bn[5];
   BigInt& T4 = ws_bn[6];
 
   /*
   https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-1986-cc
   */
   const BigInt& p = m_curve.get_p();
 
   m_curve.sqr(T0, m_coord_y, ws);
 
   m_curve.mul(T1, m_coord_x, T0, ws);
   T1.mod_mul(4, p, sub_ws);
 
   if(m_curve.a_is_zero()) {
      // if a == 0 then 3*x^2 + a*z^4 is just 3*x^2
      m_curve.sqr(T4, m_coord_x, ws);  // x^2
      T4.mod_mul(3, p, sub_ws);        // 3*x^2
   } else if(m_curve.a_is_minus_3()) {
      /*
      if a == -3 then
        3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2)
      */
      m_curve.sqr(T3, m_coord_z, ws);  // z^2
 
      // (x-z^2)
      T2 = m_coord_x;
      T2.mod_sub(T3, p, sub_ws);
 
      // (x+z^2)
      T3.mod_add(m_coord_x, p, sub_ws);
 
      m_curve.mul(T4, T2, T3, ws);  // (x-z^2)*(x+z^2)
 
      T4.mod_mul(3, p, sub_ws);  // 3*(x-z^2)*(x+z^2)
   } else {
      m_curve.sqr(T3, m_coord_z, ws);                // z^2
      m_curve.sqr(T4, T3, ws);                       // z^4
      m_curve.mul(T3, m_curve.get_a_rep(), T4, ws);  // a*z^4
 
      m_curve.sqr(T4, m_coord_x, ws);  // x^2
      T4.mod_mul(3, p, sub_ws);
      T4.mod_add(T3, p, sub_ws);  // 3*x^2 + a*z^4
   }
 
   m_curve.sqr(T2, T4, ws);
   T2.mod_sub(T1, p, sub_ws);
   T2.mod_sub(T1, p, sub_ws);
 
   m_curve.sqr(T3, T0, ws);
   T3.mod_mul(8, p, sub_ws);
 
   T1.mod_sub(T2, p, sub_ws);
 
   m_curve.mul(T0, T4, T1, ws);
   T0.mod_sub(T3, p, sub_ws);
 
   m_coord_x.swap(T2);
 
   m_curve.mul(T2, m_coord_y, m_coord_z, ws);
   T2.mod_mul(2, p, sub_ws);
 
   m_coord_y.swap(T0);
   m_coord_z.swap(T2);
}

References Botan::CurveGFp::a_is_minus_3(), Botan::CurveGFp::a_is_zero(), EC_Point(), Botan::CurveGFp::get_a_rep(), Botan::CurveGFp::get_p(), Botan::CurveGFp::get_ws_size(), Botan::BigInt::is_zero(), is_zero(), Botan::BigInt::mod_add(), Botan::BigInt::mod_mul(), Botan::BigInt::mod_sub(), Botan::CurveGFp::mul(), Botan::CurveGFp::sqr(), and Botan::BigInt::swap().

Referenced by add(), add_affine(), double_of(), Botan::EC_Point_Base_Point_Precompute::EC_Point_Base_Point_Precompute(), Botan::EC_Point_Multi_Point_Precompute::EC_Point_Multi_Point_Precompute(), mult2i(), and Botan::operator*().

mult2i()

void Botan::EC_Point::mult2i	(	size_t	i,
		std::vector< BigInt > &	workspace
	)

Repeated point doubling

Parameters

i	number of doublings to perform
workspace	temp space, at least WORKSPACE_SIZE elements

Definition at line 236 of file ec_point.cpp.

                                                                 {
   if(iterations == 0) {
      return;
   }
 
   if(m_coord_y.is_zero()) {
      *this = EC_Point(m_curve);  // setting myself to zero
      return;
   }
 
   /*
   TODO we can save 2 squarings per iteration by computing
   a*Z^4 using values cached from previous iteration
   */
   for(size_t i = 0; i != iterations; ++i) {
      mult2(ws_bn);
   }
}

References EC_Point(), Botan::BigInt::is_zero(), and mult2().

Referenced by Botan::EC_Point_Var_Point_Precompute::mul(), and Botan::EC_Point_Multi_Point_Precompute::multi_exp().

negate()

EC_Point & Botan::EC_Point::negate ( )

inline

Negate this point

Returns

*this

Definition at line 114 of file ec_point.h.

                         {
         if(!is_zero())
            m_coord_y = m_curve.get_p() - m_coord_y;
         return *this;
      }

Referenced by Botan::EC_Point_Multi_Point_Precompute::multi_exp(), Botan::operator*(), and Botan::operator-().

on_the_curve()

bool Botan::EC_Point::on_the_curve

(

)

const

Checks whether the point is to be found on the underlying curve; used to prevent fault attacks.

Returns

if the point is on the curve

Definition at line 510 of file ec_point.cpp.

                                  {
   /*
   Is the point still on the curve?? (If everything is correct, the
   point is always on its curve; then the function will return true.
   If somehow the state is corrupted, which suggests a fault attack
   (or internal computational error), then return false.
   */
   if(is_zero()) {
      return true;
   }
 
   secure_vector<word> monty_ws;
 
   const BigInt y2 = m_curve.from_rep_to_tmp(m_curve.sqr_to_tmp(m_coord_y, monty_ws), monty_ws);
   const BigInt x3 = m_curve.mul_to_tmp(m_coord_x, m_curve.sqr_to_tmp(m_coord_x, monty_ws), monty_ws);
   const BigInt ax = m_curve.mul_to_tmp(m_coord_x, m_curve.get_a_rep(), monty_ws);
   const BigInt z2 = m_curve.sqr_to_tmp(m_coord_z, monty_ws);
 
   if(m_coord_z == z2)  // Is z equal to 1 (in Montgomery form)?
   {
      if(y2 != m_curve.from_rep_to_tmp(x3 + ax + m_curve.get_b_rep(), monty_ws)) {
         return false;
      }
   }
 
   const BigInt z3 = m_curve.mul_to_tmp(m_coord_z, z2, monty_ws);
   const BigInt ax_z4 = m_curve.mul_to_tmp(ax, m_curve.sqr_to_tmp(z2, monty_ws), monty_ws);
   const BigInt b_z6 = m_curve.mul_to_tmp(m_curve.get_b_rep(), m_curve.sqr_to_tmp(z3, monty_ws), monty_ws);
 
   if(y2 != m_curve.from_rep_to_tmp(x3 + ax_z4 + b_z6, monty_ws)) {
      return false;
   }
 
   return true;
}

References Botan::CurveGFp::from_rep_to_tmp(), Botan::CurveGFp::get_a_rep(), Botan::CurveGFp::get_b_rep(), is_zero(), Botan::CurveGFp::mul_to_tmp(), and Botan::CurveGFp::sqr_to_tmp().

Referenced by Botan::EC_Point_Multi_Point_Precompute::EC_Point_Multi_Point_Precompute(), Botan::EC_PrivateKey::EC_PrivateKey(), Botan::GOST_3410_PublicKey::GOST_3410_PublicKey(), Botan::EC_Point_Base_Point_Precompute::mul(), Botan::EC_Point_Var_Point_Precompute::mul(), Botan::operator*(), Botan::OS2ECP(), Botan::EC_Group::verify_group(), and Botan::EC_Group::verify_public_element().

operator*=()

EC_Point & Botan::EC_Point::operator*=

(

const BigInt &

scalar

)

*= Operator

Parameters

scalar

the EC_Point to multiply with *this

Returns

resulting EC_Point

Definition at line 358 of file ec_point.cpp.

                                                   {
   *this = scalar * *this;
   return *this;
}

operator+=()

EC_Point & Botan::EC_Point::operator+=

(

const EC_Point &

rhs

)

+= Operator

Parameters

rhs	the EC_Point to add to the local value

Returns

resulting EC_Point

Definition at line 340 of file ec_point.cpp.

                                                  {
   std::vector<BigInt> ws(EC_Point::WORKSPACE_SIZE);
   add(rhs, ws);
   return *this;
}

References add(), and WORKSPACE_SIZE.

operator-=()

EC_Point & Botan::EC_Point::operator-=

(

const EC_Point &

rhs

)

-= Operator

Parameters

rhs	the EC_Point to subtract from the local value

Returns

resulting EC_Point

Definition at line 346 of file ec_point.cpp.

                                                  {
   EC_Point minus_rhs = EC_Point(rhs).negate();
 
   if(is_zero()) {
      *this = minus_rhs;
   } else {
      *this += minus_rhs;
   }
 
   return *this;
}

References EC_Point(), and is_zero().

operator=() [1/2]

EC_Point & Botan::EC_Point::operator= ( const EC_Point &  )

default

Standard Assignment

operator=() [2/2]

EC_Point & Botan::EC_Point::operator= ( EC_Point &&  other )

inline

Move Assignment

Definition at line 68 of file ec_point.h.

                                            {
         if(this != &other)
            this->swap(other);
         return (*this);
      }

operator==()

bool Botan::EC_Point::operator==

(

const EC_Point &

other

)

const

Equality operator

Definition at line 554 of file ec_point.cpp.

                                                     {
   if(m_curve != other.m_curve) {
      return false;
   }
 
   // If this is zero, only equal if other is also zero
   if(is_zero()) {
      return other.is_zero();
   }
 
   return (get_affine_x() == other.get_affine_x() && get_affine_y() == other.get_affine_y());
}

References get_affine_x(), get_affine_y(), and is_zero().

plus()

EC_Point Botan::EC_Point::plus ( const EC_Point &  other, std::vector< BigInt > &  workspace  ) const

inline

Point addition

Parameters

other	the point to add to *this
workspace	temp space, at least WORKSPACE_SIZE elements

Returns

other plus *this

Definition at line 293 of file ec_point.h.

                                                                               {
         EC_Point x = (*this);
         x.add(other, workspace);
         return x;
      }

References add().

Referenced by Botan::EC_Point_Multi_Point_Precompute::EC_Point_Multi_Point_Precompute(), and Botan::EC_Point_Var_Point_Precompute::EC_Point_Var_Point_Precompute().

randomize_repr() [1/2]

void Botan::EC_Point::randomize_repr

(

RandomNumberGenerator &

rng

)

Randomize the point representation The actual value (get_affine_x, get_affine_y) does not change

Definition at line 36 of file ec_point.cpp.

                                                        {
   secure_vector<word> ws(m_curve.get_ws_size());
   randomize_repr(rng, ws);
}

References Botan::CurveGFp::get_ws_size(), and randomize_repr().

Referenced by Botan::EC_Point_Base_Point_Precompute::mul(), Botan::EC_Point_Var_Point_Precompute::mul(), and randomize_repr().

randomize_repr() [2/2]

void Botan::EC_Point::randomize_repr	(	RandomNumberGenerator &	rng,
		secure_vector< word > &	ws
	)

Randomize the point representation The actual value (get_affine_x, get_affine_y) does not change

Definition at line 41 of file ec_point.cpp.

                                                                                 {
   const BigInt mask = BigInt::random_integer(rng, 2, m_curve.get_p());
 
   /*
   * No reason to convert this to Montgomery representation first,
   * just pretend the random mask was chosen as Redc(mask) and the
   * random mask we generated above is in the Montgomery
   * representation.
   * //m_curve.to_rep(mask, ws);
   */
   const BigInt mask2 = m_curve.sqr_to_tmp(mask, ws);
   const BigInt mask3 = m_curve.mul_to_tmp(mask2, mask, ws);
 
   m_coord_x = m_curve.mul_to_tmp(m_coord_x, mask2, ws);
   m_coord_y = m_curve.mul_to_tmp(m_coord_y, mask3, ws);
   m_coord_z = m_curve.mul_to_tmp(m_coord_z, mask, ws);
}

References Botan::CurveGFp::get_p(), Botan::CurveGFp::mul_to_tmp(), Botan::BigInt::random_integer(), and Botan::CurveGFp::sqr_to_tmp().

swap()

void Botan::EC_Point::swap

(

EC_Point &

other

)

swaps the states of *this and other, does not throw!

Parameters

other

the object to swap values with

Definition at line 547 of file ec_point.cpp.

                                   {
   m_curve.swap(other.m_curve);
   m_coord_x.swap(other.m_coord_x);
   m_coord_y.swap(other.m_coord_y);
   m_coord_z.swap(other.m_coord_z);
}

References Botan::BigInt::swap(), and Botan::CurveGFp::swap().

Referenced by Botan::EC_Point_Base_Point_Precompute::EC_Point_Base_Point_Precompute(), and std::swap< Botan::EC_Point >().

swap_coords()

void Botan::EC_Point::swap_coords ( BigInt &  new_x, BigInt &  new_y, BigInt &  new_z  )

inline

Definition at line 153 of file ec_point.h.

                                                                    {
         m_coord_x.swap(new_x);
         m_coord_y.swap(new_y);
         m_coord_z.swap(new_z);
      }

zero()

EC_Point Botan::EC_Point::zero ( ) const

inline

Return the zero (aka infinite) point associated with this curve

Definition at line 313 of file ec_point.h.

{ return EC_Point(m_curve); }

Referenced by Botan::EC_Point_Multi_Point_Precompute::EC_Point_Multi_Point_Precompute(), Botan::EC_Point_Var_Point_Precompute::EC_Point_Var_Point_Precompute(), Botan::EC_Point_Base_Point_Precompute::mul(), and Botan::operator*().

---

The documentation for this class was generated from the following files:

• src/lib/pubkey/ec_group/ec_point.h
• src/lib/pubkey/ec_group/ec_point.cpp