Botan 3.9.0
Crypto and TLS for C&
Public Member Functions | List of all members
Botan::EC_Point_Var_Point_Precompute Class Referencefinal

#include <point_mul.h>

Public Member Functions

 EC_Point_Var_Point_Precompute (const EC_Point &point, RandomNumberGenerator &rng, std::vector< BigInt > &ws)
EC_Point mul (const BigInt &k, RandomNumberGenerator &rng, const BigInt &group_order, std::vector< BigInt > &ws) const

Detailed Description

Definition at line 40 of file point_mul.h.

Constructor & Destructor Documentation

◆ EC_Point_Var_Point_Precompute()

Botan::EC_Point_Var_Point_Precompute::EC_Point_Var_Point_Precompute ( const EC_Point & point,
RandomNumberGenerator & rng,
std::vector< BigInt > & ws )

Definition at line 173 of file point_mul.cpp.

175 :
176 m_curve(ipoint.get_curve()), m_p_words(m_curve.get_p_words()) {
177 if(ws.size() < EC_Point::WORKSPACE_SIZE) {
178 ws.resize(EC_Point::WORKSPACE_SIZE);
179 }
180
181 auto point = ipoint;
182 point.randomize_repr(rng);
183
184 std::vector<EC_Point> U(static_cast<size_t>(1) << WindowBits);
185 U[0] = point.zero();
186 U[1] = point;
187
188 for(size_t i = 2; i < U.size(); i += 2) {
189 U[i] = U[i / 2].double_of(ws);
190 U[i + 1] = U[i].plus(point, ws);
191 }
192
193 // Hack to handle Blinded_Point_Multiply
194 if(rng.is_seeded()) {
195 // Skipping zero point since it can't be randomized
196 for(size_t i = 1; i != U.size(); ++i) {
197 U[i].randomize_repr(rng);
198 }
199 }
200
201 m_T.resize(U.size() * 3 * m_p_words);
202
203 word* p = m_T.data();
204 for(const auto& pt : U) {
205 pt.get_x().encode_words(p, m_p_words);
206 pt.get_y().encode_words(p + m_p_words, m_p_words);
207 pt.get_z().encode_words(p + 2 * m_p_words, m_p_words);
208 p += 3 * m_p_words;
209 }
210}
Botan::EC_Point::WORKSPACE_SIZE
@ WORKSPACE_SIZE
Definition ec_point.h:42
Botan::word
std::conditional_t< HasNative64BitRegisters, std::uint64_t, uint32_t > word
Definition types.h:119

References Botan::RandomNumberGenerator::is_seeded(), Botan::EC_Point::randomize_repr(), and Botan::EC_Point::WORKSPACE_SIZE.

Member Function Documentation

◆ mul()

EC_Point Botan::EC_Point_Var_Point_Precompute::mul ( const BigInt & k,
RandomNumberGenerator & rng,
const BigInt & group_order,
std::vector< BigInt > & ws ) const

Definition at line 212 of file point_mul.cpp.

215 {
216 if(k.is_negative()) {
217 throw Invalid_Argument("EC_Point_Var_Point_Precompute scalar must be positive");
218 }
219 if(ws.size() < EC_Point::WORKSPACE_SIZE) {
220 ws.resize(EC_Point::WORKSPACE_SIZE);
221 }
222
223 // Choose a small mask m and use k' = k + m*order (Coron's 1st countermeasure)
224 const BigInt scalar = k + group_order * blinding_mask(group_order, rng);
225
226 const size_t elem_size = 3 * m_p_words;
227 const size_t window_elems = static_cast<size_t>(1) << WindowBits;
228
229 size_t windows = round_up(scalar.bits(), WindowBits) / WindowBits;
230 EC_Point R(m_curve);
231 secure_vector<word> e(elem_size);
232
233 if(windows > 0) {
234 windows--;
235
236 const uint32_t w = scalar.get_substring(windows * WindowBits, WindowBits);
237
238 clear_mem(e.data(), e.size());
239 for(size_t i = 1; i != window_elems; ++i) {
240 const auto wmask = CT::Mask<word>::is_equal(w, i);
241
242 for(size_t j = 0; j != elem_size; ++j) {
243 e[j] |= wmask.if_set_return(m_T[i * elem_size + j]);
244 }
245 }
246
247 R.add(e.data(), m_p_words, &e[m_p_words], m_p_words, &e[2 * m_p_words], m_p_words, ws);
248
249 /*
250 Randomize after adding the first nibble as before the addition R
251 is zero, and we cannot effectively randomize the point
252 representation of the zero point.
253 */
254 R.randomize_repr(rng, ws[0].get_word_vector());
255 }
256
257 while(windows > 0) {
258 R.mult2i(WindowBits, ws);
259
260 const uint32_t w = scalar.get_substring((windows - 1) * WindowBits, WindowBits);
261
262 clear_mem(e.data(), e.size());
263 for(size_t i = 1; i != window_elems; ++i) {
264 const auto wmask = CT::Mask<word>::is_equal(w, i);
265
266 for(size_t j = 0; j != elem_size; ++j) {
267 e[j] |= wmask.if_set_return(m_T[i * elem_size + j]);
268 }
269 }
270
271 R.add(e.data(), m_p_words, &e[m_p_words], m_p_words, &e[2 * m_p_words], m_p_words, ws);
272
273 windows--;
274 }
275
276 BOTAN_ASSERT_NOMSG(R.on_the_curve());
277
278 return R;
279}
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
Botan::CT::Mask::is_equal
static constexpr Mask< T > is_equal(T x, T y)
Definition ct_utils.h:470
Botan::round_up
constexpr size_t round_up(size_t n, size_t align_to)
Definition rounding.h:26
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69
Botan::clear_mem
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:119

References Botan::EC_Point::add(), Botan::BigInt::bits(), BOTAN_ASSERT_NOMSG, Botan::clear_mem(), Botan::BigInt::get_substring(), Botan::CT::Mask< T >::is_equal(), Botan::BigInt::is_negative(), mul(), Botan::EC_Point::mult2i(), Botan::EC_Point::on_the_curve(), Botan::EC_Point::randomize_repr(), Botan::round_up(), and Botan::EC_Point::WORKSPACE_SIZE.

Referenced by mul(), and Botan::EC_Group_Data::mul_px_qy().

The documentation for this class was generated from the following files:
Generated by doxygen 1.14.0