Botan 3.5.0
Crypto and TLS for C&
Botan::EC_Point_Var_Point_Precompute Class Referencefinal

#include <point_mul.h>

Public Member Functions

 EC_Point_Var_Point_Precompute (const EC_Point &point, RandomNumberGenerator &rng, std::vector< BigInt > &ws)
 
EC_Point mul (const BigInt &k, RandomNumberGenerator &rng, const BigInt &group_order, std::vector< BigInt > &ws) const
 

Detailed Description

Definition at line 41 of file point_mul.h.

Constructor & Destructor Documentation

◆ EC_Point_Var_Point_Precompute()

Botan::EC_Point_Var_Point_Precompute::EC_Point_Var_Point_Precompute ( const EC_Point & point,
RandomNumberGenerator & rng,
std::vector< BigInt > & ws )

Definition at line 161 of file point_mul.cpp.

163 :
164 m_curve(point.get_curve()), m_p_words(m_curve.get_p_words()), m_window_bits(4) {
165 if(ws.size() < EC_Point::WORKSPACE_SIZE) {
166 ws.resize(EC_Point::WORKSPACE_SIZE);
167 }
168
169 std::vector<EC_Point> U(static_cast<size_t>(1) << m_window_bits);
170 U[0] = point.zero();
171 U[1] = point;
172
173 for(size_t i = 2; i < U.size(); i += 2) {
174 U[i] = U[i / 2].double_of(ws);
175 U[i + 1] = U[i].plus(point, ws);
176 }
177
178 // Hack to handle Blinded_Point_Multiply
179 if(rng.is_seeded()) {
180 // Skipping zero point since it can't be randomized
181 for(size_t i = 1; i != U.size(); ++i) {
182 U[i].randomize_repr(rng);
183 }
184 }
185
186 m_T.resize(U.size() * 3 * m_p_words);
187
188 word* p = &m_T[0];
189 for(size_t i = 0; i != U.size(); ++i) {
190 U[i].get_x().encode_words(p, m_p_words);
191 U[i].get_y().encode_words(p + m_p_words, m_p_words);
192 U[i].get_z().encode_words(p + 2 * m_p_words, m_p_words);
193 p += 3 * m_p_words;
194 }
195}

References Botan::EC_Point::double_of(), Botan::RandomNumberGenerator::is_seeded(), Botan::EC_Point::plus(), Botan::EC_Point::randomize_repr(), Botan::EC_Point::WORKSPACE_SIZE, and Botan::EC_Point::zero().

Member Function Documentation

◆ mul()

EC_Point Botan::EC_Point_Var_Point_Precompute::mul ( const BigInt & k,
RandomNumberGenerator & rng,
const BigInt & group_order,
std::vector< BigInt > & ws ) const

Definition at line 197 of file point_mul.cpp.

200 {
201 if(k.is_negative()) {
202 throw Invalid_Argument("EC_Point_Var_Point_Precompute scalar must be positive");
203 }
204 if(ws.size() < EC_Point::WORKSPACE_SIZE) {
205 ws.resize(EC_Point::WORKSPACE_SIZE);
206 }
207
208 // Choose a small mask m and use k' = k + m*order (Coron's 1st countermeasure)
209 const BigInt mask(rng, blinding_size(group_order), false);
210 const BigInt scalar = k + group_order * mask;
211
212 const size_t elem_size = 3 * m_p_words;
213 const size_t window_elems = static_cast<size_t>(1) << m_window_bits;
214
215 size_t windows = round_up(scalar.bits(), m_window_bits) / m_window_bits;
216 EC_Point R(m_curve);
217 secure_vector<word> e(elem_size);
218
219 if(windows > 0) {
220 windows--;
221
222 const uint32_t w = scalar.get_substring(windows * m_window_bits, m_window_bits);
223
224 clear_mem(e.data(), e.size());
225 for(size_t i = 1; i != window_elems; ++i) {
226 const auto wmask = CT::Mask<word>::is_equal(w, i);
227
228 for(size_t j = 0; j != elem_size; ++j) {
229 e[j] |= wmask.if_set_return(m_T[i * elem_size + j]);
230 }
231 }
232
233 R.add(&e[0], m_p_words, &e[m_p_words], m_p_words, &e[2 * m_p_words], m_p_words, ws);
234
235 /*
236 Randomize after adding the first nibble as before the addition R
237 is zero, and we cannot effectively randomize the point
238 representation of the zero point.
239 */
240 R.randomize_repr(rng, ws[0].get_word_vector());
241 }
242
243 while(windows) {
244 R.mult2i(m_window_bits, ws);
245
246 const uint32_t w = scalar.get_substring((windows - 1) * m_window_bits, m_window_bits);
247
248 clear_mem(e.data(), e.size());
249 for(size_t i = 1; i != window_elems; ++i) {
250 const auto wmask = CT::Mask<word>::is_equal(w, i);
251
252 for(size_t j = 0; j != elem_size; ++j) {
253 e[j] |= wmask.if_set_return(m_T[i * elem_size + j]);
254 }
255 }
256
257 R.add(&e[0], m_p_words, &e[m_p_words], m_p_words, &e[2 * m_p_words], m_p_words, ws);
258
259 windows--;
260 }
261
262 BOTAN_DEBUG_ASSERT(R.on_the_curve());
263
264 return R;
265}
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:98
static constexpr Mask< T > is_equal(T x, T y)
Definition ct_utils.h:250
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:120
size_t round_up(size_t n, size_t align_to)
Definition rounding.h:25

References Botan::EC_Point::add(), Botan::BigInt::bits(), BOTAN_DEBUG_ASSERT, Botan::clear_mem(), Botan::BigInt::get_substring(), Botan::CT::Mask< T >::is_equal(), Botan::BigInt::is_negative(), Botan::EC_Point::mult2i(), Botan::EC_Point::on_the_curve(), Botan::EC_Point::randomize_repr(), Botan::round_up(), and Botan::EC_Point::WORKSPACE_SIZE.

Referenced by Botan::EC_Group::blinded_var_point_multiply().


The documentation for this class was generated from the following files: