Botan 3.8.1
Crypto and TLS for C&
Classes | Public Types | Public Member Functions | Static Public Member Functions | Static Public Attributes | List of all members
Botan::PCurve::PrimeOrderCurveImpl< C > Class Template Referencefinal

#include <pcurves_wrap.h>

Inheritance diagram for Botan::PCurve::PrimeOrderCurveImpl< C >:
Botan::PCurve::PrimeOrderCurve

Classes

class  PrecomputedMul2TableC
 

Public Types

typedef std::shared_ptr< const PrimeOrderCurveCurvePtr
 
typedef std::array< word, StorageWordsStorageUnit
 

Public Member Functions

bool affine_point_is_identity (const AffinePoint &pt) const override
 
Scalar base_point_mul_x_mod_order (const Scalar &scalar, RandomNumberGenerator &rng) const override
 
std::optional< AffinePointdeserialize_point (std::span< const uint8_t > bytes) const override
 
std::optional< Scalardeserialize_scalar (std::span< const uint8_t > bytes) const override
 
size_t field_element_bytes () const override
 
AffinePoint generator () const override
 Return the standard generator.
 
AffinePoint hash_to_curve_nu (std::function< void(std::span< uint8_t >)> expand_message) const override
 
ProjectivePoint hash_to_curve_ro (std::function< void(std::span< uint8_t >)> expand_message) const override
 
ProjectivePoint mul (const AffinePoint &pt, const Scalar &scalar, RandomNumberGenerator &rng) const override
 
std::unique_ptr< const PrecomputedMul2Tablemul2_setup_g (const AffinePoint &q) const override
 Setup a table for 2-ary multiplication where the first point is the generator.
 
std::optional< ProjectivePointmul2_vartime (const PrecomputedMul2Table &tableb, const Scalar &x, const Scalar &y) const override
 
bool mul2_vartime_x_mod_order_eq (const PrecomputedMul2Table &tableb, const Scalar &v, const Scalar &x, const Scalar &y) const override
 
ProjectivePoint mul_by_g (const Scalar &scalar, RandomNumberGenerator &rng) const override
 
std::optional< ProjectivePointmul_px_qy (const AffinePoint &p, const Scalar &x, const AffinePoint &q, const Scalar &y, RandomNumberGenerator &rng) const override
 
secure_vector< uint8_t > mul_x_only (const AffinePoint &pt, const Scalar &scalar, RandomNumberGenerator &rng) const override
 
size_t order_bits () const override
 Return the bit length of the group order.
 
ProjectivePoint point_add (const AffinePoint &a, const AffinePoint &b) const override
 
AffinePoint point_negate (const AffinePoint &pt) const override
 
AffinePoint point_to_affine (const ProjectivePoint &pt) const override
 
 PrimeOrderCurveImpl ()
 
Scalar random_scalar (RandomNumberGenerator &rng) const override
 
Scalar scalar_add (const Scalar &a, const Scalar &b) const override
 Scalar addition.
 
size_t scalar_bytes () const override
 Return the byte length of the scalar element.
 
bool scalar_equal (const Scalar &a, const Scalar &b) const override
 Test if two scalars are equal.
 
std::optional< Scalarscalar_from_wide_bytes (std::span< const uint8_t > bytes) const override
 
Scalar scalar_invert (const Scalar &ss) const override
 Scalar inversion.
 
Scalar scalar_invert_vartime (const Scalar &ss) const override
 Scalar inversion (variable time)
 
bool scalar_is_zero (const Scalar &s) const override
 Test if scalar is zero.
 
Scalar scalar_mul (const Scalar &a, const Scalar &b) const override
 Scalar multiplication.
 
Scalar scalar_negate (const Scalar &s) const override
 Scalar negation.
 
Scalar scalar_one () const override
 
Scalar scalar_square (const Scalar &s) const override
 Scalar squaring.
 
Scalar scalar_sub (const Scalar &a, const Scalar &b) const override
 Scalar subtraction.
 
void serialize_point (std::span< uint8_t > bytes, const AffinePoint &pt) const override
 
void serialize_scalar (std::span< uint8_t > bytes, const Scalar &scalar) const override
 

Static Public Member Functions

static std::shared_ptr< const PrimeOrderCurvefor_named_curve (std::string_view name)
 
static std::shared_ptr< const PrimeOrderCurvefrom_params (const BigInt &p, const BigInt &a, const BigInt &b, const BigInt &base_x, const BigInt &base_y, const BigInt &order)
 
static std::shared_ptr< const PrimeOrderCurveinstance ()
 

Static Public Attributes

static constexpr size_t MaximumBitLength = 521
 
static constexpr size_t MaximumByteLength = (MaximumBitLength + 7) / 8
 
static constexpr size_t StorageWords = (MaximumByteLength + sizeof(word) - 1) / sizeof(word)
 Number of words used to store MaximumByteLength.
 

Detailed Description

template<typename C>
class Botan::PCurve::PrimeOrderCurveImpl< C >

This class provides a bridge between the "public" (actually still internal) PrimeOrderCurve type, and the inner templates which are subclasses of EllipticCurve from pcurves_impl.h

Definition at line 27 of file pcurves_wrap.h.

Member Typedef Documentation

◆ CurvePtr

typedef std::shared_ptr<const PrimeOrderCurve> Botan::PCurve::PrimeOrderCurve::CurvePtr
inherited

Definition at line 60 of file pcurves.h.

◆ StorageUnit

typedef std::array<word, StorageWords> Botan::PCurve::PrimeOrderCurve::StorageUnit
inherited

Definition at line 59 of file pcurves.h.

Constructor & Destructor Documentation

◆ PrimeOrderCurveImpl()

template<typename C>
Botan::PCurve::PrimeOrderCurveImpl< C >::PrimeOrderCurveImpl ( )
inline

Definition at line 303 of file pcurves_wrap.h.

303: m_mul_by_g(C::G) {}

Member Function Documentation

◆ affine_point_is_identity()

template<typename C>
bool Botan::PCurve::PrimeOrderCurveImpl< C >::affine_point_is_identity ( const AffinePoint & pt) const
inlineoverridevirtual

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 207 of file pcurves_wrap.h.

207 {
208 return from_stash(pt).is_identity().as_bool();
209 }

◆ base_point_mul_x_mod_order()

template<typename C>
Scalar Botan::PCurve::PrimeOrderCurveImpl< C >::base_point_mul_x_mod_order ( const Scalar & scalar,
RandomNumberGenerator & rng ) const
inlineoverridevirtual

Base point multiplication, returning only the x coordinate modulo the group order

Multiply by the standard generator point g, then extract the x coordinate as an integer, then reduce the x coordinate modulo the group order

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 179 of file pcurves_wrap.h.

179 {
180 auto pt = m_mul_by_g.mul(from_stash(scalar), rng);
181 std::array<uint8_t, C::FieldElement::BYTES> x_bytes;
182 to_affine_x<C>(pt).serialize_to(std::span{x_bytes});
183 // Reduction might be required (if unlikely)
184 return stash(C::Scalar::from_wide_bytes(std::span<const uint8_t, C::FieldElement::BYTES>{x_bytes}));
185 }
Botan::PCurve::PrimeOrderCurveImpl::mul
ProjectivePoint mul(const AffinePoint &pt, const Scalar &scalar, RandomNumberGenerator &rng) const override
Definition pcurves_wrap.h:42
Botan::to_affine_x
auto to_affine_x(const typename C::ProjectivePoint &pt)
Definition pcurves_algos.h:66

References Botan::to_affine_x().

◆ deserialize_point()

template<typename C>
std::optional< AffinePoint > Botan::PCurve::PrimeOrderCurveImpl< C >::deserialize_point ( std::span< const uint8_t > bytes) const
inlineoverridevirtual

Deserialize a point

Both compressed and uncompressed encodings are accepted

Note that the deprecated "hybrid" encoding is not supported here

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 239 of file pcurves_wrap.h.

239 {
240 if(auto pt = C::AffinePoint::deserialize(bytes)) {
241 return stash(*pt);
242 } else {
243 return {};
244 }
245 }

◆ deserialize_scalar()

template<typename C>
std::optional< Scalar > Botan::PCurve::PrimeOrderCurveImpl< C >::deserialize_scalar ( std::span< const uint8_t > bytes) const
inlineoverridevirtual

Deserialize a scalar in [1,p)

This function requires the input length be exactly scalar_bytes long; it does not accept inputs that are shorter, or with excess leading zero padding bytes.

This function also rejects zero as an input, since in normal usage scalars are integers in Z_p*

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 221 of file pcurves_wrap.h.

221 {
222 if(auto scalar = C::Scalar::deserialize(bytes)) {
223 if(!scalar->is_zero().as_bool()) {
224 return stash(*scalar);
225 }
226 }
227
228 return {};
229 }

◆ field_element_bytes()

template<typename C>
size_t Botan::PCurve::PrimeOrderCurveImpl< C >::field_element_bytes ( ) const
inlineoverridevirtual

Return the byte length of a field element

Each point consists of two field elements

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 36 of file pcurves_wrap.h.

36{ return C::FieldElement::BYTES; }

◆ for_named_curve()

std::shared_ptr< const PrimeOrderCurve > Botan::PCurve::PrimeOrderCurve::for_named_curve ( std::string_view name)
staticinherited
Returns
nullptr if the curve specified is not available

Definition at line 26 of file pcurves.cpp.

26 {
27#if defined(BOTAN_HAS_PCURVES_SECP192R1)
28 if(name == "secp192r1") {
29 return PCurveInstance::secp192r1();
30 }
31#endif
32
33#if defined(BOTAN_HAS_PCURVES_SECP224R1)
34 if(name == "secp224r1") {
35 return PCurveInstance::secp224r1();
36 }
37#endif
38
39#if defined(BOTAN_HAS_PCURVES_SECP256R1)
40 if(name == "secp256r1") {
41 return PCurveInstance::secp256r1();
42 }
43#endif
44
45#if defined(BOTAN_HAS_PCURVES_SECP384R1)
46 if(name == "secp384r1") {
47 return PCurveInstance::secp384r1();
48 }
49#endif
50
51#if defined(BOTAN_HAS_PCURVES_SECP521R1)
52 if(name == "secp521r1") {
53 return PCurveInstance::secp521r1();
54 }
55#endif
56
57#if defined(BOTAN_HAS_PCURVES_SECP256K1)
58 if(name == "secp256k1") {
59 return PCurveInstance::secp256k1();
60 }
61#endif
62
63#if defined(BOTAN_HAS_PCURVES_BRAINPOOL256R1)
64 if(name == "brainpool256r1") {
65 return PCurveInstance::brainpool256r1();
66 }
67#endif
68
69#if defined(BOTAN_HAS_PCURVES_BRAINPOOL384R1)
70 if(name == "brainpool384r1") {
71 return PCurveInstance::brainpool384r1();
72 }
73#endif
74
75#if defined(BOTAN_HAS_PCURVES_BRAINPOOL512R1)
76 if(name == "brainpool512r1") {
77 return PCurveInstance::brainpool512r1();
78 }
79#endif
80
81#if defined(BOTAN_HAS_PCURVES_FRP256V1)
82 if(name == "frp256v1") {
83 return PCurveInstance::frp256v1();
84 }
85#endif
86
87#if defined(BOTAN_HAS_PCURVES_SM2P256V1)
88 if(name == "sm2p256v1") {
89 return PCurveInstance::sm2p256v1();
90 }
91#endif
92
93#if defined(BOTAN_HAS_PCURVES_NUMSP512D1)
94 if(name == "numsp512d1") {
95 return PCurveInstance::numsp512d1();
96 }
97#endif
98
99 BOTAN_UNUSED(name);
100 return {};
101}
BOTAN_UNUSED
#define BOTAN_UNUSED
Definition assert.h:120

References BOTAN_UNUSED.

◆ from_params()

std::shared_ptr< const PrimeOrderCurve > Botan::PCurve::PrimeOrderCurve::from_params ( const BigInt & p,
const BigInt & a,
const BigInt & b,
const BigInt & base_x,
const BigInt & base_y,
const BigInt & order )
staticinherited
Returns
nullptr if the parameters seem unsuitable for pcurves for example if the prime is too large

This function should accept the same subset of curves as the EC_Group constructor that accepts BigInts.

Definition at line 15 of file pcurves.cpp.

16 {
17#if defined(BOTAN_HAS_PCURVES_GENERIC)
18 return PCurveInstance::from_params(p, a, b, base_x, base_y, order);
19#endif
20
21 BOTAN_UNUSED(p, a, b, base_x, base_y, order);
22 return {};
23}

References BOTAN_UNUSED.

◆ generator()

template<typename C>
AffinePoint Botan::PCurve::PrimeOrderCurveImpl< C >::generator ( ) const
inlineoverridevirtual

Return the standard generator.

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 187 of file pcurves_wrap.h.

187{ return stash(C::G); }

◆ hash_to_curve_nu()

template<typename C>
AffinePoint Botan::PCurve::PrimeOrderCurveImpl< C >::hash_to_curve_nu ( std::function< void(std::span< uint8_t >)> expand_message) const
inlineoverridevirtual

RFC 9380 hash to curve (NU variant)

This is currently only supported for a few specific curves

Parameters
expand_messageis a callback which must fill the provided output span with a sequence of uniform bytes, or if this is not possible due to length limitations or some other issue, throw an exception. It is invoked to produce the uniform_bytes value; see RFC 9380 section 5.2

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 247 of file pcurves_wrap.h.

247 {
248 if constexpr(C::ValidForSswuHash) {
249 return stash(hash_to_curve_sswu<C, false>(expand_message));
250 } else {
251 throw Not_Implemented("Hash to curve is not implemented for this curve");
252 }
253 }

◆ hash_to_curve_ro()

template<typename C>
ProjectivePoint Botan::PCurve::PrimeOrderCurveImpl< C >::hash_to_curve_ro ( std::function< void(std::span< uint8_t >)> expand_message) const
inlineoverridevirtual

RFC 9380 hash to curve (RO variant)

This is currently only supported for a few specific curves

Parameters
expand_messageis a callback which must fill the provided output span with a sequence of uniform bytes, or if this is not possible due to length limitations or some other issue, throw an exception. It is invoked to produce the uniform_bytes value; see RFC 9380 section 5.2

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 255 of file pcurves_wrap.h.

255 {
256 if constexpr(C::ValidForSswuHash) {
257 return stash(hash_to_curve_sswu<C, true>(expand_message));
258 } else {
259 throw Not_Implemented("Hash to curve is not implemented for this curve");
260 }
261 }

◆ instance()

template<typename C>
static std::shared_ptr< const PrimeOrderCurve > Botan::PCurve::PrimeOrderCurveImpl< C >::instance ( )
inlinestatic

Definition at line 305 of file pcurves_wrap.h.

305 {
306 static auto g_curve = std::make_shared<const PrimeOrderCurveImpl<C>>();
307 return g_curve;
308 }

◆ mul()

template<typename C>
ProjectivePoint Botan::PCurve::PrimeOrderCurveImpl< C >::mul ( const AffinePoint & pt,
const Scalar & scalar,
RandomNumberGenerator & rng ) const
inlineoverridevirtual

Generic point multiplication

Multiply an arbitrary point by a scalar

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 42 of file pcurves_wrap.h.

42 {
43 auto tbl = WindowedBoothMulTable<C, VarPointWindowBits>(from_stash(pt));
44 return stash(tbl.mul(from_stash(scalar), rng));
45 }

◆ mul2_setup_g()

template<typename C>
std::unique_ptr< const PrecomputedMul2Table > Botan::PCurve::PrimeOrderCurveImpl< C >::mul2_setup_g ( const AffinePoint & q) const
inlineoverridevirtual

Setup a table for 2-ary multiplication where the first point is the generator.

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 68 of file pcurves_wrap.h.

68 {
69 return std::make_unique<PrecomputedMul2TableC>(C::G, from_stash(q));
70 }

◆ mul2_vartime()

template<typename C>
std::optional< ProjectivePoint > Botan::PCurve::PrimeOrderCurveImpl< C >::mul2_vartime ( const PrecomputedMul2Table & table,
const Scalar & x,
const Scalar & y ) const
inlineoverridevirtual

Perform 2-ary multiplication (variable time)

Compute p*x + q*y in variable time

Returns nullopt if the produced point is the point at infinity

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 72 of file pcurves_wrap.h.

74 {
75 try {
76 const auto& table = dynamic_cast<const PrecomputedMul2TableC&>(tableb);
77 auto pt = table.table().mul2_vartime(from_stash(x), from_stash(y));
78 if(pt.is_identity().as_bool()) {
79 return {};
80 } else {
81 return stash(pt);
82 }
83 } catch(std::bad_cast&) {
84 throw Invalid_Argument("Curve mismatch");
85 }
86 }
Botan::PCurve::PrimeOrderCurveImpl::mul2_vartime
std::optional< ProjectivePoint > mul2_vartime(const PrecomputedMul2Table &tableb, const Scalar &x, const Scalar &y) const override
Definition pcurves_wrap.h:72

References Botan::PCurve::PrimeOrderCurveImpl< C >::PrecomputedMul2TableC::table().

◆ mul2_vartime_x_mod_order_eq()

template<typename C>
bool Botan::PCurve::PrimeOrderCurveImpl< C >::mul2_vartime_x_mod_order_eq ( const PrecomputedMul2Table & table,
const Scalar & v,
const Scalar & x,
const Scalar & y ) const
inlineoverridevirtual

Perform 2-ary multiplication (variable time), reducing x modulo order

Compute p*x + q*y in variable time, then extract the x coordinate of the result, and reduce x modulo the group order. Compare that value with v. If equal, returns true. Otherwise returns false, including if the produced point is the point at infinity

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 102 of file pcurves_wrap.h.

105 {
106 try {
107 const auto& table = dynamic_cast<const PrecomputedMul2TableC&>(tableb);
108 const auto pt = table.table().mul2_vartime(from_stash(x), from_stash(y));
109 // Variable time here, so the early return is fine
110 if(pt.is_identity().as_bool()) {
111 return false;
112 }
113
114 /*
115 * Avoid the inversion by instead projecting v.
116 *
117 * Given (x*z2) and v we want to know if x % n == v
118 *
119 * Inverting z2 to extract x is expensive. Instead compute (v*z2) and
120 * compare it with (x*z2).
121 *
122 * With overwhelming probability, this conversion is correct. The
123 * only time it is not is in the extremely unlikely case where the
124 * signer actually reduced the x coordinate modulo the group order.
125 * That is handled seperately in a second step.
126 */
127 const auto z2 = pt.z().square();
128
129 std::array<uint8_t, C::Scalar::BYTES> v_bytes;
130 from_stash(v).serialize_to(v_bytes);
131
132 if(const auto fe_v = C::FieldElement::deserialize(v_bytes)) {
133 if((*fe_v * z2 == pt.x()).as_bool()) {
134 return true;
135 }
136
137 /*
138 * Possibly (if cryptographically unlikely) the signer
139 * reduced the value modulo the group order.
140 *
141 * If so we must check v + n similarly as before. However here
142 * we must be careful to not overflow since otherwise that
143 * would lead to us accepting an incorrect signature.
144 *
145 * If the order is > p then the reduction modulo p would not have
146 * had any effect and we don't need to consider the possibility
147 */
148 if constexpr(C::OrderIsLessThanField) {
149 /*
150 * We have to be careful to avoid overflow since this would
151 * lead to a forgery
152 *
153 * v < (p)-n => v + n < p
154 *
155 * The values n and neg_n could be precomputed but they are
156 * fast to compute and this codepath will ~never be taken
157 * unless when verifying an invalid signature. In any case
158 * it is many times cheaper than performing the modular inversion
159 * which this approach avoids.
160 */
161
162 // Create the group order as a field element, safe because n < p
163 const auto n = C::FieldElement::from_words(C::NW);
164 const auto neg_n = n.negate().to_words();
165
166 const auto vw = fe_v->to_words();
167 if(bigint_ct_is_lt(vw.data(), vw.size(), neg_n.data(), neg_n.size()).as_bool()) {
168 return (((*fe_v + n) * z2) == pt.x()).as_bool();
169 }
170 }
171 }
172
173 return false;
174 } catch(std::bad_cast&) {
175 throw Invalid_Argument("Curve mismatch");
176 }
177 }
Botan::bigint_ct_is_lt
constexpr auto bigint_ct_is_lt(const W x[], size_t x_size, const W y[], size_t y_size, bool lt_or_equal=false) -> CT::Mask< W >
Definition mp_core.h:598

References Botan::bigint_ct_is_lt(), and Botan::PCurve::PrimeOrderCurveImpl< C >::PrecomputedMul2TableC::table().

◆ mul_by_g()

template<typename C>
ProjectivePoint Botan::PCurve::PrimeOrderCurveImpl< C >::mul_by_g ( const Scalar & scalar,
RandomNumberGenerator & rng ) const
inlineoverridevirtual

Base point multiplication

Multiply by the standard generator point g

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 38 of file pcurves_wrap.h.

38 {
39 return stash(m_mul_by_g.mul(from_stash(scalar), rng));
40 }

◆ mul_px_qy()

template<typename C>
std::optional< ProjectivePoint > Botan::PCurve::PrimeOrderCurveImpl< C >::mul_px_qy ( const AffinePoint & p,
const Scalar & x,
const AffinePoint & q,
const Scalar & y,
RandomNumberGenerator & rng ) const
inlineoverridevirtual

Perform 2-ary multiplication (constant time)

Compute p*x + q*y

Returns nullopt if the produced point is the point at infinity

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 88 of file pcurves_wrap.h.

92 {
93 WindowedMul2Table<C, Mul2WindowBits> tbl(from_stash(p), from_stash(q));
94 auto pt = tbl.mul2(from_stash(x), from_stash(y), rng);
95 if(pt.is_identity().as_bool()) {
96 return {};
97 } else {
98 return stash(pt);
99 }
100 }

◆ mul_x_only()

template<typename C>
secure_vector< uint8_t > Botan::PCurve::PrimeOrderCurveImpl< C >::mul_x_only ( const AffinePoint & pt,
const Scalar & scalar,
RandomNumberGenerator & rng ) const
inlineoverridevirtual

Generic x-only point multiplication

Multiply an arbitrary point by a scalar, returning only the x coordinate

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 47 of file pcurves_wrap.h.

49 {
50 auto tbl = WindowedBoothMulTable<C, VarPointWindowBits>(from_stash(pt));
51 auto pt_x = to_affine_x<C>(tbl.mul(from_stash(scalar), rng));
52 secure_vector<uint8_t> x_bytes(C::FieldElement::BYTES);
53 pt_x.serialize_to(std::span<uint8_t, C::FieldElement::BYTES>{x_bytes});
54 return x_bytes;
55 }

References Botan::to_affine_x().

◆ order_bits()

template<typename C>
size_t Botan::PCurve::PrimeOrderCurveImpl< C >::order_bits ( ) const
inlineoverridevirtual

Return the bit length of the group order.

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 32 of file pcurves_wrap.h.

32{ return C::OrderBits; }

◆ point_add()

template<typename C>
ProjectivePoint Botan::PCurve::PrimeOrderCurveImpl< C >::point_add ( const AffinePoint & a,
const AffinePoint & b ) const
inlineoverridevirtual

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 201 of file pcurves_wrap.h.

201 {
202 return stash(C::ProjectivePoint::from_affine(from_stash(a)) + from_stash(b));
203 }

◆ point_negate()

template<typename C>
AffinePoint Botan::PCurve::PrimeOrderCurveImpl< C >::point_negate ( const AffinePoint & pt) const
inlineoverridevirtual

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 205 of file pcurves_wrap.h.

205{ return stash(from_stash(pt).negate()); }

◆ point_to_affine()

template<typename C>
AffinePoint Botan::PCurve::PrimeOrderCurveImpl< C >::point_to_affine ( const ProjectivePoint & pt) const
inlineoverridevirtual

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 189 of file pcurves_wrap.h.

189 {
190 auto affine = to_affine<C>(from_stash(pt));
191
192 const auto y2 = affine.y().square();
193 const auto x3_ax_b = C::AffinePoint::x3_ax_b(affine.x());
194 const auto valid_point = affine.is_identity() || (y2 == x3_ax_b);
195
196 BOTAN_ASSERT(valid_point.as_bool(), "Computed point is on the curve");
197
198 return stash(affine);
199 }
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:52
Botan::to_affine
constexpr auto to_affine(const typename C::ProjectivePoint &pt)
Definition pcurves_algos.h:46

References BOTAN_ASSERT, and Botan::to_affine().

◆ random_scalar()

template<typename C>
Scalar Botan::PCurve::PrimeOrderCurveImpl< C >::random_scalar ( RandomNumberGenerator & rng) const
inlineoverridevirtual

Return a new random scalar

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 301 of file pcurves_wrap.h.

301{ return stash(C::Scalar::random(rng)); }

◆ scalar_add()

template<typename C>
Scalar Botan::PCurve::PrimeOrderCurveImpl< C >::scalar_add ( const Scalar & a,
const Scalar & b ) const
inlineoverridevirtual

Scalar addition.

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 263 of file pcurves_wrap.h.

263 {
264 return stash(from_stash(a) + from_stash(b));
265 }

◆ scalar_bytes()

template<typename C>
size_t Botan::PCurve::PrimeOrderCurveImpl< C >::scalar_bytes ( ) const
inlineoverridevirtual

Return the byte length of the scalar element.

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 34 of file pcurves_wrap.h.

34{ return C::Scalar::BYTES; }

◆ scalar_equal()

template<typename C>
bool Botan::PCurve::PrimeOrderCurveImpl< C >::scalar_equal ( const Scalar & a,
const Scalar & b ) const
inlineoverridevirtual

Test if two scalars are equal.

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 295 of file pcurves_wrap.h.

295 {
296 return (from_stash(a) == from_stash(b)).as_bool();
297 }

◆ scalar_from_wide_bytes()

template<typename C>
std::optional< Scalar > Botan::PCurve::PrimeOrderCurveImpl< C >::scalar_from_wide_bytes ( std::span< const uint8_t > bytes) const
inlineoverridevirtual

Reduce an integer modulo the group order

The input can be at most twice the bit length of the order; if larger than this nullopt is returned

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 231 of file pcurves_wrap.h.

231 {
232 if(auto s = C::Scalar::from_wide_bytes_varlen(bytes)) {
233 return stash(*s);
234 } else {
235 return {};
236 }
237 }

◆ scalar_invert()

template<typename C>
Scalar Botan::PCurve::PrimeOrderCurveImpl< C >::scalar_invert ( const Scalar & s) const
inlineoverridevirtual

Scalar inversion.

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 277 of file pcurves_wrap.h.

277 {
278 auto s = from_stash(ss);
279 if constexpr(curve_supports_scalar_invert<C>) {
280 return stash(C::scalar_invert(s));
281 } else {
282 return stash(s.invert());
283 }
284 }

◆ scalar_invert_vartime()

template<typename C>
Scalar Botan::PCurve::PrimeOrderCurveImpl< C >::scalar_invert_vartime ( const Scalar & s) const
inlineoverridevirtual

Scalar inversion (variable time)

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 286 of file pcurves_wrap.h.

286 {
287 auto s = from_stash(ss);
288 return stash(s.invert_vartime());
289 }

◆ scalar_is_zero()

template<typename C>
bool Botan::PCurve::PrimeOrderCurveImpl< C >::scalar_is_zero ( const Scalar & s) const
inlineoverridevirtual

Test if scalar is zero.

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 293 of file pcurves_wrap.h.

293{ return from_stash(s).is_zero().as_bool(); }

◆ scalar_mul()

template<typename C>
Scalar Botan::PCurve::PrimeOrderCurveImpl< C >::scalar_mul ( const Scalar & a,
const Scalar & b ) const
inlineoverridevirtual

Scalar multiplication.

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 271 of file pcurves_wrap.h.

271 {
272 return stash(from_stash(a) * from_stash(b));
273 }

◆ scalar_negate()

template<typename C>
Scalar Botan::PCurve::PrimeOrderCurveImpl< C >::scalar_negate ( const Scalar & s) const
inlineoverridevirtual

Scalar negation.

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 291 of file pcurves_wrap.h.

291{ return stash(from_stash(s).negate()); }

◆ scalar_one()

template<typename C>
Scalar Botan::PCurve::PrimeOrderCurveImpl< C >::scalar_one ( ) const
inlineoverridevirtual

Return the scalar one

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 299 of file pcurves_wrap.h.

299{ return stash(C::Scalar::one()); }

◆ scalar_square()

template<typename C>
Scalar Botan::PCurve::PrimeOrderCurveImpl< C >::scalar_square ( const Scalar & s) const
inlineoverridevirtual

Scalar squaring.

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 275 of file pcurves_wrap.h.

275{ return stash(from_stash(s).square()); }
Botan::square
BigInt square(const BigInt &x)
Definition numthry.cpp:157

References Botan::square().

◆ scalar_sub()

template<typename C>
Scalar Botan::PCurve::PrimeOrderCurveImpl< C >::scalar_sub ( const Scalar & a,
const Scalar & b ) const
inlineoverridevirtual

Scalar subtraction.

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 267 of file pcurves_wrap.h.

267 {
268 return stash(from_stash(a) - from_stash(b));
269 }

◆ serialize_point()

template<typename C>
void Botan::PCurve::PrimeOrderCurveImpl< C >::serialize_point ( std::span< uint8_t > bytes,
const AffinePoint & pt ) const
inlineoverridevirtual

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 211 of file pcurves_wrap.h.

211 {
212 BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point");
213 from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>());
214 }
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:31

References BOTAN_ARG_CHECK.

◆ serialize_scalar()

template<typename C>
void Botan::PCurve::PrimeOrderCurveImpl< C >::serialize_scalar ( std::span< uint8_t > bytes,
const Scalar & scalar ) const
inlineoverridevirtual

Implements Botan::PCurve::PrimeOrderCurve.

Definition at line 216 of file pcurves_wrap.h.

216 {
217 BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar");
218 return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>());
219 }

References BOTAN_ARG_CHECK.

Member Data Documentation

◆ MaximumBitLength

size_t Botan::PCurve::PrimeOrderCurve::MaximumBitLength = 521
staticconstexprinherited

Somewhat arbitrary maximum size for a field or scalar

Sized to fit at least P-521

Definition at line 37 of file pcurves.h.

◆ MaximumByteLength

size_t Botan::PCurve::PrimeOrderCurve::MaximumByteLength = (MaximumBitLength + 7) / 8
staticconstexprinherited

Definition at line 39 of file pcurves.h.

◆ StorageWords

size_t Botan::PCurve::PrimeOrderCurve::StorageWords = (MaximumByteLength + sizeof(word) - 1) / sizeof(word)
staticconstexprinherited

Number of words used to store MaximumByteLength.

Definition at line 42 of file pcurves.h.

The documentation for this class was generated from the following file:
Generated by doxygen 1.13.2