#include <point_gfp.h>

Public Types
enum	{ WORKSPACE_SIZE = 8 }

enum	Compression_Type { UNCOMPRESSED = 0 , COMPRESSED = 1 , HYBRID = 2 }

Public Member Functions
void	add (const PointGFp &other, std::vector< BigInt > &workspace)

void	add (const word x_words[], size_t x_size, const word y_words[], size_t y_size, const word z_words[], size_t z_size, std::vector< BigInt > &workspace)

void	add_affine (const PointGFp &other, std::vector< BigInt > &workspace)

void	add_affine (const word x_words[], size_t x_size, const word y_words[], size_t y_size, std::vector< BigInt > &workspace)

PointGFp	double_of (std::vector< BigInt > &workspace) const

std::vector< uint8_t >	encode (PointGFp::Compression_Type format) const

void	force_affine ()

BigInt	get_affine_x () const

BigInt	get_affine_y () const

const CurveGFp &	get_curve () const

const BigInt &	get_x () const

const BigInt &	get_y () const

const BigInt &	get_z () const

bool	is_affine () const

bool	is_zero () const

void	mult2 (std::vector< BigInt > &workspace)

void	mult2i (size_t i, std::vector< BigInt > &workspace)

PointGFp &	negate ()

bool	on_the_curve () const

PointGFp &	operator*= (const BigInt &scalar)

PointGFp &	operator+= (const PointGFp &rhs)

PointGFp &	operator-= (const PointGFp &rhs)

PointGFp &	operator= (const PointGFp &)=default

PointGFp &	operator= (PointGFp &&other)

bool	operator== (const PointGFp &other) const

PointGFp	plus (const PointGFp &other, std::vector< BigInt > &workspace) const

	PointGFp ()=default

	PointGFp (const CurveGFp &curve)

	PointGFp (const CurveGFp &curve, const BigInt &x, const BigInt &y)

	PointGFp (const PointGFp &)=default

	PointGFp (PointGFp &&other)

void	randomize_repr (RandomNumberGenerator &rng)

void	randomize_repr (RandomNumberGenerator &rng, secure_vector< word > &ws)

void	swap (PointGFp &other)

void	swap_coords (BigInt &new_x, BigInt &new_y, BigInt &new_z)

PointGFp	zero () const

Static Public Member Functions
static void	force_all_affine (std::vector< PointGFp > &points, secure_vector< word > &ws)

Detailed Description

This class represents one point on a curve of GF(p)

Definition at line 47 of file point_gfp.h.

Member Enumeration Documentation

◆ anonymous enum

anonymous enum

Enumerator
WORKSPACE_SIZE

Definition at line 56 of file point_gfp.h.

56{ WORKSPACE_SIZE = 8 };

Botan::PointGFp::WORKSPACE_SIZE

@ WORKSPACE_SIZE

Definition: point_gfp.h:56

◆ Compression_Type

enum Botan::PointGFp::Compression_Type

Enumerator
UNCOMPRESSED
COMPRESSED
HYBRID

Definition at line 50 of file point_gfp.h.

                            {
         UNCOMPRESSED = 0,
         COMPRESSED   = 1,
         HYBRID       = 2
      };

Constructor & Destructor Documentation

◆ PointGFp() [1/5]

Botan::PointGFp::PointGFp ( )

default

Construct an uninitialized PointGFp

Referenced by mult2(), mult2i(), and operator-=().

◆ PointGFp() [2/5]

Botan::PointGFp::PointGFp ( const CurveGFp & curve )

explicit

Construct the zero point

Parameters

curve The base curve

Definition at line 18 of file point_gfp.cpp.

                                        :
   m_curve(curve),
   m_coord_x(0),
   m_coord_y(curve.get_1_rep()),
   m_coord_z(0)
   {
   // Assumes Montgomery rep of zero is zero
   }

◆ PointGFp() [3/5]

Botan::PointGFp::PointGFp ( const PointGFp & )

default

Copy constructor

◆ PointGFp() [4/5]

Botan::PointGFp::PointGFp ( PointGFp && other )

inline

Move Constructor

Definition at line 77 of file point_gfp.h.

         {
         this->swap(other);
         }

◆ PointGFp() [5/5]

Botan::PointGFp::PointGFp	(	const CurveGFp &	curve,
		const BigInt &	x,
		const BigInt &	y
	)

Construct a point from its affine coordinates Prefer EC_Group::point(x,y) for this operation.

Parameters

curve	the base curve
x	affine x coordinate
y	affine y coordinate

Definition at line 27 of file point_gfp.cpp.

                                                                          :
   m_curve(curve),
   m_coord_x(x),
   m_coord_y(y),
   m_coord_z(m_curve.get_1_rep())
   {
   if(x < 0 || x >= curve.get_p())
      throw Invalid_Argument("Invalid PointGFp affine x");
   if(y < 0 || y >= curve.get_p())
      throw Invalid_Argument("Invalid PointGFp affine y");
 
   secure_vector<word> monty_ws(m_curve.get_ws_size());
   m_curve.to_rep(m_coord_x, monty_ws);
   m_curve.to_rep(m_coord_y, monty_ws);
   }

References Botan::CurveGFp::get_p(), Botan::CurveGFp::get_ws_size(), and Botan::CurveGFp::to_rep().

Member Function Documentation

◆ add() [1/2]

void Botan::PointGFp::add	(	const PointGFp &	other,
		std::vector< BigInt > &	workspace
	)

inline

Point addition

Parameters

other	the point to add to *this
workspace	temp space, at least WORKSPACE_SIZE elements

Definition at line 221 of file point_gfp.h.

         {
         BOTAN_ASSERT_NOMSG(m_curve == other.m_curve);
 
         const size_t p_words = m_curve.get_p_words();
 
         add(other.m_coord_x.data(), std::min(p_words, other.m_coord_x.size()),
             other.m_coord_y.data(), std::min(p_words, other.m_coord_y.size()),
             other.m_coord_z.data(), std::min(p_words, other.m_coord_z.size()),
             workspace);
         }

References BOTAN_ASSERT_NOMSG, Botan::BigInt::data(), and Botan::BigInt::size().

Referenced by Botan::PointGFp_Var_Point_Precompute::mul(), Botan::PointGFp_Multi_Point_Precompute::multi_exp(), Botan::operator*(), operator+=(), and plus().

◆ add() [2/2]

void Botan::PointGFp::add	(	const word	x_words[],
		size_t	x_size,
		const word	y_words[],
		size_t	y_size,
		const word	z_words[],
		size_t	z_size,
		std::vector< BigInt > &	workspace
	)

Point addition. Array version.

Parameters

x_words	the words of the x coordinate of the other point
x_size	size of x_words
y_words	the words of the y coordinate of the other point
y_size	size of y_words
z_words	the words of the z coordinate of the other point
z_size	size of z_words
workspace	temp space, at least WORKSPACE_SIZE elements

Definition at line 173 of file point_gfp.cpp.

   {
   if(all_zeros(x_words, x_size) & all_zeros(z_words, z_size))
      return;
 
   if(is_zero())
      {
      m_coord_x.set_words(x_words, x_size);
      m_coord_y.set_words(y_words, y_size);
      m_coord_z.set_words(z_words, z_size);
      return;
      }
 
   resize_ws(ws_bn, m_curve.get_ws_size());
 
   secure_vector<word>& ws = ws_bn[0].get_word_vector();
   secure_vector<word>& sub_ws = ws_bn[1].get_word_vector();
 
   BigInt& T0 = ws_bn[2];
   BigInt& T1 = ws_bn[3];
   BigInt& T2 = ws_bn[4];
   BigInt& T3 = ws_bn[5];
   BigInt& T4 = ws_bn[6];
   BigInt& T5 = ws_bn[7];
 
   /*
   https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2
   */
 
   const BigInt& p = m_curve.get_p();
 
   m_curve.sqr(T0, z_words, z_size, ws); // z2^2
   m_curve.mul(T1, m_coord_x, T0, ws); // x1*z2^2
   m_curve.mul(T3, z_words, z_size, T0, ws); // z2^3
   m_curve.mul(T2, m_coord_y, T3, ws); // y1*z2^3
 
   m_curve.sqr(T3, m_coord_z, ws); // z1^2
   m_curve.mul(T4, x_words, x_size, T3, ws); // x2*z1^2
 
   m_curve.mul(T5, m_coord_z, T3, ws); // z1^3
   m_curve.mul(T0, y_words, y_size, T5, ws); // y2*z1^3
 
   T4.mod_sub(T1, p, sub_ws); // x2*z1^2 - x1*z2^2
 
   T0.mod_sub(T2, p, sub_ws);
 
   if(T4.is_zero())
      {
      if(T0.is_zero())
         {
         mult2(ws_bn);
         return;
         }
 
      // setting to zero:
      m_coord_x.clear();
      m_coord_y = m_curve.get_1_rep();
      m_coord_z.clear();
      return;
      }
 
   m_curve.sqr(T5, T4, ws);
 
   m_curve.mul(T3, T1, T5, ws);
 
   m_curve.mul(T1, T5, T4, ws);
 
   m_curve.sqr(m_coord_x, T0, ws);
   m_coord_x.mod_sub(T1, p, sub_ws);
   m_coord_x.mod_sub(T3, p, sub_ws);
   m_coord_x.mod_sub(T3, p, sub_ws);
 
   T3.mod_sub(m_coord_x, p, sub_ws);
 
   m_curve.mul(m_coord_y, T0, T3, ws);
   m_curve.mul(T3, T2, T1, ws);
 
   m_coord_y.mod_sub(T3, p, sub_ws);
 
   m_curve.mul(T3, z_words, z_size, m_coord_z, ws);
   m_curve.mul(m_coord_z, T3, T4, ws);
   }

References Botan::BigInt::clear(), Botan::CurveGFp::get_1_rep(), Botan::CurveGFp::get_p(), Botan::CurveGFp::get_ws_size(), Botan::BigInt::is_zero(), is_zero(), Botan::BigInt::mod_sub(), Botan::CurveGFp::mul(), mult2(), Botan::BigInt::set_words(), and Botan::CurveGFp::sqr().

◆ add_affine() [1/2]

void Botan::PointGFp::add_affine	(	const PointGFp &	other,
		std::vector< BigInt > &	workspace
	)

inline

Point addition - mixed J+A

Parameters

other	affine point to add - assumed to be affine!
workspace	temp space, at least WORKSPACE_SIZE elements

Definition at line 254 of file point_gfp.h.

         {
         BOTAN_ASSERT_NOMSG(m_curve == other.m_curve);
         BOTAN_DEBUG_ASSERT(other.is_affine());
 
         const size_t p_words = m_curve.get_p_words();
         add_affine(other.m_coord_x.data(), std::min(p_words, other.m_coord_x.size()),
                    other.m_coord_y.data(), std::min(p_words, other.m_coord_y.size()),
                    workspace);
         }

References BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, Botan::BigInt::data(), is_affine(), and Botan::BigInt::size().

Referenced by Botan::PointGFp_Base_Point_Precompute::mul(), and Botan::PointGFp_Multi_Point_Precompute::multi_exp().

◆ add_affine() [2/2]

void Botan::PointGFp::add_affine	(	const word	x_words[],
		size_t	x_size,
		const word	y_words[],
		size_t	y_size,
		std::vector< BigInt > &	workspace
	)

Point addition - mixed J+A. Array version.

Parameters

x_words	the words of the x coordinate of the other point
x_size	size of x_words
y_words	the words of the y coordinate of the other point
y_size	size of y_words
workspace	temp space, at least WORKSPACE_SIZE elements

Definition at line 90 of file point_gfp.cpp.

   {
   if(all_zeros(x_words, x_size) & all_zeros(y_words, y_size))
      {
      return;
      }
 
   if(is_zero())
      {
      m_coord_x.set_words(x_words, x_size);
      m_coord_y.set_words(y_words, y_size);
      m_coord_z = m_curve.get_1_rep();
      return;
      }
 
   resize_ws(ws_bn, m_curve.get_ws_size());
 
   secure_vector<word>& ws = ws_bn[0].get_word_vector();
   secure_vector<word>& sub_ws = ws_bn[1].get_word_vector();
 
   BigInt& T0 = ws_bn[2];
   BigInt& T1 = ws_bn[3];
   BigInt& T2 = ws_bn[4];
   BigInt& T3 = ws_bn[5];
   BigInt& T4 = ws_bn[6];
 
   /*
   https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2
   simplified with Z2 = 1
   */
 
   const BigInt& p = m_curve.get_p();
 
   m_curve.sqr(T3, m_coord_z, ws); // z1^2
   m_curve.mul(T4, x_words, x_size, T3, ws); // x2*z1^2
 
   m_curve.mul(T2, m_coord_z, T3, ws); // z1^3
   m_curve.mul(T0, y_words, y_size, T2, ws); // y2*z1^3
 
   T4.mod_sub(m_coord_x, p, sub_ws); // x2*z1^2 - x1*z2^2
 
   T0.mod_sub(m_coord_y, p, sub_ws);
 
   if(T4.is_zero())
      {
      if(T0.is_zero())
         {
         mult2(ws_bn);
         return;
         }
 
      // setting to zero:
      m_coord_x.clear();
      m_coord_y = m_curve.get_1_rep();
      m_coord_z.clear();
      return;
      }
 
   m_curve.sqr(T2, T4, ws);
 
   m_curve.mul(T3, m_coord_x, T2, ws);
 
   m_curve.mul(T1, T2, T4, ws);
 
   m_curve.sqr(m_coord_x, T0, ws);
   m_coord_x.mod_sub(T1, p, sub_ws);
 
   m_coord_x.mod_sub(T3, p, sub_ws);
   m_coord_x.mod_sub(T3, p, sub_ws);
 
   T3.mod_sub(m_coord_x, p, sub_ws);
 
   m_curve.mul(T2, T0, T3, ws);
   m_curve.mul(T0, m_coord_y, T1, ws);
   T2.mod_sub(T0, p, sub_ws);
   m_coord_y.swap(T2);
 
   m_curve.mul(T0, m_coord_z, T4, ws);
   m_coord_z.swap(T0);
   }

References Botan::BigInt::clear(), Botan::CurveGFp::get_1_rep(), Botan::CurveGFp::get_p(), Botan::CurveGFp::get_ws_size(), Botan::BigInt::is_zero(), is_zero(), Botan::BigInt::mod_sub(), Botan::CurveGFp::mul(), mult2(), Botan::BigInt::set_words(), Botan::CurveGFp::sqr(), and Botan::BigInt::swap().

◆ double_of()

PointGFp Botan::PointGFp::double_of ( std::vector< BigInt > & workspace ) const

inline

Point doubling

Parameters

workspace temp space, at least WORKSPACE_SIZE elements

Returns: *this doubled

Definition at line 309 of file point_gfp.h.

         {
         PointGFp x = (*this);
         x.mult2(workspace);
         return x;
         }

References mult2().

◆ encode()

std::vector< uint8_t > Botan::PointGFp::encode ( PointGFp::Compression_Type format ) const

EC2OSP - elliptic curve to octet string primitive

Parameters

format which format to encode using

Definition at line 601 of file point_gfp.cpp.

   {
   if(is_zero())
      return std::vector<uint8_t>(1); // single 0 byte
 
   const size_t p_bytes = m_curve.get_p().bytes();
 
   const BigInt x = get_affine_x();
   const BigInt y = get_affine_y();
 
   std::vector<uint8_t> result;
 
   if(format == PointGFp::UNCOMPRESSED)
      {
      result.resize(1 + 2*p_bytes);
      result[0] = 0x04;
      BigInt::encode_1363(&result[1], p_bytes, x);
      BigInt::encode_1363(&result[1+p_bytes], p_bytes, y);
      }
   else if(format == PointGFp::COMPRESSED)
      {
      result.resize(1 + p_bytes);
      result[0] = 0x02 | static_cast<uint8_t>(y.get_bit(0));
      BigInt::encode_1363(&result[1], p_bytes, x);
      }
   else if(format == PointGFp::HYBRID)
      {
      result.resize(1 + 2*p_bytes);
      result[0] = 0x06 | static_cast<uint8_t>(y.get_bit(0));
      BigInt::encode_1363(&result[1], p_bytes, x);
      BigInt::encode_1363(&result[1+p_bytes], p_bytes, y);
      }
   else
      throw Invalid_Argument("EC2OSP illegal point encoding");
 
   return result;
   }

References Botan::BigInt::bytes(), COMPRESSED, Botan::BigInt::encode_1363(), get_affine_x(), get_affine_y(), Botan::BigInt::get_bit(), Botan::CurveGFp::get_p(), HYBRID, is_zero(), and UNCOMPRESSED.

Referenced by Botan::ECIES_KA_Operation::derive_secret(), Botan::ECIES_Encryptor::ECIES_Encryptor(), Botan::EC_PrivateKey::private_key_bits(), and Botan::EC_PublicKey::public_key_bits().

◆ force_affine()

void Botan::PointGFp::force_affine ( )

Force this point to affine coordinates

Definition at line 485 of file point_gfp.cpp.

   {
   if(is_zero())
      throw Invalid_State("Cannot convert zero ECC point to affine");
 
   secure_vector<word> ws;
 
   const BigInt z_inv = m_curve.invert_element(m_coord_z, ws);
   const BigInt z2_inv = m_curve.sqr_to_tmp(z_inv, ws);
   const BigInt z3_inv = m_curve.mul_to_tmp(z_inv, z2_inv, ws);
   m_coord_x = m_curve.mul_to_tmp(m_coord_x, z2_inv, ws);
   m_coord_y = m_curve.mul_to_tmp(m_coord_y, z3_inv, ws);
   m_coord_z = m_curve.get_1_rep();
   }

References Botan::CurveGFp::get_1_rep(), Botan::CurveGFp::invert_element(), is_zero(), Botan::CurveGFp::mul_to_tmp(), and Botan::CurveGFp::sqr_to_tmp().

Referenced by force_all_affine().

◆ force_all_affine()

void Botan::PointGFp::force_all_affine	(	std::vector< PointGFp > &	points,
		secure_vector< word > &	ws
	)

static

Force all points on the list to affine coordinates

Definition at line 420 of file point_gfp.cpp.

   {
   if(points.size() <= 1)
      {
      for(size_t i = 0; i != points.size(); ++i)
         points[i].force_affine();
      return;
      }
 
   for(size_t i = 0; i != points.size(); ++i)
      {
      if(points[i].is_zero())
         throw Invalid_State("Cannot convert zero ECC point to affine");
      }
 
   /*
   For >= 2 points use Montgomery's trick
 
   See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography"
   (Hankerson, Menezes, Vanstone)
 
   TODO is it really necessary to save all k points in c?
   */
 
   const CurveGFp& curve = points[0].m_curve;
   const BigInt& rep_1 = curve.get_1_rep();
 
   if(ws.size() < curve.get_ws_size())
      ws.resize(curve.get_ws_size());
 
   std::vector<BigInt> c(points.size());
   c[0] = points[0].m_coord_z;
 
   for(size_t i = 1; i != points.size(); ++i)
      {
      curve.mul(c[i], c[i-1], points[i].m_coord_z, ws);
      }
 
   BigInt s_inv = curve.invert_element(c[c.size()-1], ws);
 
   BigInt z_inv, z2_inv, z3_inv;
 
   for(size_t i = points.size() - 1; i != 0; i--)
      {
      PointGFp& point = points[i];
 
      curve.mul(z_inv, s_inv, c[i-1], ws);
 
      s_inv = curve.mul_to_tmp(s_inv, point.m_coord_z, ws);
 
      curve.sqr(z2_inv, z_inv, ws);
      curve.mul(z3_inv, z2_inv, z_inv, ws);
      point.m_coord_x = curve.mul_to_tmp(point.m_coord_x, z2_inv, ws);
      point.m_coord_y = curve.mul_to_tmp(point.m_coord_y, z3_inv, ws);
      point.m_coord_z = rep_1;
      }
 
   curve.sqr(z2_inv, s_inv, ws);
   curve.mul(z3_inv, z2_inv, s_inv, ws);
   points[0].m_coord_x = curve.mul_to_tmp(points[0].m_coord_x, z2_inv, ws);
   points[0].m_coord_y = curve.mul_to_tmp(points[0].m_coord_y, z3_inv, ws);
   points[0].m_coord_z = rep_1;
   }

References force_affine(), Botan::CurveGFp::get_1_rep(), Botan::CurveGFp::get_ws_size(), Botan::CurveGFp::invert_element(), is_zero(), Botan::CurveGFp::mul(), Botan::CurveGFp::mul_to_tmp(), Botan::BigInt::resize(), and Botan::CurveGFp::sqr().

Referenced by Botan::PointGFp_Multi_Point_Precompute::PointGFp_Multi_Point_Precompute().

◆ get_affine_x()

BigInt Botan::PointGFp::get_affine_x ( ) const

get affine x coordinate

Returns: affine x coordinate

Definition at line 505 of file point_gfp.cpp.

   {
   if(is_zero())
      throw Illegal_Transformation("Cannot convert zero point to affine");
 
   secure_vector<word> monty_ws;
 
   if(is_affine())
      return m_curve.from_rep_to_tmp(m_coord_x, monty_ws);
 
   BigInt z2 = m_curve.sqr_to_tmp(m_coord_z, monty_ws);
   z2 = m_curve.invert_element(z2, monty_ws);
 
   BigInt r;
   m_curve.mul(r, m_coord_x, z2, monty_ws);
   m_curve.from_rep(r, monty_ws);
   return r;
   }

References Botan::CurveGFp::from_rep(), Botan::CurveGFp::from_rep_to_tmp(), Botan::CurveGFp::invert_element(), is_affine(), is_zero(), Botan::CurveGFp::mul(), and Botan::CurveGFp::sqr_to_tmp().

Referenced by Botan::EC_Group::blinded_base_point_multiply_x(), encode(), operator==(), Botan::GOST_3410_PublicKey::public_key_bits(), and Botan::sm2_compute_za().

◆ get_affine_y()

BigInt Botan::PointGFp::get_affine_y ( ) const

get affine y coordinate

Returns: affine y coordinate

Definition at line 524 of file point_gfp.cpp.

   {
   if(is_zero())
      throw Illegal_Transformation("Cannot convert zero point to affine");
 
   secure_vector<word> monty_ws;
 
   if(is_affine())
      return m_curve.from_rep_to_tmp(m_coord_y, monty_ws);
 
   const BigInt z2 = m_curve.sqr_to_tmp(m_coord_z, monty_ws);
   const BigInt z3 = m_curve.mul_to_tmp(m_coord_z, z2, monty_ws);
   const BigInt z3_inv = m_curve.invert_element(z3, monty_ws);
 
   BigInt r;
   m_curve.mul(r, m_coord_y, z3_inv, monty_ws);
   m_curve.from_rep(r, monty_ws);
   return r;
   }

References Botan::CurveGFp::from_rep(), Botan::CurveGFp::from_rep_to_tmp(), Botan::CurveGFp::invert_element(), is_affine(), is_zero(), Botan::CurveGFp::mul(), Botan::CurveGFp::mul_to_tmp(), and Botan::CurveGFp::sqr_to_tmp().

Referenced by encode(), operator==(), Botan::GOST_3410_PublicKey::public_key_bits(), and Botan::sm2_compute_za().

◆ get_curve()

const CurveGFp & Botan::PointGFp::get_curve ( ) const

inline

Return base curve of this point

Returns: the curve over GF(p) of this point

You should not need to use this

Definition at line 327 of file point_gfp.h.

327{ return m_curve; }

◆ get_x()

const BigInt & Botan::PointGFp::get_x ( ) const

inline

Definition at line 156 of file point_gfp.h.

156{ return m_coord_x; }

◆ get_y()

const BigInt & Botan::PointGFp::get_y ( ) const

inline

Definition at line 157 of file point_gfp.h.

157{ return m_coord_y; }

◆ get_z()

const BigInt & Botan::PointGFp::get_z ( ) const

inline

Definition at line 158 of file point_gfp.h.

158{ return m_coord_z; }

◆ is_affine()

bool Botan::PointGFp::is_affine ( ) const

Definition at line 500 of file point_gfp.cpp.

   {
   return m_curve.is_one(m_coord_z);
   }

References Botan::CurveGFp::is_one().

Referenced by add_affine(), get_affine_x(), and get_affine_y().

◆ is_zero()

bool Botan::PointGFp::is_zero ( ) const

inline

Is this the point at infinity?

Returns: true, if this point is at infinity, false otherwise.

Definition at line 184 of file point_gfp.h.

184{ return m_coord_z.is_zero(); }

Botan::BigInt::is_zero

bool is_zero() const

Definition: bigint.h:421

Referenced by add(), add_affine(), Botan::EC_Group::blinded_base_point_multiply_x(), Botan::ECIES_KA_Operation::derive_secret(), encode(), force_affine(), force_all_affine(), get_affine_x(), get_affine_y(), mult2(), on_the_curve(), operator-=(), operator==(), and Botan::EC_Group::verify_public_element().

◆ mult2()

void Botan::PointGFp::mult2 ( std::vector< BigInt > & workspace )

Point doubling

Parameters

workspace temp space, at least WORKSPACE_SIZE elements

Definition at line 279 of file point_gfp.cpp.

   {
   if(is_zero())
      return;
 
   if(m_coord_y.is_zero())
      {
      *this = PointGFp(m_curve); // setting myself to zero
      return;
      }
 
   resize_ws(ws_bn, m_curve.get_ws_size());
 
   secure_vector<word>& ws = ws_bn[0].get_word_vector();
   secure_vector<word>& sub_ws = ws_bn[1].get_word_vector();
 
   BigInt& T0 = ws_bn[2];
   BigInt& T1 = ws_bn[3];
   BigInt& T2 = ws_bn[4];
   BigInt& T3 = ws_bn[5];
   BigInt& T4 = ws_bn[6];
 
   /*
   https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-1986-cc
   */
   const BigInt& p = m_curve.get_p();
 
   m_curve.sqr(T0, m_coord_y, ws);
 
   m_curve.mul(T1, m_coord_x, T0, ws);
   T1.mod_mul(4, p, sub_ws);
 
   if(m_curve.a_is_zero())
      {
      // if a == 0 then 3*x^2 + a*z^4 is just 3*x^2
      m_curve.sqr(T4, m_coord_x, ws); // x^2
      T4.mod_mul(3, p, sub_ws); // 3*x^2
      }
   else if(m_curve.a_is_minus_3())
      {
      /*
      if a == -3 then
        3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2)
      */
      m_curve.sqr(T3, m_coord_z, ws); // z^2
 
      // (x-z^2)
      T2 = m_coord_x;
      T2.mod_sub(T3, p, sub_ws);
 
      // (x+z^2)
      T3.mod_add(m_coord_x, p, sub_ws);
 
      m_curve.mul(T4, T2, T3, ws); // (x-z^2)*(x+z^2)
 
      T4.mod_mul(3, p, sub_ws); // 3*(x-z^2)*(x+z^2)
      }
   else
      {
      m_curve.sqr(T3, m_coord_z, ws); // z^2
      m_curve.sqr(T4, T3, ws); // z^4
      m_curve.mul(T3, m_curve.get_a_rep(), T4, ws); // a*z^4
 
      m_curve.sqr(T4, m_coord_x, ws); // x^2
      T4.mod_mul(3, p, sub_ws);
      T4.mod_add(T3, p, sub_ws); // 3*x^2 + a*z^4
      }
 
   m_curve.sqr(T2, T4, ws);
   T2.mod_sub(T1, p, sub_ws);
   T2.mod_sub(T1, p, sub_ws);
 
   m_curve.sqr(T3, T0, ws);
   T3.mod_mul(8, p, sub_ws);
 
   T1.mod_sub(T2, p, sub_ws);
 
   m_curve.mul(T0, T4, T1, ws);
   T0.mod_sub(T3, p, sub_ws);
 
   m_coord_x.swap(T2);
 
   m_curve.mul(T2, m_coord_y, m_coord_z, ws);
   T2.mod_mul(2, p, sub_ws);
 
   m_coord_y.swap(T0);
   m_coord_z.swap(T2);
   }

References Botan::CurveGFp::a_is_minus_3(), Botan::CurveGFp::a_is_zero(), Botan::CurveGFp::get_a_rep(), Botan::CurveGFp::get_p(), Botan::CurveGFp::get_ws_size(), Botan::BigInt::is_zero(), is_zero(), Botan::BigInt::mod_add(), Botan::BigInt::mod_mul(), Botan::BigInt::mod_sub(), Botan::CurveGFp::mul(), PointGFp(), Botan::CurveGFp::sqr(), and Botan::BigInt::swap().

Referenced by add(), add_affine(), double_of(), mult2i(), Botan::operator*(), and Botan::PointGFp_Multi_Point_Precompute::PointGFp_Multi_Point_Precompute().

◆ mult2i()

void Botan::PointGFp::mult2i	(	size_t	i,
		std::vector< BigInt > &	workspace
	)

Repeated point doubling

Parameters

i	number of doublings to perform
workspace	temp space, at least WORKSPACE_SIZE elements

Definition at line 259 of file point_gfp.cpp.

   {
   if(iterations == 0)
      return;
 
   if(m_coord_y.is_zero())
      {
      *this = PointGFp(m_curve); // setting myself to zero
      return;
      }
 
   /*
   TODO we can save 2 squarings per iteration by computing
   a*Z^4 using values cached from previous iteration
   */
   for(size_t i = 0; i != iterations; ++i)
      mult2(ws_bn);
   }

References Botan::BigInt::is_zero(), mult2(), and PointGFp().

Referenced by Botan::PointGFp_Var_Point_Precompute::mul(), and Botan::PointGFp_Multi_Point_Precompute::multi_exp().

◆ negate()

PointGFp & Botan::PointGFp::negate ( )

inline

Negate this point

Returns: *this

Definition at line 137 of file point_gfp.h.

         {
         if(!is_zero())
            m_coord_y = m_curve.get_p() - m_coord_y;
         return *this;
         }

Referenced by Botan::PointGFp_Multi_Point_Precompute::multi_exp(), Botan::operator*(), and Botan::operator-().

◆ on_the_curve()

bool Botan::PointGFp::on_the_curve ( ) const

Checks whether the point is to be found on the underlying curve; used to prevent fault attacks.

Returns: if the point is on the curve

Definition at line 544 of file point_gfp.cpp.

   {
   /*
   Is the point still on the curve?? (If everything is correct, the
   point is always on its curve; then the function will return true.
   If somehow the state is corrupted, which suggests a fault attack
   (or internal computational error), then return false.
   */
   if(is_zero())
      return true;
 
   secure_vector<word> monty_ws;
 
   const BigInt y2 = m_curve.from_rep_to_tmp(m_curve.sqr_to_tmp(m_coord_y, monty_ws), monty_ws);
   const BigInt x3 = m_curve.mul_to_tmp(m_coord_x, m_curve.sqr_to_tmp(m_coord_x, monty_ws), monty_ws);
   const BigInt ax = m_curve.mul_to_tmp(m_coord_x, m_curve.get_a_rep(), monty_ws);
   const BigInt z2 = m_curve.sqr_to_tmp(m_coord_z, monty_ws);
 
   if(m_coord_z == z2) // Is z equal to 1 (in Montgomery form)?
      {
      if(y2 != m_curve.from_rep_to_tmp(x3 + ax + m_curve.get_b_rep(), monty_ws))
         return false;
      }
 
   const BigInt z3 = m_curve.mul_to_tmp(m_coord_z, z2, monty_ws);
   const BigInt ax_z4 = m_curve.mul_to_tmp(ax, m_curve.sqr_to_tmp(z2, monty_ws), monty_ws);
   const BigInt b_z6 = m_curve.mul_to_tmp(m_curve.get_b_rep(), m_curve.sqr_to_tmp(z3, monty_ws), monty_ws);
 
   if(y2 != m_curve.from_rep_to_tmp(x3 + ax_z4 + b_z6, monty_ws))
      return false;
 
   return true;
   }

References Botan::CurveGFp::from_rep_to_tmp(), Botan::CurveGFp::get_a_rep(), Botan::CurveGFp::get_b_rep(), is_zero(), Botan::CurveGFp::mul_to_tmp(), and Botan::CurveGFp::sqr_to_tmp().

Referenced by Botan::EC_PrivateKey::EC_PrivateKey(), Botan::GOST_3410_PublicKey::GOST_3410_PublicKey(), Botan::PointGFp_Base_Point_Precompute::mul(), Botan::PointGFp_Var_Point_Precompute::mul(), Botan::operator*(), Botan::OS2ECP(), Botan::EC_Group::verify_group(), and Botan::EC_Group::verify_public_element().

◆ operator*=()

PointGFp & Botan::PointGFp::operator*= ( const BigInt & scalar )

*= Operator

Parameters

scalar the PointGFp to multiply with *this

Returns: resulting PointGFp

Definition at line 388 of file point_gfp.cpp.

   {
   *this = scalar * *this;
   return *this;
   }

◆ operator+=()

PointGFp & Botan::PointGFp::operator+= ( const PointGFp & rhs )

+= Operator

Parameters

rhs	the PointGFp to add to the local value

Returns: resulting PointGFp

Definition at line 369 of file point_gfp.cpp.

   {
   std::vector<BigInt> ws(PointGFp::WORKSPACE_SIZE);
   add(rhs, ws);
   return *this;
   }

References add(), and WORKSPACE_SIZE.

◆ operator-=()

PointGFp & Botan::PointGFp::operator-= ( const PointGFp & rhs )

-= Operator

Parameters

rhs	the PointGFp to subtract from the local value

Returns: resulting PointGFp

Definition at line 376 of file point_gfp.cpp.

   {
   PointGFp minus_rhs = PointGFp(rhs).negate();
 
   if(is_zero())
      *this = minus_rhs;
   else
      *this += minus_rhs;
 
   return *this;
   }

References is_zero(), and PointGFp().

◆ operator=() [1/2]

PointGFp & Botan::PointGFp::operator= ( const PointGFp & )

default

Standard Assignment

◆ operator=() [2/2]

PointGFp & Botan::PointGFp::operator= ( PointGFp && other )

inline

Move Assignment

Definition at line 90 of file point_gfp.h.

         {
         if(this != &other)
            this->swap(other);
         return (*this);
         }

◆ operator==()

bool Botan::PointGFp::operator== ( const PointGFp & other ) const

Equality operator

Definition at line 587 of file point_gfp.cpp.

   {
   if(m_curve != other.m_curve)
      return false;
 
   // If this is zero, only equal if other is also zero
   if(is_zero())
      return other.is_zero();
 
   return (get_affine_x() == other.get_affine_x() &&
           get_affine_y() == other.get_affine_y());
   }

References get_affine_x(), get_affine_y(), and is_zero().

◆ plus()

PointGFp Botan::PointGFp::plus	(	const PointGFp &	other,
		std::vector< BigInt > &	workspace
	)		const

inline

Point addition

Parameters

other	the point to add to *this
workspace	temp space, at least WORKSPACE_SIZE elements

Returns: other plus *this

Definition at line 297 of file point_gfp.h.

         {
         PointGFp x = (*this);
         x.add(other, workspace);
         return x;
         }

References add().

Referenced by Botan::PointGFp_Multi_Point_Precompute::PointGFp_Multi_Point_Precompute().

◆ randomize_repr() [1/2]

void Botan::PointGFp::randomize_repr ( RandomNumberGenerator & rng )

Randomize the point representation The actual value (get_affine_x, get_affine_y) does not change

Definition at line 43 of file point_gfp.cpp.

   {
   secure_vector<word> ws(m_curve.get_ws_size());
   randomize_repr(rng, ws);
   }

References Botan::CurveGFp::get_ws_size(), and randomize_repr().

Referenced by Botan::PointGFp_Base_Point_Precompute::mul(), Botan::PointGFp_Var_Point_Precompute::mul(), and randomize_repr().

◆ randomize_repr() [2/2]

void Botan::PointGFp::randomize_repr	(	RandomNumberGenerator &	rng,
		secure_vector< word > &	ws
	)

Randomize the point representation The actual value (get_affine_x, get_affine_y) does not change

Definition at line 49 of file point_gfp.cpp.

   {
   const BigInt mask = BigInt::random_integer(rng, 2, m_curve.get_p());
 
   /*
   * No reason to convert this to Montgomery representation first,
   * just pretend the random mask was chosen as Redc(mask) and the
   * random mask we generated above is in the Montgomery
   * representation.
   * //m_curve.to_rep(mask, ws);
   */
   const BigInt mask2 = m_curve.sqr_to_tmp(mask, ws);
   const BigInt mask3 = m_curve.mul_to_tmp(mask2, mask, ws);
 
   m_coord_x = m_curve.mul_to_tmp(m_coord_x, mask2, ws);
   m_coord_y = m_curve.mul_to_tmp(m_coord_y, mask3, ws);
   m_coord_z = m_curve.mul_to_tmp(m_coord_z, mask, ws);
   }

References Botan::CurveGFp::get_p(), Botan::CurveGFp::mul_to_tmp(), Botan::BigInt::random_integer(), and Botan::CurveGFp::sqr_to_tmp().

◆ swap()

void Botan::PointGFp::swap ( PointGFp & other )

swaps the states of *this and other, does not throw!

Parameters

other the object to swap values with

Definition at line 579 of file point_gfp.cpp.

   {
   m_curve.swap(other.m_curve);
   m_coord_x.swap(other.m_coord_x);
   m_coord_y.swap(other.m_coord_y);
   m_coord_z.swap(other.m_coord_z);
   }

References Botan::BigInt::swap(), and Botan::CurveGFp::swap().

Referenced by std::swap< Botan::PointGFp >().

◆ swap_coords()

void Botan::PointGFp::swap_coords	(	BigInt &	new_x,
		BigInt &	new_y,
		BigInt &	new_z
	)

inline

Definition at line 160 of file point_gfp.h.

         {
         m_coord_x.swap(new_x);
         m_coord_y.swap(new_y);
         m_coord_z.swap(new_z);
         }

◆ zero()

PointGFp Botan::PointGFp::zero ( ) const

inline

Return the zero (aka infinite) point associated with this curve

Definition at line 319 of file point_gfp.h.

319{ return PointGFp(m_curve); }

Referenced by Botan::PointGFp_Base_Point_Precompute::mul(), and Botan::operator*().

The documentation for this class was generated from the following files:

src/lib/pubkey/ec_group/point_gfp.h
src/lib/pubkey/ec_group/point_gfp.cpp

Public Types

Public Member Functions

Static Public Member Functions

Detailed Description

Member Enumeration Documentation

◆ anonymous enum

◆ Compression_Type

Constructor & Destructor Documentation

◆ PointGFp() [1/5]

◆ PointGFp() [2/5]

◆ PointGFp() [3/5]

◆ PointGFp() [4/5]

◆ PointGFp() [5/5]

Member Function Documentation

◆ add() [1/2]

◆ add() [2/2]

◆ add_affine() [1/2]

◆ add_affine() [2/2]

◆ double_of()

◆ encode()

◆ force_affine()

◆ force_all_affine()

◆ get_affine_x()

◆ get_affine_y()

◆ get_curve()

◆ get_x()

◆ get_y()

◆ get_z()

◆ is_affine()

◆ is_zero()

◆ mult2()

◆ mult2i()

◆ negate()

◆ on_the_curve()

◆ operator*=()

◆ operator+=()

◆ operator-=()

◆ operator=() [1/2]

◆ operator=() [2/2]

◆ operator==()

◆ plus()

◆ randomize_repr() [1/2]

◆ randomize_repr() [2/2]

◆ swap()

◆ swap_coords()

◆ zero()