#include <point_gfp.h>

Public Types
enum	{ WORKSPACE_SIZE = 8 }

enum	Compression_Type { UNCOMPRESSED = 0, COMPRESSED = 1, HYBRID = 2 }

Public Member Functions
void	add (const PointGFp &other, std::vector< BigInt > &workspace)

void	add (const word x_words[], size_t x_size, const word y_words[], size_t y_size, const word z_words[], size_t z_size, std::vector< BigInt > &workspace)

void	add_affine (const PointGFp &other, std::vector< BigInt > &workspace)

void	add_affine (const word x_words[], size_t x_size, const word y_words[], size_t y_size, std::vector< BigInt > &workspace)

PointGFp	double_of (std::vector< BigInt > &workspace) const

std::vector< uint8_t >	encode (PointGFp::Compression_Type format) const

void	force_affine ()

BigInt	get_affine_x () const

BigInt	get_affine_y () const

const CurveGFp &	get_curve () const

const BigInt &	get_x () const

const BigInt &	get_y () const

const BigInt &	get_z () const

bool	is_affine () const

bool	is_zero () const

void	mult2 (std::vector< BigInt > &workspace)

void	mult2i (size_t i, std::vector< BigInt > &workspace)

PointGFp &	negate ()

bool	on_the_curve () const

PointGFp &	operator*= (const BigInt &scalar)

PointGFp &	operator+= (const PointGFp &rhs)

PointGFp &	operator-= (const PointGFp &rhs)

PointGFp &	operator= (const PointGFp &)=default

PointGFp &	operator= (PointGFp &&other)

bool	operator== (const PointGFp &other) const

PointGFp	plus (const PointGFp &other, std::vector< BigInt > &workspace) const

	PointGFp ()=default

	PointGFp (const CurveGFp &curve)

	PointGFp (const PointGFp &)=default

	PointGFp (PointGFp &&other)

	PointGFp (const CurveGFp &curve, const BigInt &x, const BigInt &y)

void	randomize_repr (RandomNumberGenerator &rng)

void	randomize_repr (RandomNumberGenerator &rng, secure_vector< word > &ws)

void	swap (PointGFp &other)

void	swap_coords (BigInt &new_x, BigInt &new_y, BigInt &new_z)

PointGFp	zero () const

Static Public Member Functions
static void	force_all_affine (std::vector< PointGFp > &points, secure_vector< word > &ws)

Detailed Description

This class represents one point on a curve of GF(p)

Definition at line 44 of file point_gfp.h.

Member Enumeration Documentation

◆ anonymous enum

anonymous enum

Enumerator
WORKSPACE_SIZE

Definition at line 53 of file point_gfp.h.

53 { WORKSPACE_SIZE = 8 };

Botan::PointGFp::WORKSPACE_SIZE

Definition: point_gfp.h:53

◆ Compression_Type

enum Botan::PointGFp::Compression_Type

Enumerator
UNCOMPRESSED
COMPRESSED
HYBRID

Definition at line 47 of file point_gfp.h.

                             {
          UNCOMPRESSED = 0,
          COMPRESSED   = 1,
          HYBRID       = 2
       };

Constructor & Destructor Documentation

◆ PointGFp() [1/5]

Botan::PointGFp::PointGFp ( )

default

Construct an uninitialized PointGFp

Referenced by mult2(), mult2i(), and operator-=().

◆ PointGFp() [2/5]

Botan::PointGFp::PointGFp ( const CurveGFp & curve )

explicit

Construct the zero point

Parameters

curve The base curve

Definition at line 17 of file point_gfp.cpp.

                                         :
    m_curve(curve),
    m_coord_x(0),
    m_coord_y(curve.get_1_rep()),
    m_coord_z(0)
    {
    // Assumes Montgomery rep of zero is zero
    }

◆ PointGFp() [3/5]

Botan::PointGFp::PointGFp ( const PointGFp & )

default

Copy constructor

◆ PointGFp() [4/5]

Botan::PointGFp::PointGFp ( PointGFp && other )

inline

Move Constructor

Definition at line 74 of file point_gfp.h.

          {
          this->swap(other);
          }

◆ PointGFp() [5/5]

Botan::PointGFp::PointGFp	(	const CurveGFp &	curve,
		const BigInt &	x,
		const BigInt &	y
	)

Construct a point from its affine coordinates

Parameters

curve	the base curve
x	affine x coordinate
y	affine y coordinate

Definition at line 26 of file point_gfp.cpp.

References Botan::CurveGFp::get_p(), Botan::CurveGFp::get_ws_size(), and Botan::CurveGFp::to_rep().

                                                                           :
    m_curve(curve),
    m_coord_x(x),
    m_coord_y(y),
    m_coord_z(m_curve.get_1_rep())
    {
    if(x <= 0 || x >= curve.get_p())
       throw Invalid_Argument("Invalid PointGFp affine x");
    if(y <= 0 || y >= curve.get_p())
       throw Invalid_Argument("Invalid PointGFp affine y");
 
    secure_vector<word> monty_ws(m_curve.get_ws_size());
    m_curve.to_rep(m_coord_x, monty_ws);
    m_curve.to_rep(m_coord_y, monty_ws);
    }

Member Function Documentation

◆ add() [1/2]

void Botan::PointGFp::add	(	const PointGFp &	other,
		std::vector< BigInt > &	workspace
	)

inline

Point addition

Parameters

other	the point to add to *this
workspace	temp space, at least WORKSPACE_SIZE elements

Definition at line 218 of file point_gfp.h.

References BOTAN_ASSERT_NOMSG, Botan::BigInt::data(), and Botan::BigInt::size().

Referenced by Botan::operator*(), operator+=(), and plus().

          {
          BOTAN_ASSERT_NOMSG(m_curve == other.m_curve);
 
          const size_t p_words = m_curve.get_p_words();
 
          add(other.m_coord_x.data(), std::min(p_words, other.m_coord_x.size()),
              other.m_coord_y.data(), std::min(p_words, other.m_coord_y.size()),
              other.m_coord_z.data(), std::min(p_words, other.m_coord_z.size()),
              workspace);
          }

◆ add() [2/2]

void Botan::PointGFp::add	(	const word	x_words[],
		size_t	x_size,
		const word	y_words[],
		size_t	y_size,
		const word	z_words[],
		size_t	z_size,
		std::vector< BigInt > &	workspace
	)

Point addition. Array version.

Parameters

x_words	the words of the x coordinate of the other point
x_size	size of x_words
y_words	the words of the y coordinate of the other point
y_size	size of y_words
z_words	the words of the z coordinate of the other point
z_size	size of z_words
workspace	temp space, at least WORKSPACE_SIZE elements

Definition at line 170 of file point_gfp.cpp.

References Botan::CurveGFp::get_1_rep(), Botan::CurveGFp::get_p(), Botan::CurveGFp::get_ws_size(), is_zero(), Botan::BigInt::is_zero(), Botan::BigInt::mod_sub(), Botan::CurveGFp::mul(), mult2(), Botan::BigInt::set_words(), and Botan::CurveGFp::sqr().

    {
    if(all_zeros(x_words, x_size) && all_zeros(z_words, z_size))
       return;
 
    if(is_zero())
       {
       m_coord_x.set_words(x_words, x_size);
       m_coord_y.set_words(y_words, y_size);
       m_coord_z.set_words(z_words, z_size);
       return;
       }
 
    resize_ws(ws_bn, m_curve.get_ws_size());
 
    secure_vector<word>& ws = ws_bn[0].get_word_vector();
    secure_vector<word>& sub_ws = ws_bn[1].get_word_vector();
 
    BigInt& T0 = ws_bn[2];
    BigInt& T1 = ws_bn[3];
    BigInt& T2 = ws_bn[4];
    BigInt& T3 = ws_bn[5];
    BigInt& T4 = ws_bn[6];
    BigInt& T5 = ws_bn[7];
 
    /*
    https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2
    */
 
    const BigInt& p = m_curve.get_p();
 
    m_curve.sqr(T0, z_words, z_size, ws); // z2^2
    m_curve.mul(T1, m_coord_x, T0, ws); // x1*z2^2
    m_curve.mul(T3, z_words, z_size, T0, ws); // z2^3
    m_curve.mul(T2, m_coord_y, T3, ws); // y1*z2^3
 
    m_curve.sqr(T3, m_coord_z, ws); // z1^2
    m_curve.mul(T4, x_words, x_size, T3, ws); // x2*z1^2
 
    m_curve.mul(T5, m_coord_z, T3, ws); // z1^3
    m_curve.mul(T0, y_words, y_size, T5, ws); // y2*z1^3
 
    T4.mod_sub(T1, p, sub_ws); // x2*z1^2 - x1*z2^2
 
    T0.mod_sub(T2, p, sub_ws);
 
    if(T4.is_zero())
       {
       if(T0.is_zero())
          {
          mult2(ws_bn);
          return;
          }
 
       // setting to zero:
       m_coord_x = 0;
       m_coord_y = m_curve.get_1_rep();
       m_coord_z = 0;
       return;
       }
 
    m_curve.sqr(T5, T4, ws);
 
    m_curve.mul(T3, T1, T5, ws);
 
    m_curve.mul(T1, T5, T4, ws);
 
    m_curve.sqr(m_coord_x, T0, ws);
    m_coord_x.mod_sub(T1, p, sub_ws);
    m_coord_x.mod_sub(T3, p, sub_ws);
    m_coord_x.mod_sub(T3, p, sub_ws);
 
    T3.mod_sub(m_coord_x, p, sub_ws);
 
    m_curve.mul(m_coord_y, T0, T3, ws);
    m_curve.mul(T3, T2, T1, ws);
 
    m_coord_y.mod_sub(T3, p, sub_ws);
 
    m_curve.mul(T3, z_words, z_size, m_coord_z, ws);
    m_curve.mul(m_coord_z, T3, T4, ws);
    }

◆ add_affine() [1/2]

void Botan::PointGFp::add_affine	(	const PointGFp &	other,
		std::vector< BigInt > &	workspace
	)

inline

Point addition - mixed J+A

Parameters

other	affine point to add - assumed to be affine!
workspace	temp space, at least WORKSPACE_SIZE elements

Definition at line 251 of file point_gfp.h.

References BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, Botan::BigInt::data(), is_affine(), and Botan::BigInt::size().

Referenced by Botan::PointGFp_Base_Point_Precompute::mul(), and Botan::PointGFp_Multi_Point_Precompute::multi_exp().

          {
          BOTAN_ASSERT_NOMSG(m_curve == other.m_curve);
          BOTAN_DEBUG_ASSERT(other.is_affine());
 
          const size_t p_words = m_curve.get_p_words();
          add_affine(other.m_coord_x.data(), std::min(p_words, other.m_coord_x.size()),
                     other.m_coord_y.data(), std::min(p_words, other.m_coord_y.size()),
                     workspace);
          }

◆ add_affine() [2/2]

void Botan::PointGFp::add_affine	(	const word	x_words[],
		size_t	x_size,
		const word	y_words[],
		size_t	y_size,
		std::vector< BigInt > &	workspace
	)

Point addition - mixed J+A. Array version.

Parameters

x_words	the words of the x coordinate of the other point
x_size	size of x_words
y_words	the words of the y coordinate of the other point
y_size	size of y_words
workspace	temp space, at least WORKSPACE_SIZE elements

Definition at line 89 of file point_gfp.cpp.

References Botan::CurveGFp::get_1_rep(), Botan::CurveGFp::get_p(), Botan::BigInt::get_word_vector(), Botan::CurveGFp::get_ws_size(), is_zero(), Botan::BigInt::is_zero(), Botan::BigInt::mod_sub(), Botan::CurveGFp::mul(), mult2(), Botan::BigInt::set_words(), and Botan::CurveGFp::sqr().

    {
    if(all_zeros(x_words, x_size) && all_zeros(y_words, y_size))
       return;
 
    if(is_zero())
       {
       m_coord_x.set_words(x_words, x_size);
       m_coord_y.set_words(y_words, y_size);
       m_coord_z = m_curve.get_1_rep();
       return;
       }
 
    resize_ws(ws_bn, m_curve.get_ws_size());
 
    secure_vector<word>& ws = ws_bn[0].get_word_vector();
    secure_vector<word>& sub_ws = ws_bn[1].get_word_vector();
 
    BigInt& T0 = ws_bn[2];
    BigInt& T1 = ws_bn[3];
    BigInt& T2 = ws_bn[4];
    BigInt& T3 = ws_bn[5];
    BigInt& T4 = ws_bn[6];
 
    /*
    https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2
    simplified with Z2 = 1
    */
 
    const BigInt& p = m_curve.get_p();
 
    m_curve.sqr(T3, m_coord_z, ws); // z1^2
    m_curve.mul(T4, x_words, x_size, T3, ws); // x2*z1^2
 
    m_curve.mul(T2, m_coord_z, T3, ws); // z1^3
    m_curve.mul(T0, y_words, y_size, T2, ws); // y2*z1^3
 
    T4.mod_sub(m_coord_x, p, sub_ws); // x2*z1^2 - x1*z2^2
 
    T0.mod_sub(m_coord_y, p, sub_ws);
 
    if(T4.is_zero())
       {
       if(T0.is_zero())
          {
          mult2(ws_bn);
          return;
          }
 
       // setting to zero:
       m_coord_x = 0;
       m_coord_y = m_curve.get_1_rep();
       m_coord_z = 0;
       return;
       }
 
    m_curve.sqr(T2, T4, ws);
 
    m_curve.mul(T3, m_coord_x, T2, ws);
 
    m_curve.mul(T1, T2, T4, ws);
 
    m_curve.sqr(m_coord_x, T0, ws);
    m_coord_x.mod_sub(T1, p, sub_ws);
    m_coord_x.mod_sub(T3, p, sub_ws);
    m_coord_x.mod_sub(T3, p, sub_ws);
 
    T3.mod_sub(m_coord_x, p, sub_ws);
 
    T2 = m_coord_y;
    m_curve.mul(T2, T0, T3, ws);
    m_curve.mul(T3, m_coord_y, T1, ws);
    T2.mod_sub(T3, p, sub_ws);
    m_coord_y = T2;
 
    m_curve.mul(T3, m_coord_z, T4, ws);
    m_coord_z = T3;
    }

◆ double_of()

PointGFp Botan::PointGFp::double_of ( std::vector< BigInt > & workspace ) const

inline

Point doubling

Parameters

workspace temp space, at least WORKSPACE_SIZE elements

Returns: *this doubled

Definition at line 306 of file point_gfp.h.

References mult2().

          {
          PointGFp x = (*this);
          x.mult2(workspace);
          return x;
          }

◆ encode()

std::vector< uint8_t > Botan::PointGFp::encode ( PointGFp::Compression_Type format ) const

EC2OSP - elliptic curve to octet string primitive

Parameters

format which format to encode using

Definition at line 597 of file point_gfp.cpp.

References Botan::BigInt::bytes(), COMPRESSED, Botan::BigInt::encode_1363(), get_affine_x(), get_affine_y(), Botan::BigInt::get_bit(), Botan::CurveGFp::get_p(), HYBRID, is_zero(), and UNCOMPRESSED.

Referenced by Botan::ECIES_Encryptor::ECIES_Encryptor(), and Botan::EC_PublicKey::public_key_bits().

    {
    if(is_zero())
       return std::vector<uint8_t>(1); // single 0 byte
 
    const size_t p_bytes = m_curve.get_p().bytes();
 
    const BigInt x = get_affine_x();
    const BigInt y = get_affine_y();
 
    std::vector<uint8_t> result;
 
    if(format == PointGFp::UNCOMPRESSED)
       {
       result.resize(1 + 2*p_bytes);
       result[0] = 0x04;
       BigInt::encode_1363(&result[1], p_bytes, x);
       BigInt::encode_1363(&result[1+p_bytes], p_bytes, y);
       }
    else if(format == PointGFp::COMPRESSED)
       {
       result.resize(1 + p_bytes);
       result[0] = 0x02 | static_cast<uint8_t>(y.get_bit(0));
       BigInt::encode_1363(&result[1], p_bytes, x);
       }
    else if(format == PointGFp::HYBRID)
       {
       result.resize(1 + 2*p_bytes);
       result[0] = 0x06 | static_cast<uint8_t>(y.get_bit(0));
       BigInt::encode_1363(&result[1], p_bytes, x);
       BigInt::encode_1363(&result[1+p_bytes], p_bytes, y);
       }
    else
       throw Invalid_Argument("EC2OSP illegal point encoding");
 
    return result;
    }

◆ force_affine()

void Botan::PointGFp::force_affine ( )

Force this point to affine coordinates

Definition at line 481 of file point_gfp.cpp.

References Botan::CurveGFp::get_1_rep(), Botan::CurveGFp::invert_element(), is_zero(), Botan::CurveGFp::mul_to_tmp(), and Botan::CurveGFp::sqr_to_tmp().

Referenced by force_all_affine().

    {
    if(is_zero())
       throw Invalid_State("Cannot convert zero ECC point to affine");
 
    secure_vector<word> ws;
 
    const BigInt z_inv = m_curve.invert_element(m_coord_z, ws);
    const BigInt z2_inv = m_curve.sqr_to_tmp(z_inv, ws);
    const BigInt z3_inv = m_curve.mul_to_tmp(z_inv, z2_inv, ws);
    m_coord_x = m_curve.mul_to_tmp(m_coord_x, z2_inv, ws);
    m_coord_y = m_curve.mul_to_tmp(m_coord_y, z3_inv, ws);
    m_coord_z = m_curve.get_1_rep();
    }

◆ force_all_affine()

void Botan::PointGFp::force_all_affine	(	std::vector< PointGFp > &	points,
		secure_vector< word > &	ws
	)

static

Force all points on the list to affine coordinates

Definition at line 422 of file point_gfp.cpp.

References force_affine(), Botan::CurveGFp::get_1_rep(), Botan::CurveGFp::get_ws_size(), Botan::CurveGFp::invert_element(), Botan::CurveGFp::mul(), Botan::CurveGFp::mul_to_tmp(), and Botan::CurveGFp::sqr().

Referenced by Botan::PointGFp_Multi_Point_Precompute::PointGFp_Multi_Point_Precompute().

    {
    if(points.size() <= 1)
       {
       for(size_t i = 0; i != points.size(); ++i)
          points[i].force_affine();
       return;
       }
 
    /*
    For >= 2 points use Montgomery's trick
 
    See Algorithm 2.26 in "Guide to Elliptic Curve Cryptography"
    (Hankerson, Menezes, Vanstone)
 
    TODO is it really necessary to save all k points in c?
    */
 
    const CurveGFp& curve = points[0].m_curve;
    const BigInt& rep_1 = curve.get_1_rep();
 
    if(ws.size() < curve.get_ws_size())
       ws.resize(curve.get_ws_size());
 
    std::vector<BigInt> c(points.size());
    c[0] = points[0].m_coord_z;
 
    for(size_t i = 1; i != points.size(); ++i)
       {
       curve.mul(c[i], c[i-1], points[i].m_coord_z, ws);
       }
 
    BigInt s_inv = curve.invert_element(c[c.size()-1], ws);
 
    BigInt z_inv, z2_inv, z3_inv;
 
    for(size_t i = points.size() - 1; i != 0; i--)
       {
       PointGFp& point = points[i];
 
       curve.mul(z_inv, s_inv, c[i-1], ws);
 
       s_inv = curve.mul_to_tmp(s_inv, point.m_coord_z, ws);
 
       curve.sqr(z2_inv, z_inv, ws);
       curve.mul(z3_inv, z2_inv, z_inv, ws);
       point.m_coord_x = curve.mul_to_tmp(point.m_coord_x, z2_inv, ws);
       point.m_coord_y = curve.mul_to_tmp(point.m_coord_y, z3_inv, ws);
       point.m_coord_z = rep_1;
       }
 
    curve.sqr(z2_inv, s_inv, ws);
    curve.mul(z3_inv, z2_inv, s_inv, ws);
    points[0].m_coord_x = curve.mul_to_tmp(points[0].m_coord_x, z2_inv, ws);
    points[0].m_coord_y = curve.mul_to_tmp(points[0].m_coord_y, z3_inv, ws);
    points[0].m_coord_z = rep_1;
    }

◆ get_affine_x()

BigInt Botan::PointGFp::get_affine_x ( ) const

get affine x coordinate

Returns: affine x coordinate

Definition at line 501 of file point_gfp.cpp.

References Botan::CurveGFp::from_rep(), Botan::CurveGFp::invert_element(), is_affine(), is_zero(), Botan::CurveGFp::mul(), and Botan::CurveGFp::sqr_to_tmp().

Referenced by Botan::EC_Group::blinded_base_point_multiply_x(), encode(), operator==(), Botan::GOST_3410_PublicKey::public_key_bits(), and Botan::sm2_compute_za().

    {
    if(is_zero())
       throw Illegal_Transformation("Cannot convert zero point to affine");
 
    secure_vector<word> monty_ws;
 
    if(is_affine())
       return m_curve.from_rep(m_coord_x, monty_ws);
 
    BigInt z2 = m_curve.sqr_to_tmp(m_coord_z, monty_ws);
    z2 = m_curve.invert_element(z2, monty_ws);
 
    BigInt r;
    m_curve.mul(r, m_coord_x, z2, monty_ws);
    m_curve.from_rep(r, monty_ws);
    return r;
    }

◆ get_affine_y()

BigInt Botan::PointGFp::get_affine_y ( ) const

get affine y coordinate

Returns: affine y coordinate

Definition at line 520 of file point_gfp.cpp.

References Botan::CurveGFp::from_rep(), Botan::CurveGFp::invert_element(), is_affine(), is_zero(), Botan::CurveGFp::mul(), Botan::CurveGFp::mul_to_tmp(), and Botan::CurveGFp::sqr_to_tmp().

Referenced by encode(), operator==(), Botan::GOST_3410_PublicKey::public_key_bits(), and Botan::sm2_compute_za().

    {
    if(is_zero())
       throw Illegal_Transformation("Cannot convert zero point to affine");
 
    secure_vector<word> monty_ws;
 
    if(is_affine())
       return m_curve.from_rep(m_coord_y, monty_ws);
 
    const BigInt z2 = m_curve.sqr_to_tmp(m_coord_z, monty_ws);
    const BigInt z3 = m_curve.mul_to_tmp(m_coord_z, z2, monty_ws);
    const BigInt z3_inv = m_curve.invert_element(z3, monty_ws);
 
    BigInt r;
    m_curve.mul(r, m_coord_y, z3_inv, monty_ws);
    m_curve.from_rep(r, monty_ws);
    return r;
    }

◆ get_curve()

const CurveGFp& Botan::PointGFp::get_curve ( ) const

inline

Return base curve of this point

Returns: the curve over GF(p) of this point

You should not need to use this

Definition at line 324 of file point_gfp.h.

Referenced by Botan::EC_PublicKey::EC_PublicKey().

324 { return m_curve; }

◆ get_x()

const BigInt& Botan::PointGFp::get_x ( ) const

inline

Definition at line 152 of file point_gfp.h.

152 { return m_coord_x; }

◆ get_y()

const BigInt& Botan::PointGFp::get_y ( ) const

inline

Definition at line 153 of file point_gfp.h.

153 { return m_coord_y; }

◆ get_z()

const BigInt& Botan::PointGFp::get_z ( ) const

inline

Definition at line 154 of file point_gfp.h.

154 { return m_coord_z; }

◆ is_affine()

bool Botan::PointGFp::is_affine ( ) const

Definition at line 496 of file point_gfp.cpp.

References Botan::CurveGFp::is_one().

Referenced by add_affine(), get_affine_x(), and get_affine_y().

    {
    return m_curve.is_one(m_coord_z);
    }

◆ is_zero()

bool Botan::PointGFp::is_zero ( ) const

inline

Is this the point at infinity?

Returns: true, if this point is at infinity, false otherwise.

Definition at line 180 of file point_gfp.h.

Referenced by add(), add_affine(), Botan::EC_Group::blinded_base_point_multiply_x(), Botan::ECIES_KA_Operation::derive_secret(), encode(), force_affine(), get_affine_x(), get_affine_y(), mult2(), on_the_curve(), operator-=(), operator==(), and Botan::EC_Group::verify_public_element().

181 { return (m_coord_x.is_zero() && m_coord_z.is_zero()); }

Botan::BigInt::is_zero

bool is_zero() const

Definition: bigint.h:355

◆ mult2()

void Botan::PointGFp::mult2 ( std::vector< BigInt > & workspace )

Point doubling

Parameters

workspace temp space, at least WORKSPACE_SIZE elements

Definition at line 276 of file point_gfp.cpp.

References Botan::CurveGFp::a_is_minus_3(), Botan::CurveGFp::a_is_zero(), Botan::CurveGFp::get_a_rep(), Botan::CurveGFp::get_p(), Botan::CurveGFp::get_ws_size(), is_zero(), Botan::BigInt::is_zero(), Botan::BigInt::mod_add(), Botan::BigInt::mod_sub(), Botan::CurveGFp::mul(), PointGFp(), Botan::CurveGFp::redc_mod_p(), and Botan::CurveGFp::sqr().

Referenced by add(), add_affine(), double_of(), mult2i(), Botan::operator*(), and Botan::PointGFp_Multi_Point_Precompute::PointGFp_Multi_Point_Precompute().

    {
    if(is_zero())
       return;
 
    if(m_coord_y.is_zero())
       {
       *this = PointGFp(m_curve); // setting myself to zero
       return;
       }
 
    resize_ws(ws_bn, m_curve.get_ws_size());
 
    secure_vector<word>& ws = ws_bn[0].get_word_vector();
    secure_vector<word>& sub_ws = ws_bn[1].get_word_vector();
 
    BigInt& T0 = ws_bn[2];
    BigInt& T1 = ws_bn[3];
    BigInt& T2 = ws_bn[4];
    BigInt& T3 = ws_bn[5];
    BigInt& T4 = ws_bn[6];
 
    /*
    https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-1986-cc
    */
    const BigInt& p = m_curve.get_p();
 
    m_curve.sqr(T0, m_coord_y, ws);
 
    m_curve.mul(T1, m_coord_x, T0, ws);
    T1 <<= 2; // * 4
    m_curve.redc_mod_p(T1, sub_ws);
 
    if(m_curve.a_is_zero())
       {
       // if a == 0 then 3*x^2 + a*z^4 is just 3*x^2
       m_curve.sqr(T4, m_coord_x, ws); // x^2
       T4 *= 3; // 3*x^2
       m_curve.redc_mod_p(T4, sub_ws);
       }
    else if(m_curve.a_is_minus_3())
       {
       /*
       if a == -3 then
         3*x^2 + a*z^4 == 3*x^2 - 3*z^4 == 3*(x^2-z^4) == 3*(x-z^2)*(x+z^2)
       */
       m_curve.sqr(T3, m_coord_z, ws); // z^2
 
       // (x-z^2)
       T2 = m_coord_x;
       T2.mod_sub(T3, p, sub_ws);
 
       // (x+z^2)
       T3.mod_add(m_coord_x, p, sub_ws);
 
       m_curve.mul(T4, T2, T3, ws); // (x-z^2)*(x+z^2)
 
       T4 *= 3; // 3*(x-z^2)*(x+z^2)
       m_curve.redc_mod_p(T4, sub_ws);
       }
    else
       {
       m_curve.sqr(T3, m_coord_z, ws); // z^2
       m_curve.sqr(T4, T3, ws); // z^4
       m_curve.mul(T3, m_curve.get_a_rep(), T4, ws); // a*z^4
 
       m_curve.sqr(T4, m_coord_x, ws); // x^2
       T4 *= 3; // 3*x^2
       T4.mod_add(T3, p, sub_ws); // 3*x^2 + a*z^4
       }
 
    m_curve.sqr(T2, T4, ws);
    T2.mod_sub(T1, p, sub_ws);
    T2.mod_sub(T1, p, sub_ws);
 
    m_curve.sqr(T3, T0, ws);
    T3 <<= 3;
    m_curve.redc_mod_p(T3, sub_ws);
 
    T1.mod_sub(T2, p, sub_ws);
 
    m_curve.mul(T0, T4, T1, ws);
    T0.mod_sub(T3, p, sub_ws);
 
    m_coord_x = T2;
 
    m_curve.mul(T2, m_coord_y, m_coord_z, ws);
    T2 <<= 1;
    m_curve.redc_mod_p(T2, sub_ws);
 
    m_coord_y = T0;
    m_coord_z = T2;
    }

◆ mult2i()

void Botan::PointGFp::mult2i	(	size_t	i,
		std::vector< BigInt > &	workspace
	)

Repeated point doubling

Parameters

i	number of doublings to perform
workspace	temp space, at least WORKSPACE_SIZE elements

Definition at line 256 of file point_gfp.cpp.

References Botan::BigInt::is_zero(), mult2(), and PointGFp().

Referenced by Botan::PointGFp_Multi_Point_Precompute::multi_exp().

    {
    if(iterations == 0)
       return;
 
    if(m_coord_y.is_zero())
       {
       *this = PointGFp(m_curve); // setting myself to zero
       return;
       }
 
    /*
    TODO we can save 2 squarings per iteration by computing
    a*Z^4 using values cached from previous iteration
    */
    for(size_t i = 0; i != iterations; ++i)
       mult2(ws_bn);
    }

◆ negate()

PointGFp& Botan::PointGFp::negate ( )

inline

Negate this point

Returns: *this

Definition at line 133 of file point_gfp.h.

References Botan::CT::is_zero().

Referenced by Botan::PointGFp_Multi_Point_Precompute::multi_exp(), and Botan::operator-().

          {
          if(!is_zero())
             m_coord_y = m_curve.get_p() - m_coord_y;
          return *this;
          }

◆ on_the_curve()

bool Botan::PointGFp::on_the_curve ( ) const

Checks whether the point is to be found on the underlying curve; used to prevent fault attacks.

Returns: if the point is on the curve

Definition at line 540 of file point_gfp.cpp.

References Botan::CurveGFp::from_rep(), Botan::CurveGFp::get_a_rep(), Botan::CurveGFp::get_b_rep(), is_zero(), Botan::CurveGFp::mul_to_tmp(), and Botan::CurveGFp::sqr_to_tmp().

Referenced by Botan::EC_PrivateKey::EC_PrivateKey(), Botan::GOST_3410_PublicKey::GOST_3410_PublicKey(), Botan::PointGFp_Base_Point_Precompute::mul(), Botan::operator*(), Botan::EC_Group::verify_group(), and Botan::EC_Group::verify_public_element().

    {
    /*
    Is the point still on the curve?? (If everything is correct, the
    point is always on its curve; then the function will return true.
    If somehow the state is corrupted, which suggests a fault attack
    (or internal computational error), then return false.
    */
    if(is_zero())
       return true;
 
    secure_vector<word> monty_ws;
 
    const BigInt y2 = m_curve.from_rep(m_curve.sqr_to_tmp(m_coord_y, monty_ws), monty_ws);
    const BigInt x3 = m_curve.mul_to_tmp(m_coord_x, m_curve.sqr_to_tmp(m_coord_x, monty_ws), monty_ws);
    const BigInt ax = m_curve.mul_to_tmp(m_coord_x, m_curve.get_a_rep(), monty_ws);
    const BigInt z2 = m_curve.sqr_to_tmp(m_coord_z, monty_ws);
 
    if(m_coord_z == z2) // Is z equal to 1 (in Montgomery form)?
       {
       if(y2 != m_curve.from_rep(x3 + ax + m_curve.get_b_rep(), monty_ws))
          return false;
       }
 
    const BigInt z3 = m_curve.mul_to_tmp(m_coord_z, z2, monty_ws);
    const BigInt ax_z4 = m_curve.mul_to_tmp(ax, m_curve.sqr_to_tmp(z2, monty_ws), monty_ws);
    const BigInt b_z6 = m_curve.mul_to_tmp(m_curve.get_b_rep(), m_curve.sqr_to_tmp(z3, monty_ws), monty_ws);
 
    if(y2 != m_curve.from_rep(x3 + ax_z4 + b_z6, monty_ws))
       return false;
 
    return true;
    }

◆ operator*=()

PointGFp & Botan::PointGFp::operator*= ( const BigInt & scalar )

*= Operator

Parameters

scalar the PointGFp to multiply with *this

Returns: resulting PointGFp

Definition at line 390 of file point_gfp.cpp.

    {
    *this = scalar * *this;
    return *this;
    }

◆ operator+=()

PointGFp & Botan::PointGFp::operator+= ( const PointGFp & rhs )

+= Operator

Parameters

rhs	the PointGFp to add to the local value

Returns: resulting PointGFp

Definition at line 371 of file point_gfp.cpp.

References add(), and WORKSPACE_SIZE.

    {
    std::vector<BigInt> ws(PointGFp::WORKSPACE_SIZE);
    add(rhs, ws);
    return *this;
    }

◆ operator-=()

PointGFp & Botan::PointGFp::operator-= ( const PointGFp & rhs )

-= Operator

Parameters

rhs	the PointGFp to subtract from the local value

Returns: resulting PointGFp

Definition at line 378 of file point_gfp.cpp.

References is_zero(), and PointGFp().

    {
    PointGFp minus_rhs = PointGFp(rhs).negate();
 
    if(is_zero())
       *this = minus_rhs;
    else
       *this += minus_rhs;
 
    return *this;
    }

◆ operator=() [1/2]

PointGFp& Botan::PointGFp::operator= ( const PointGFp & )

default

Standard Assignment

◆ operator=() [2/2]

PointGFp& Botan::PointGFp::operator= ( PointGFp && other )

inline

Move Assignment

Definition at line 87 of file point_gfp.h.

          {
          if(this != &other)
             this->swap(other);
          return (*this);
          }

◆ operator==()

bool Botan::PointGFp::operator== ( const PointGFp & other ) const

Equality operator

Definition at line 583 of file point_gfp.cpp.

References get_affine_x(), get_affine_y(), and is_zero().

    {
    if(m_curve != other.m_curve)
       return false;
 
    // If this is zero, only equal if other is also zero
    if(is_zero())
       return other.is_zero();
 
    return (get_affine_x() == other.get_affine_x() &&
            get_affine_y() == other.get_affine_y());
    }

◆ plus()

PointGFp Botan::PointGFp::plus	(	const PointGFp &	other,
		std::vector< BigInt > &	workspace
	)		const

inline

Point addition

Parameters

other	the point to add to *this
workspace	temp space, at least WORKSPACE_SIZE elements

Returns: other plus *this

Definition at line 294 of file point_gfp.h.

References add().

Referenced by Botan::PointGFp_Multi_Point_Precompute::PointGFp_Multi_Point_Precompute().

          {
          PointGFp x = (*this);
          x.add(other, workspace);
          return x;
          }

◆ randomize_repr() [1/2]

void Botan::PointGFp::randomize_repr ( RandomNumberGenerator & rng )

Randomize the point representation The actual value (get_affine_x, get_affine_y) does not change

Definition at line 42 of file point_gfp.cpp.

References Botan::CurveGFp::get_ws_size().

Referenced by Botan::PointGFp_Base_Point_Precompute::mul().

    {
    secure_vector<word> ws(m_curve.get_ws_size());
    randomize_repr(rng, ws);
    }

◆ randomize_repr() [2/2]

void Botan::PointGFp::randomize_repr	(	RandomNumberGenerator &	rng,
		secure_vector< word > &	ws
	)

Randomize the point representation The actual value (get_affine_x, get_affine_y) does not change

Definition at line 48 of file point_gfp.cpp.

References Botan::CurveGFp::get_p(), Botan::CurveGFp::mul_to_tmp(), Botan::BigInt::random_integer(), and Botan::CurveGFp::sqr_to_tmp().

    {
    const BigInt mask = BigInt::random_integer(rng, 2, m_curve.get_p());
 
    /*
    * No reason to convert this to Montgomery representation first,
    * just pretend the random mask was chosen as Redc(mask) and the
    * random mask we generated above is in the Montgomery
    * representation.
    * //m_curve.to_rep(mask, ws);
    */
    const BigInt mask2 = m_curve.sqr_to_tmp(mask, ws);
    const BigInt mask3 = m_curve.mul_to_tmp(mask2, mask, ws);
 
    m_coord_x = m_curve.mul_to_tmp(m_coord_x, mask2, ws);
    m_coord_y = m_curve.mul_to_tmp(m_coord_y, mask3, ws);
    m_coord_z = m_curve.mul_to_tmp(m_coord_z, mask, ws);
    }

◆ swap()

void Botan::PointGFp::swap ( PointGFp & other )

swaps the states of *this and other, does not throw!

Parameters

other the object to swap values with

Definition at line 575 of file point_gfp.cpp.

References Botan::BigInt::swap(), and Botan::CurveGFp::swap().

    {
    m_curve.swap(other.m_curve);
    m_coord_x.swap(other.m_coord_x);
    m_coord_y.swap(other.m_coord_y);
    m_coord_z.swap(other.m_coord_z);
    }

◆ swap_coords()

void Botan::PointGFp::swap_coords	(	BigInt &	new_x,
		BigInt &	new_y,
		BigInt &	new_z
	)

inline

Definition at line 156 of file point_gfp.h.

          {
          m_coord_x.swap(new_x);
          m_coord_y.swap(new_y);
          m_coord_z.swap(new_z);
          }

◆ zero()

PointGFp Botan::PointGFp::zero ( ) const

inline

Return the zero (aka infinite) point associated with this curve

Definition at line 316 of file point_gfp.h.

Referenced by Botan::PointGFp_Base_Point_Precompute::mul(), and Botan::operator*().

316 { return PointGFp(m_curve); }

Botan::PointGFp::PointGFp

PointGFp()=default

The documentation for this class was generated from the following files:

src/lib/pubkey/ec_group/point_gfp.h
src/lib/pubkey/ec_group/point_gfp.cpp

Public Types

Public Member Functions

Static Public Member Functions

Detailed Description

Member Enumeration Documentation

◆ anonymous enum

◆ Compression_Type

Constructor & Destructor Documentation

◆ PointGFp() [1/5]

◆ PointGFp() [2/5]

◆ PointGFp() [3/5]

◆ PointGFp() [4/5]

◆ PointGFp() [5/5]

Member Function Documentation

◆ add() [1/2]

◆ add() [2/2]

◆ add_affine() [1/2]

◆ add_affine() [2/2]

◆ double_of()

◆ encode()

◆ force_affine()

◆ force_all_affine()

◆ get_affine_x()

◆ get_affine_y()

◆ get_curve()

◆ get_x()

◆ get_y()

◆ get_z()

◆ is_affine()

◆ is_zero()

◆ mult2()

◆ mult2i()

◆ negate()

◆ on_the_curve()

◆ operator*=()

◆ operator+=()

◆ operator-=()

◆ operator=() [1/2]

◆ operator=() [2/2]

◆ operator==()

◆ plus()

◆ randomize_repr() [1/2]

◆ randomize_repr() [2/2]

◆ swap()

◆ swap_coords()

◆ zero()