#include <point_mul.h>

Public Member Functions
PointGFp	mul (const BigInt &k, RandomNumberGenerator &rng, const BigInt &group_order, std::vector< BigInt > &ws) const

	PointGFp_Var_Point_Precompute (const PointGFp &point, RandomNumberGenerator &rng, std::vector< BigInt > &ws)

Detailed Description

Definition at line 44 of file point_mul.h.

Constructor & Destructor Documentation

◆ PointGFp_Var_Point_Precompute()

Botan::PointGFp_Var_Point_Precompute::PointGFp_Var_Point_Precompute	(	const PointGFp &	point,
		RandomNumberGenerator &	rng,
		std::vector< BigInt > &	ws
	)

Definition at line 193 of file point_mul.cpp.

                                                                                     :
    m_curve(point.get_curve()),
    m_p_words(m_curve.get_p().sig_words()),
    m_window_bits(4)
    {
    if(ws.size() < PointGFp::WORKSPACE_SIZE)
       ws.resize(PointGFp::WORKSPACE_SIZE);
 
    std::vector<PointGFp> U(static_cast<size_t>(1) << m_window_bits);
    U[0] = point.zero();
    U[1] = point;
 
    for(size_t i = 2; i < U.size(); i += 2)
       {
       U[i] = U[i/2].double_of(ws);
       U[i+1] = U[i].plus(point, ws);
       }
 
    // Hack to handle Blinded_Point_Multiply
    if(rng.is_seeded())
       {
       BigInt& mask = ws[0];
       BigInt& mask2 = ws[1];
       BigInt& mask3 = ws[2];
       BigInt& new_x = ws[3];
       BigInt& new_y = ws[4];
       BigInt& new_z = ws[5];
       secure_vector<word>& tmp = ws[6].get_word_vector();
 
       const CurveGFp& curve = U[0].get_curve();
 
       const size_t p_bits = curve.get_p().bits();
 
       // Skipping zero point since it can't be randomized
       for(size_t i = 1; i != U.size(); ++i)
          {
          mask.randomize(rng, p_bits - 1, false);
          // Easy way of ensuring mask != 0
          mask.set_bit(0);
 
          curve.sqr(mask2, mask, tmp);
          curve.mul(mask3, mask, mask2, tmp);
 
          curve.mul(new_x, U[i].get_x(), mask2, tmp);
          curve.mul(new_y, U[i].get_y(), mask3, tmp);
          curve.mul(new_z, U[i].get_z(), mask, tmp);
 
          U[i].swap_coords(new_x, new_y, new_z);
          }
       }
 
    m_T.resize(U.size() * 3 * m_p_words);
 
    word* p = &m_T[0];
    for(size_t i = 0; i != U.size(); ++i)
       {
       U[i].get_x().encode_words(p              , m_p_words);
       U[i].get_y().encode_words(p +   m_p_words, m_p_words);
       U[i].get_z().encode_words(p + 2*m_p_words, m_p_words);
       p += 3*m_p_words;
       }
    }

Member Function Documentation

◆ mul()

PointGFp Botan::PointGFp_Var_Point_Precompute::mul	(	const BigInt &	k,
		RandomNumberGenerator &	rng,
		const BigInt &	group_order,
		std::vector< BigInt > &	ws
	)		const

Definition at line 258 of file point_mul.cpp.

    {
    if(k.is_negative())
       throw Invalid_Argument("PointGFp_Var_Point_Precompute scalar must be positive");
    if(ws.size() < PointGFp::WORKSPACE_SIZE)
       ws.resize(PointGFp::WORKSPACE_SIZE);
 
    // Choose a small mask m and use k' = k + m*order (Coron's 1st countermeasure)
    const BigInt mask(rng, PointGFp_SCALAR_BLINDING_BITS, false);
    const BigInt scalar = k + group_order * mask;
 
    const size_t elem_size = 3*m_p_words;
    const size_t window_elems = (1ULL << m_window_bits);
 
    size_t windows = round_up(scalar.bits(), m_window_bits) / m_window_bits;
    PointGFp R(m_curve);
    secure_vector<word> e(elem_size);
 
    if(windows > 0)
       {
       windows--;
 
       const uint32_t w = scalar.get_substring(windows*m_window_bits, m_window_bits);
 
       clear_mem(e.data(), e.size());
       for(size_t i = 1; i != window_elems; ++i)
          {
          const auto wmask = CT::Mask<word>::is_equal(w, i);
 
          for(size_t j = 0; j != elem_size; ++j)
             {
             e[j] |= wmask.if_set_return(m_T[i * elem_size + j]);
             }
          }
 
       R.add(&e[0], m_p_words, &e[m_p_words], m_p_words, &e[2*m_p_words], m_p_words, ws);
 
       /*
       Randomize after adding the first nibble as before the addition R
       is zero, and we cannot effectively randomize the point
       representation of the zero point.
       */
       R.randomize_repr(rng, ws[0].get_word_vector());
       }
 
    while(windows)
       {
       R.mult2i(m_window_bits, ws);
 
       const uint32_t w = scalar.get_substring((windows-1)*m_window_bits, m_window_bits);
 
       clear_mem(e.data(), e.size());
       for(size_t i = 1; i != window_elems; ++i)
          {
          const auto wmask = CT::Mask<word>::is_equal(w, i);
 
          for(size_t j = 0; j != elem_size; ++j)
             {
             e[j] |= wmask.if_set_return(m_T[i * elem_size + j]);
             }
          }
 
       R.add(&e[0], m_p_words, &e[m_p_words], m_p_words, &e[2*m_p_words], m_p_words, ws);
 
       windows--;
       }
 
    BOTAN_DEBUG_ASSERT(R.on_the_curve());
 
    return R;
    }

References BOTAN_DEBUG_ASSERT, Botan::clear_mem(), e, Botan::elem_size, Botan::CT::Mask< T >::is_equal(), Botan::rng, Botan::round_up(), scalar, and Botan::ws.

The documentation for this class was generated from the following files:

src/lib/pubkey/ec_group/point_mul.h
src/lib/pubkey/ec_group/point_mul.cpp

Public Member Functions

Detailed Description

Constructor & Destructor Documentation

◆ PointGFp_Var_Point_Precompute()

Member Function Documentation

◆ mul()