Botan::Scalar448 Class Reference (final)

Representation of a scalar for X448. More...

#include <curve448_scalar.h>

Public Member Functions

bool get_bit (size_t i) const
 Access the i-th bit of the scalar. From 0 (lsb) to 445 (msb).
uint32_t get_window (size_t starting_pos, size_t width) const
 Extract a window of width bits starting at bit position starting_pos. Bits beyond position 445 are treated as zero.
Scalar448 operator* (const Scalar448 &other) const
 scalar = (scalar * other) mod L
Scalar448 operator+ (const Scalar448 &other) const
 scalar = (scalar + other) mod L
 Scalar448 (std::span< const uint8_t > x)
 Construct a new scalar from at most 114 bytes, interpreted as a little-endian integer.
template<size_t S = BYTES>
requires (S >= BYTES)
std::array< uint8_t, S > to_bytes () const
 Convert the scalar to bytes in little endian.

Static Public Member Functions

static bool bytes_are_reduced (std::span< const uint8_t > x)

Static Public Attributes

static constexpr size_t BYTES = ceil_tobytes<size_t>(446)
static constexpr size_t WORDS = words_for_bits(446)

Detailed Description

Representation of a scalar for X448.

The scalar is an element s with 0 <= s < L, where L is the group order of X448. The constructor and all operations on scalars reduce the element mod L internally. All operations are constant time.

L = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885 (RFC 7748, Section 4.2)

Definition at line 34 of file curve448_scalar.h.

Constructor & Destructor Documentation

◆ Scalar448()

explicit Botan::Scalar448::Scalar448(std::span<const uint8_t> x)

Construct a new scalar from at most 114 bytes, interpreted as a little-endian integer; the value is reduced mod L.

Definition at line 148 of file curve448_scalar.cpp.

148 {
149 BOTAN_ARG_CHECK(in_bytes.size() <= 114, "Input must be at most 114 bytes long");
150 std::array<uint8_t, 114> max_bytes = {0};
151 copy_mem(std::span(max_bytes).first(in_bytes.size()), in_bytes);
152
153 const auto x_words = bytes_to_words(std::span<const uint8_t, 114>(max_bytes));
154 m_scalar_words = ct_reduce_mod_L(x_words);
155}
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33
constexpr auto bytes_to_words(std::span< const uint8_t, L > bytes)
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:144

References BOTAN_ARG_CHECK, Botan::bytes_to_words(), and Botan::copy_mem().

Referenced by operator*(), and operator+().

Member Function Documentation

◆ bytes_are_reduced()

static bool Botan::Scalar448::bytes_are_reduced(std::span<const uint8_t> x)
Returns
true iff x < L, i.e. the little-endian encoding in x is already reduced mod L. x must be at least BYTES long; any bytes beyond the first BYTES must be zero for the result to be true.

Definition at line 211 of file curve448_scalar.cpp.

211 {
212 BOTAN_ARG_CHECK(x.size() >= BYTES, "Input is not long enough (at least 446 bits)");
213 // remember: `x` contains a big int in little-endian
214 const auto leading_zeros = x.subspan(BYTES);
215 const auto leading_zeros_are_zero = CT::all_zeros(leading_zeros.data(), leading_zeros.size());
216 auto x_sig_words = bytes_to_words(x.first<56>());
217 const auto least_56_bytes_smaller_L = CT::Mask<uint8_t>::from_choice(!ct_subtract_L_if_bigger(x_sig_words));
218 return (leading_zeros_are_zero & least_56_bytes_smaller_L).as_bool();
219}
static constexpr Mask< T > from_choice(Choice c)
Definition ct_utils.h:402
static constexpr size_t BYTES
constexpr CT::Mask< T > all_zeros(const T elem[], size_t len)
Definition ct_utils.h:785

References Botan::CT::all_zeros(), BOTAN_ARG_CHECK, BYTES, Botan::bytes_to_words(), and Botan::CT::Mask< T >::from_choice().

Referenced by Botan::verify_signature().

◆ get_bit()

bool Botan::Scalar448::get_bit ( size_t i) const

Access the i-th bit of the scalar. From 0 (lsb) to 445 (msb).

Definition at line 157 of file curve448_scalar.cpp.

157 {
158 BOTAN_ARG_CHECK(bit_pos < 446, "Bit position out of range");
159 constexpr size_t word_sz = sizeof(word) * 8;
160 return (((m_scalar_words[bit_pos / word_sz] >> (bit_pos % word_sz)) & 1) == 1);
161}
std::conditional_t< HasNative64BitRegisters, std::uint64_t, uint32_t > word
Definition types.h:119

References BOTAN_ARG_CHECK.

◆ get_window()

uint32_t Botan::Scalar448::get_window(size_t starting_pos, size_t width) const

Extract a window of width bits (width at most 32) starting at bit position starting_pos. Bits beyond position 445 are treated as zero.

Definition at line 163 of file curve448_scalar.cpp.

163 {
164 BOTAN_ARG_CHECK(width <= 32, "Window too wide");
165 constexpr size_t word_sz = sizeof(word) * 8;
166
167 // Bits at or beyond position 446 are zero
168 if(starting_pos >= 446) {
169 return 0;
170 }
171
172 // Clamp the effective width so we don't read past bit 445
173 const size_t effective_bits = std::min(width, size_t(446) - starting_pos);
174
175 const size_t word_idx = starting_pos / word_sz;
176 const size_t bit_idx = starting_pos % word_sz;
177
178 const uint64_t mask = (effective_bits >= 64) ? ~uint64_t(0) : (uint64_t(1) << effective_bits) - 1;
179
180 uint64_t val = m_scalar_words[word_idx] >> bit_idx;
181 if(bit_idx + effective_bits > word_sz && word_idx + 1 < WORDS) {
182 val |= m_scalar_words[word_idx + 1] << (word_sz - bit_idx);
183 }
184
185 return static_cast<uint32_t>(val & mask);
186}
static constexpr size_t WORDS

References BOTAN_ARG_CHECK, and WORDS.

Referenced by Botan::Ed448Point::base_point_mul(), Botan::Ed448Point::double_scalar_mul_vartime(), and Botan::Ed448Point::scalar_mul().

◆ operator*()

Scalar448 Botan::Scalar448::operator*(const Scalar448& other) const

scalar = (scalar * other) mod L

Definition at line 194 of file curve448_scalar.cpp.

194 {
195 std::array<word, WORDS_REDUCE_SZ> product = {0};
196 std::array<word, WORDS_REDUCE_SZ> ws = {0};
197 bigint_mul(product.data(),
198 product.size(),
199 m_scalar_words.data(),
200 m_scalar_words.size(),
201 m_scalar_words.size(),
202 other.m_scalar_words.data(),
203 other.m_scalar_words.size(),
204 other.m_scalar_words.size(),
205 ws.data(),
206 ws.size());
207
208 return Scalar448(ct_reduce_mod_L(product));
209}
Scalar448(std::span< const uint8_t > x)
Construct a new scalar from (max. 114) bytes. Little endian.
void bigint_mul(word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, const word y[], size_t y_size, size_t y_sw, word workspace[], size_t ws_size)
Definition mp_karat.cpp:283

References Botan::bigint_mul(), and Scalar448().

◆ operator+()

Scalar448 Botan::Scalar448::operator+(const Scalar448& other) const

scalar = (scalar + other) mod L

Definition at line 188 of file curve448_scalar.cpp.

188 {
189 auto sum = add(m_scalar_words, other.m_scalar_words);
190 ct_subtract_L_if_bigger(sum);
191 return Scalar448(sum);
192}

References Scalar448().

◆ to_bytes()

template<size_t S = BYTES>
requires (S >= BYTES)
inline std::array<uint8_t, S> Botan::Scalar448::to_bytes() const

Convert the scalar to S bytes in little-endian order; the first BYTES bytes hold the scalar and any remaining bytes are zero.

Definition at line 44 of file curve448_scalar.h.

46 {
47 std::array<uint8_t, S> result = {0};
48 store_le(std::span(result).template first<BYTES>(), m_scalar_words);
49 return result;
50 }
constexpr auto store_le(ParamTs &&... params)
Definition loadstor.h:736

References BYTES, and Botan::store_le().

Member Data Documentation

◆ BYTES

static constexpr size_t Botan::Scalar448::BYTES = ceil_tobytes<size_t>(446)

Definition at line 37 of file curve448_scalar.h.

Referenced by bytes_are_reduced(), and to_bytes().

◆ WORDS

static constexpr size_t Botan::Scalar448::WORDS = words_for_bits(446)

Definition at line 36 of file curve448_scalar.h.

Referenced by get_window().

