Botan 3.11.0
Crypto and TLS for C&
Public Types | Public Member Functions | Static Public Attributes | List of all members
Botan::VartimeMul2Table< C, W > Class Template Referencefinal

#include <pcurves_impl.h>

Public Types

using AffinePoint = typename C::AffinePoint
using ProjectivePoint = typename C::ProjectivePoint
using Scalar = typename C::Scalar

Public Member Functions

ProjectivePoint mul2_vartime (const Scalar &s1, const Scalar &s2) const
 VartimeMul2Table (const AffinePoint &p, const AffinePoint &q)

Static Public Attributes

static constexpr size_t WindowBits = W

Detailed Description

template<typename C, size_t W>
class Botan::VartimeMul2Table< C, W >

Definition at line 1565 of file pcurves_impl.h.

Member Typedef Documentation

◆ AffinePoint

template<typename C, size_t W>
using Botan::VartimeMul2Table< C, W >::AffinePoint = typename C::AffinePoint

Definition at line 1573 of file pcurves_impl.h.

◆ ProjectivePoint

template<typename C, size_t W>
using Botan::VartimeMul2Table< C, W >::ProjectivePoint = typename C::ProjectivePoint

Definition at line 1574 of file pcurves_impl.h.

◆ Scalar

template<typename C, size_t W>
using Botan::VartimeMul2Table< C, W >::Scalar = typename C::Scalar

Definition at line 1572 of file pcurves_impl.h.

Constructor & Destructor Documentation

◆ VartimeMul2Table()

template<typename C, size_t W>
Botan::VartimeMul2Table< C, W >::VartimeMul2Table ( const AffinePoint & p,
const AffinePoint & q )
inline

Definition at line 1576 of file pcurves_impl.h.

1576 :
1577 m_table(to_affine_batch<C, true>(mul2_setup<C, W>(p, q))) {}

References Botan::mul2_setup(), and Botan::to_affine_batch().

Member Function Documentation

◆ mul2_vartime()

template<typename C, size_t W>
ProjectivePoint Botan::VartimeMul2Table< C, W >::mul2_vartime ( const Scalar & s1,
const Scalar & s2 ) const
inline

Variable time 2-ary multiplication

A common use of 2-ary multiplication is when verifying the commitments of an elliptic curve signature. Since in this case the inputs are all public, there is no problem with variable time computation.

TODO in the future we could use joint sparse form here.

Definition at line 1588 of file pcurves_impl.h.

1588 {
1589 constexpr size_t Windows = (Scalar::BITS + WindowBits - 1) / WindowBits;
1590
1591 const UnblindedScalarBits<C, W> bits1(s1);
1592 const UnblindedScalarBits<C, W> bits2(s2);
1593
1594 const bool s1_is_zero = s1.is_zero().as_bool();
1595 const bool s2_is_zero = s2.is_zero().as_bool();
1596
1597 // Conditional ok: this function is variable time
1598 if(s1_is_zero && s2_is_zero) {
1599 return ProjectivePoint::identity();
1600 }
1601
1602 auto [w_0, first_nonempty_window] = [&]() {
1603 for(size_t i = 0; i != Windows; ++i) {
1604 const size_t w_1 = bits1.get_window((Windows - i - 1) * WindowBits);
1605 const size_t w_2 = bits2.get_window((Windows - i - 1) * WindowBits);
1606 const size_t window = w_1 + (w_2 << WindowBits);
1607 // Conditional ok: this function is variable time
1608 if(window > 0) {
1609 return std::make_pair(window, i);
1610 }
1611 }
1612 // We checked for s1 == s2 == 0 above, so we must see a window eventually
1613 BOTAN_ASSERT_UNREACHABLE();
1614 }();
1615
1616 BOTAN_ASSERT_NOMSG(w_0 > 0);
1617 auto accum = ProjectivePoint::from_affine(m_table[w_0 - 1]);
1618
1619 for(size_t i = first_nonempty_window + 1; i < Windows; ++i) {
1620 accum = accum.dbl_n(WindowBits);
1621
1622 const size_t w_1 = bits1.get_window((Windows - i - 1) * WindowBits);
1623 const size_t w_2 = bits2.get_window((Windows - i - 1) * WindowBits);
1624
1625 const size_t window = w_1 + (w_2 << WindowBits);
1626
1627 // Conditional ok: this function is variable time
1628 if(window > 0) {
1629 accum += m_table[window - 1];
1630 }
1631 }
1632
1633 return accum;
1634 }
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
BOTAN_ASSERT_UNREACHABLE
#define BOTAN_ASSERT_UNREACHABLE()
Definition assert.h:163
Botan::VartimeMul2Table::WindowBits
static constexpr size_t WindowBits
Definition pcurves_impl.h:1570

References BOTAN_ASSERT_NOMSG, BOTAN_ASSERT_UNREACHABLE, Botan::UnblindedScalarBits< C, WindowBits >::get_window(), and WindowBits.

Member Data Documentation

◆ WindowBits

template<typename C, size_t W>
size_t Botan::VartimeMul2Table< C, W >::WindowBits = W
staticconstexpr

Definition at line 1570 of file pcurves_impl.h.

Referenced by mul2_vartime().

The documentation for this class was generated from the following file:
Generated by doxygen 1.15.0