Botan 3.6.1
Crypto and TLS for C&
curve448_scalar.cpp
Go to the documentation of this file.
1/*
2 * Ed448 Scalar
3 * (C) 2024 Jack Lloyd
4 * 2024 Fabian Albert - Rohde & Schwarz Cybersecurity
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8#include <botan/internal/curve448_scalar.h>
9
10#include <botan/internal/ct_utils.h>
11#include <botan/internal/mp_core.h>
12
13namespace Botan {
14
15namespace {
16constexpr size_t WORDS_REDUCE_SZ = words_for_bits(114 * 8);
17constexpr size_t WORDS_C = words_for_bits(28 * 8);
18
19/// @return (q,r) so that x = q*2^446 + r, r < L
20template <size_t S>
21auto div_mod_2_446(std::span<const word, S> x) {
22 if constexpr(S < Scalar448::WORDS) {
23 std::array<word, Scalar448::WORDS> r = {0};
24 copy_mem(std::span(r).template first<S>(), x);
25 return std::make_pair(std::array<word, 1>({0}), r);
26 } else {
27 std::array<word, Scalar448::WORDS> r;
28 copy_mem(r, std::span(x).template first<Scalar448::WORDS>());
29 // Clear the two most significant bits
30 r[Scalar448::WORDS - 1] &= ~(word(0b11) << (sizeof(word) * 8 - 2));
31
32 std::array<word, S - Scalar448::WORDS + 1> q;
33 bigint_shr2(q.data(), x.data(), x.size(), 446);
34
35 return std::make_pair(q, r);
36 }
37}
38
39/// @return a word array for c = 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d
40consteval std::array<word, WORDS_C> c_words() {
41 const std::array<uint8_t, WORDS_C * sizeof(word)> c_bytes{0x0d, 0xbb, 0xa7, 0x54, 0x6d, 0x3d, 0x87, 0xdc, 0xaa, 0x70,
42 0x3a, 0x72, 0x8d, 0x3d, 0x93, 0xde, 0x6f, 0xc9, 0x29, 0x51,
43 0xb6, 0x24, 0xb1, 0x3b, 0x16, 0xdc, 0x35, 0x83};
44 return load_le<std::array<word, WORDS_C>>(c_bytes);
45}
46
47/// @return a word array for L = 2^446 - 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d
48consteval std::array<word, Scalar448::WORDS> big_l_words() {
49 const std::array<uint8_t, Scalar448::WORDS * sizeof(word)> big_l_bytes{
50 0xf3, 0x44, 0x58, 0xab, 0x92, 0xc2, 0x78, 0x23, 0x55, 0x8f, 0xc5, 0x8d, 0x72, 0xc2, 0x6c, 0x21, 0x90, 0x36, 0xd6,
51 0xae, 0x49, 0xdb, 0x4e, 0xc4, 0xe9, 0x23, 0xca, 0x7c, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
52 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f};
53 return load_le<std::array<word, Scalar448::WORDS>>(big_l_bytes);
54}
55
56/// @return c*x, with c = 0x8335dc163bb124b65129c96fde933d8d723a70aadc873d6d54a7bb0d
57template <size_t S>
58std::array<word, S + WORDS_C> mul_c(std::span<const word, S> x) {
59 std::array<word, S + WORDS_C> res;
60 std::array<word, S + WORDS_C> ws;
61 constexpr std::array<word, WORDS_C> c = c_words();
62 bigint_mul(res.data(), res.size(), x.data(), x.size(), x.size(), c.data(), c.size(), c.size(), ws.data(), ws.size());
63
64 return res;
65}
66
67/**
68 * @brief Add two numbers. Requires that the result is smaller than 2^448.
69 */
70std::array<word, Scalar448::WORDS> add(std::span<const word, Scalar448::WORDS> x,
71 std::span<const word, Scalar448::WORDS> y) {
72 std::array<word, Scalar448::WORDS> res;
73 copy_mem(res, x);
74 const word carry = bigint_add2_nc(res.data(), res.size(), y.data(), y.size());
75 CT::unpoison(carry);
76 BOTAN_ASSERT(carry == 0, "Result fits in output");
77 return res;
78}
79
80/**
81 * @brief x = (x >= L) ? x - L : x. Constant time.
82 *
83 * @return true iff a reduction was performed
84 */
85bool ct_subtract_L_if_bigger(std::span<word, Scalar448::WORDS> x) {
86 std::array<word, Scalar448::WORDS> tmp;
87 copy_mem(tmp, x);
88 constexpr auto big_l = big_l_words();
89
90 const word borrow = bigint_sub2(tmp.data(), tmp.size(), big_l.data(), big_l.size());
91 const auto smaller_than_L = CT::Mask<word>::expand(borrow);
92 smaller_than_L.select_n(x.data(), x.data(), tmp.data(), Scalar448::WORDS);
93
94 return !smaller_than_L.as_bool();
95}
96
97template <size_t S>
98std::array<word, words_for_bits(S * 8)> bytes_to_words(std::span<const uint8_t, S> x) {
99 constexpr size_t words = words_for_bits(S * 8);
100 std::array<uint8_t, words * sizeof(word)> x_word_bytes = {0};
101 copy_mem(std::span(x_word_bytes).template first<S>(), x);
102 return load_le<std::array<word, words>>(x_word_bytes);
103}
104
105/**
106 * @brief Reduce a 114 byte number (little endian) modulo L.
107 *
108 * L = 2^446 - 13818066809895115352007386748515426880336692474882178609894547503885
109 * as defined in RFC 8032 5.2. The reduction is performed using the algorithm
110 * described in the "Handbook of Applied Cryptography" Algorithm 14.47. for
111 * m = b^t - c, with b^7 = 2^446 and c = 1381...85
112 */
113std::array<word, Scalar448::WORDS> ct_reduce_mod_L(const std::array<word, WORDS_REDUCE_SZ> x) {
114 const auto [q_0, r_0] = div_mod_2_446(std::span(x));
115
116 auto r = r_0;
117 // Three iterations are required. This is tested using the biggest possible input.
118 // i = 0:
119 const auto q_0_c = mul_c(std::span(q_0));
120 const auto [q_1, r_1] = div_mod_2_446(std::span(q_0_c));
121 r = add(r, r_1);
122
123 // i = 1
124 const auto q_1_c = mul_c(std::span(q_1));
125 const auto [q_2, r_2] = div_mod_2_446(std::span(q_1_c));
126 r = add(r, r_2);
127
128 // i = 2
129 const auto q_2_c = mul_c(std::span(q_2));
130 const auto [q_3, r_3] = div_mod_2_446(std::span(q_2_c));
131 r = add(r, r_3);
132
133 BOTAN_ASSERT_NOMSG(CT::all_zeros(q_3.data(), q_3.size()).as_bool());
134
135 // Note that r is maximal 4*(2^446 - 1) < 2^448. Therefore, the addition did not overflow.
136 // Also, this means that subtracting L 4 times (at most) will bring r into the range [0, L), since
137 // 4*(2^446 - 1) - 4*(2^446 - c) = 4*(c - 1) < L.
138 for(size_t i = 0; i < 4; ++i) {
139 ct_subtract_L_if_bigger(r);
140 }
141
142 return r;
143}
144
145} // namespace
146
147Scalar448::Scalar448(std::span<const uint8_t> in_bytes) {
148 BOTAN_ARG_CHECK(in_bytes.size() <= 114, "Input must be at most 114 bytes long");
149 std::array<uint8_t, 114> max_bytes = {0};
150 copy_mem(std::span(max_bytes).first(in_bytes.size()), in_bytes);
151
152 const auto x_words = bytes_to_words(std::span<const uint8_t, 114>(max_bytes));
153 m_scalar_words = ct_reduce_mod_L(x_words);
154}
155
156bool Scalar448::get_bit(size_t bit_pos) const {
157 BOTAN_ARG_CHECK(bit_pos < 446, "Bit position out of range");
158 constexpr size_t word_sz = sizeof(word) * 8;
159 return (m_scalar_words[bit_pos / word_sz] >> (bit_pos % word_sz)) & 1;
160}
161
162Scalar448 Scalar448::operator+(const Scalar448& other) const {
163 auto sum = add(m_scalar_words, other.m_scalar_words);
164 ct_subtract_L_if_bigger(sum);
165 return Scalar448(sum);
166}
167
168Scalar448 Scalar448::operator*(const Scalar448& other) const {
169 std::array<word, WORDS_REDUCE_SZ> product = {0};
170 std::array<word, WORDS_REDUCE_SZ> ws = {0};
171 bigint_mul(product.data(),
172 product.size(),
173 m_scalar_words.data(),
174 m_scalar_words.size(),
175 m_scalar_words.size(),
176 other.m_scalar_words.data(),
177 other.m_scalar_words.size(),
178 other.m_scalar_words.size(),
179 ws.data(),
180 ws.size());
181
182 return Scalar448(ct_reduce_mod_L(product));
183}
184
185bool Scalar448::bytes_are_reduced(std::span<const uint8_t> x) {
186 BOTAN_ARG_CHECK(x.size() >= BYTES, "Input is not long enough (at least 446 bits)");
187 // remember: `x` contains a big int in little-endian
188 const auto leading_zeros = x.subspan(BYTES);
189 const auto leading_zeros_are_zero = CT::all_zeros(leading_zeros.data(), leading_zeros.size());
190 auto x_sig_words = bytes_to_words(x.first<56>());
191 const auto least_56_bytes_smaller_L = CT::Mask<uint8_t>::expand(!ct_subtract_L_if_bigger(x_sig_words));
192 return (leading_zeros_are_zero & least_56_bytes_smaller_L).as_bool();
193}
194
195} // namespace Botan
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:50
Botan::CT::Mask::expand
static constexpr Mask< T > expand(T v)
Definition ct_utils.h:389
Botan::Scalar448
Representation of a scalar for X448.
Definition curve448_scalar.h:34
Botan::Scalar448::operator+
Scalar448 operator+(const Scalar448 &other) const
scalar = (scalar + other) mod L
Definition curve448_scalar.cpp:162
Botan::Scalar448::Scalar448
Scalar448(std::span< const uint8_t > x)
Construct a new scalar from (max. 114) bytes. Little endian.
Definition curve448_scalar.cpp:147
Botan::Scalar448::WORDS
static constexpr size_t WORDS
Definition curve448_scalar.h:36
Botan::Scalar448::bytes_are_reduced
static bool bytes_are_reduced(std::span< const uint8_t > x)
Definition curve448_scalar.cpp:185
Botan::Scalar448::BYTES
static constexpr size_t BYTES
Definition curve448_scalar.h:37
Botan::Scalar448::get_bit
bool get_bit(size_t i) const
Access the i-th bit of the scalar. From 0 (lsb) to 445 (msb).
Definition curve448_scalar.cpp:156
Botan::Scalar448::operator*
Scalar448 operator*(const Scalar448 &other) const
scalar = (scalar * other) mod L
Definition curve448_scalar.cpp:168
Botan::CT::unpoison
constexpr void unpoison(const T *p, size_t n)
Definition ct_utils.h:64
Botan::CT::all_zeros
constexpr CT::Mask< T > all_zeros(const T elem[], size_t len)
Definition ct_utils.h:746
Botan::bigint_shr2
constexpr void bigint_shr2(W y[], const W x[], size_t x_size, size_t shift)
Definition mp_core.h:528
Botan::words_for_bits
constexpr size_t words_for_bits(size_t x)
Definition curve448_scalar.h:18
Botan::bigint_mul
void bigint_mul(word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, const word y[], size_t y_size, size_t y_sw, word workspace[], size_t ws_size)
Definition mp_karat.cpp:282
Botan::carry
void carry(int64_t &h0, int64_t &h1)
Definition ed25519_internal.h:28
Botan::load_le
constexpr auto load_le(ParamTs &&... params)
Definition loadstor.h:521
Botan::bigint_sub2
constexpr auto bigint_sub2(W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:291
Botan::bigint_add2_nc
constexpr auto bigint_add2_nc(W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:206
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:146
Generated by doxygen 1.12.0