Botan 3.12.0
Crypto and TLS for C&
ec_inner_bn.cpp
Go to the documentation of this file.
1/*
2* (C) 2024 Jack Lloyd
3*
4* Botan is released under the Simplified BSD License (see license.txt)
5*/
6
7#include <botan/internal/ec_inner_bn.h>
8
9#include <botan/mem_ops.h>
10#include <botan/internal/buffer_stuffer.h>
11#include <botan/internal/mod_inv.h>
12
13namespace Botan {
14
15const EC_Scalar_Data_BN& EC_Scalar_Data_BN::checked_ref(const EC_Scalar_Data& data) {
16 const auto* p = dynamic_cast<const EC_Scalar_Data_BN*>(&data);
17 if(p == nullptr) {
18 throw Invalid_State("Failed conversion to EC_Scalar_Data_BN");
19 }
20 return *p;
21}
22
23const std::shared_ptr<const EC_Group_Data>& EC_Scalar_Data_BN::group() const {
24 return m_group;
25}
26
27size_t EC_Scalar_Data_BN::bytes() const {
28 return this->group()->order_bytes();
29}
30
31std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::clone() const {
32 return std::make_unique<EC_Scalar_Data_BN>(this->group(), this->value());
33}
34
35bool EC_Scalar_Data_BN::is_zero() const {
36 return this->value().is_zero();
37}
38
39bool EC_Scalar_Data_BN::is_eq(const EC_Scalar_Data& other) const {
40 return (value() == checked_ref(other).value());
41}
42
43void EC_Scalar_Data_BN::assign(const EC_Scalar_Data& other) {
44 m_v = checked_ref(other).value();
45}
46
47void EC_Scalar_Data_BN::zeroize() {
48 // BigInt stores its value in a secure_vector, after swapping the existing
49 // value will go out of scope (inside `zero`) and be wiped properly.
50 BigInt zero;
51 std::swap(m_v, zero);
52}
53
54void EC_Scalar_Data_BN::square_self() {
55 m_group->mod_order().square(m_v);
56}
57
58std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::negate() const {
59 return std::make_unique<EC_Scalar_Data_BN>(m_group, m_group->mod_order().reduce(m_group->order() - m_v));
60}
61
62std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::invert() const {
63 if(m_v.is_zero()) {
64 return std::make_unique<EC_Scalar_Data_BN>(m_group, m_v);
65 } else {
66 return std::make_unique<EC_Scalar_Data_BN>(m_group, inverse_mod_public_prime(m_v, m_group->order()));
67 }
68}
69
70std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::invert_vartime() const {
71 if(m_v.is_zero()) {
72 return std::make_unique<EC_Scalar_Data_BN>(m_group, m_v);
73 } else {
74 return std::make_unique<EC_Scalar_Data_BN>(m_group, inverse_mod_public_prime(m_v, m_group->order()));
75 }
76}
77
78std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::add(const EC_Scalar_Data& other) const {
79 return std::make_unique<EC_Scalar_Data_BN>(m_group, m_group->mod_order().reduce(m_v + checked_ref(other).value()));
80}
81
82std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::sub(const EC_Scalar_Data& other) const {
83 return std::make_unique<EC_Scalar_Data_BN>(
84 m_group, m_group->mod_order().reduce(m_v + (m_group->order() - checked_ref(other).value())));
85}
86
87std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::mul(const EC_Scalar_Data& other) const {
88 return std::make_unique<EC_Scalar_Data_BN>(m_group, m_group->mod_order().multiply(m_v, checked_ref(other).value()));
89}
90
91void EC_Scalar_Data_BN::serialize_to(std::span<uint8_t> bytes) const {
92 BOTAN_ARG_CHECK(bytes.size() == m_group->order_bytes(), "Invalid output length");
93 m_v.serialize_to(bytes);
94}
95
96EC_AffinePoint_Data_BN::EC_AffinePoint_Data_BN(std::shared_ptr<const EC_Group_Data> group, EC_Point pt) :
97 m_group(std::move(group)), m_pt(std::move(pt)) {
98 if(!m_pt.is_zero()) {
99 m_pt.force_affine();
100 m_xy = m_pt.xy_bytes();
101 }
102}
103
104std::unique_ptr<EC_AffinePoint_Data> EC_AffinePoint_Data_BN::clone() const {
105 return std::make_unique<EC_AffinePoint_Data_BN>(m_group, m_pt);
106}
107
108const std::shared_ptr<const EC_Group_Data>& EC_AffinePoint_Data_BN::group() const {
109 return m_group;
110}
111
112std::unique_ptr<EC_AffinePoint_Data> EC_AffinePoint_Data_BN::mul(const EC_Scalar_Data& scalar,
113 RandomNumberGenerator& rng) const {
114 BOTAN_ARG_CHECK(scalar.group() == m_group, "Curve mismatch");
115 const auto& bn = EC_Scalar_Data_BN::checked_ref(scalar);
116
117 std::vector<BigInt> ws;
118 const EC_Point_Var_Point_Precompute mul(m_pt, rng, ws);
119
120 // We pass order*cofactor here to "correctly" handle the case where the
121 // point is on the curve but not in the prime order subgroup. This only
122 // matters for groups with cofactor > 1
123 // See https://github.com/randombit/botan/issues/3800
124
125 const auto order = m_group->order() * m_group->cofactor();
126 auto pt = mul.mul(bn.value(), rng, order, ws);
127 return std::make_unique<EC_AffinePoint_Data_BN>(m_group, std::move(pt));
128}
129
130secure_vector<uint8_t> EC_AffinePoint_Data_BN::mul_x_only(const EC_Scalar_Data& scalar,
131 RandomNumberGenerator& rng) const {
132 BOTAN_ARG_CHECK(scalar.group() == m_group, "Curve mismatch");
133 const auto& bn = EC_Scalar_Data_BN::checked_ref(scalar);
134
135 std::vector<BigInt> ws;
136 const EC_Point_Var_Point_Precompute mul(m_pt, rng, ws);
137
138 // We pass order*cofactor here to "correctly" handle the case where the
139 // point is on the curve but not in the prime order subgroup. This only
140 // matters for groups with cofactor > 1
141 // See https://github.com/randombit/botan/issues/3800
142
143 const auto order = m_group->order() * m_group->cofactor();
144 auto pt = mul.mul(bn.value(), rng, order, ws);
145 return pt.x_bytes();
146}
147
148size_t EC_AffinePoint_Data_BN::field_element_bytes() const {
149 return m_group->p_bytes();
150}
151
152bool EC_AffinePoint_Data_BN::is_identity() const {
153 return m_xy.empty();
154}
155
156void EC_AffinePoint_Data_BN::serialize_x_to(std::span<uint8_t> bytes) const {
157 BOTAN_STATE_CHECK(!this->is_identity());
158 const size_t fe_bytes = this->field_element_bytes();
159 BOTAN_ARG_CHECK(bytes.size() == fe_bytes, "Invalid output size");
160 copy_mem(bytes, std::span{m_xy}.first(fe_bytes));
161}
162
163void EC_AffinePoint_Data_BN::serialize_y_to(std::span<uint8_t> bytes) const {
164 BOTAN_STATE_CHECK(!this->is_identity());
165 const size_t fe_bytes = this->field_element_bytes();
166 BOTAN_ARG_CHECK(bytes.size() == fe_bytes, "Invalid output size");
167 copy_mem(bytes, std::span{m_xy}.last(fe_bytes));
168}
169
170void EC_AffinePoint_Data_BN::serialize_xy_to(std::span<uint8_t> bytes) const {
171 BOTAN_STATE_CHECK(!this->is_identity());
172 const size_t fe_bytes = this->field_element_bytes();
173 BOTAN_ARG_CHECK(bytes.size() == 2 * fe_bytes, "Invalid output size");
174 copy_mem(bytes, m_xy);
175}
176
177void EC_AffinePoint_Data_BN::serialize_compressed_to(std::span<uint8_t> bytes) const {
178 BOTAN_STATE_CHECK(!this->is_identity());
179 const size_t fe_bytes = this->field_element_bytes();
180 BOTAN_ARG_CHECK(bytes.size() == 1 + fe_bytes, "Invalid output size");
181 const bool y_is_odd = (m_xy[m_xy.size() - 1] & 0x01) == 0x01;
182
183 BufferStuffer stuffer(bytes);
184 stuffer.append(y_is_odd ? 0x03 : 0x02);
185 serialize_x_to(stuffer.next(fe_bytes));
186}
187
188void EC_AffinePoint_Data_BN::serialize_uncompressed_to(std::span<uint8_t> bytes) const {
189 BOTAN_STATE_CHECK(!this->is_identity());
190 const size_t fe_bytes = this->field_element_bytes();
191 BOTAN_ARG_CHECK(bytes.size() == 1 + 2 * fe_bytes, "Invalid output size");
192 BufferStuffer stuffer(bytes);
193 stuffer.append(0x04);
194 stuffer.append(m_xy);
195}
196
197EC_Mul2Table_Data_BN::EC_Mul2Table_Data_BN(const EC_AffinePoint_Data& g, const EC_AffinePoint_Data& h) :
198 m_group(g.group()), m_tbl(g.to_legacy_point(), h.to_legacy_point()) {
199 BOTAN_ARG_CHECK(h.group() == m_group, "Curve mismatch");
200}
201
202std::unique_ptr<EC_AffinePoint_Data> EC_Mul2Table_Data_BN::mul2_vartime(const EC_Scalar_Data& x,
203 const EC_Scalar_Data& y) const {
204 BOTAN_ARG_CHECK(x.group() == m_group && y.group() == m_group, "Curve mismatch");
205
206 const auto& bn_x = EC_Scalar_Data_BN::checked_ref(x);
207 const auto& bn_y = EC_Scalar_Data_BN::checked_ref(y);
208 auto pt = m_tbl.multi_exp(bn_x.value(), bn_y.value());
209
210 if(pt.is_zero()) {
211 return nullptr;
212 }
213 return std::make_unique<EC_AffinePoint_Data_BN>(m_group, std::move(pt));
214}
215
216bool EC_Mul2Table_Data_BN::mul2_vartime_x_mod_order_eq(const EC_Scalar_Data& v,
217 const EC_Scalar_Data& x,
218 const EC_Scalar_Data& y) const {
219 BOTAN_ARG_CHECK(x.group() == m_group && y.group() == m_group && v.group() == m_group, "Curve mismatch");
220
221 const auto& bn_v = EC_Scalar_Data_BN::checked_ref(v);
222 const auto& bn_x = EC_Scalar_Data_BN::checked_ref(x);
223 const auto& bn_y = EC_Scalar_Data_BN::checked_ref(y);
224 const auto pt = m_tbl.multi_exp(bn_x.value(), bn_y.value());
225
226 return pt._is_x_eq_to_v_mod_order(bn_v.value());
227}
228
229} // namespace Botan
BOTAN_STATE_CHECK
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:49
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33
Botan::BigInt::is_zero
bool is_zero() const
Definition bigint.h:484
Botan::BufferStuffer
Helper class to ease in-place marshalling of concatenated fixed-length values.
Definition buffer_stuffer.h:24
Botan::BufferStuffer::append
constexpr void append(std::span< const uint8_t > buffer)
Definition buffer_stuffer.h:59
Botan::BufferStuffer::next
constexpr std::span< uint8_t > next(size_t bytes)
Definition buffer_stuffer.h:32
Botan::EC_AffinePoint_Data_BN::serialize_x_to
void serialize_x_to(std::span< uint8_t > bytes) const override
Definition ec_inner_bn.cpp:156
Botan::EC_AffinePoint_Data_BN::group
const std::shared_ptr< const EC_Group_Data > & group() const override
Definition ec_inner_bn.cpp:108
Botan::EC_AffinePoint_Data_BN::mul_x_only
secure_vector< uint8_t > mul_x_only(const EC_Scalar_Data &scalar, RandomNumberGenerator &rng) const override
Definition ec_inner_bn.cpp:130
Botan::EC_AffinePoint_Data_BN::EC_AffinePoint_Data_BN
EC_AffinePoint_Data_BN(std::shared_ptr< const EC_Group_Data > group, EC_Point pt)
Definition ec_inner_bn.cpp:96
Botan::EC_AffinePoint_Data_BN::serialize_compressed_to
void serialize_compressed_to(std::span< uint8_t > bytes) const override
Definition ec_inner_bn.cpp:177
Botan::EC_AffinePoint_Data_BN::mul
std::unique_ptr< EC_AffinePoint_Data > mul(const EC_Scalar_Data &scalar, RandomNumberGenerator &rng) const override
Definition ec_inner_bn.cpp:112
Botan::EC_AffinePoint_Data_BN::clone
std::unique_ptr< EC_AffinePoint_Data > clone() const override
Definition ec_inner_bn.cpp:104
Botan::EC_AffinePoint_Data_BN::field_element_bytes
size_t field_element_bytes() const override
Definition ec_inner_bn.cpp:148
Botan::EC_AffinePoint_Data_BN::is_identity
bool is_identity() const override
Definition ec_inner_bn.cpp:152
Botan::EC_AffinePoint_Data_BN::serialize_y_to
void serialize_y_to(std::span< uint8_t > bytes) const override
Definition ec_inner_bn.cpp:163
Botan::EC_AffinePoint_Data_BN::serialize_xy_to
void serialize_xy_to(std::span< uint8_t > bytes) const override
Definition ec_inner_bn.cpp:170
Botan::EC_AffinePoint_Data_BN::serialize_uncompressed_to
void serialize_uncompressed_to(std::span< uint8_t > bytes) const override
Definition ec_inner_bn.cpp:188
Botan::EC_AffinePoint_Data
Definition ec_inner_data.h:71
Botan::EC_AffinePoint_Data::group
virtual const std::shared_ptr< const EC_Group_Data > & group() const =0
Botan::EC_Mul2Table_Data_BN::EC_Mul2Table_Data_BN
EC_Mul2Table_Data_BN(const EC_AffinePoint_Data &g, const EC_AffinePoint_Data &h)
Definition ec_inner_bn.cpp:197
Botan::EC_Mul2Table_Data_BN::mul2_vartime_x_mod_order_eq
bool mul2_vartime_x_mod_order_eq(const EC_Scalar_Data &v, const EC_Scalar_Data &x, const EC_Scalar_Data &y) const override
Definition ec_inner_bn.cpp:216
Botan::EC_Mul2Table_Data_BN::mul2_vartime
std::unique_ptr< EC_AffinePoint_Data > mul2_vartime(const EC_Scalar_Data &x, const EC_Scalar_Data &y) const override
Definition ec_inner_bn.cpp:202
Botan::EC_Point_Var_Point_Precompute
Definition point_mul.h:40
Botan::EC_Point
Definition ec_point.h:32
Botan::EC_Scalar_Data_BN::invert
std::unique_ptr< EC_Scalar_Data > invert() const override
Definition ec_inner_bn.cpp:62
Botan::EC_Scalar_Data_BN::clone
std::unique_ptr< EC_Scalar_Data > clone() const override
Definition ec_inner_bn.cpp:31
Botan::EC_Scalar_Data_BN::negate
std::unique_ptr< EC_Scalar_Data > negate() const override
Definition ec_inner_bn.cpp:58
Botan::EC_Scalar_Data_BN::group
const std::shared_ptr< const EC_Group_Data > & group() const override
Definition ec_inner_bn.cpp:23
Botan::EC_Scalar_Data_BN::is_zero
bool is_zero() const override
Definition ec_inner_bn.cpp:35
Botan::EC_Scalar_Data_BN::sub
std::unique_ptr< EC_Scalar_Data > sub(const EC_Scalar_Data &other) const override
Definition ec_inner_bn.cpp:82
Botan::EC_Scalar_Data_BN::square_self
void square_self() override
Definition ec_inner_bn.cpp:54
Botan::EC_Scalar_Data_BN::add
std::unique_ptr< EC_Scalar_Data > add(const EC_Scalar_Data &other) const override
Definition ec_inner_bn.cpp:78
Botan::EC_Scalar_Data_BN::mul
std::unique_ptr< EC_Scalar_Data > mul(const EC_Scalar_Data &other) const override
Definition ec_inner_bn.cpp:87
Botan::EC_Scalar_Data_BN::value
const BigInt & value() const
Definition ec_inner_bn.h:52
Botan::EC_Scalar_Data_BN::serialize_to
void serialize_to(std::span< uint8_t > bytes) const override
Definition ec_inner_bn.cpp:91
Botan::EC_Scalar_Data_BN::checked_ref
static const EC_Scalar_Data_BN & checked_ref(const EC_Scalar_Data &data)
Definition ec_inner_bn.cpp:15
Botan::EC_Scalar_Data_BN::EC_Scalar_Data_BN
EC_Scalar_Data_BN(std::shared_ptr< const EC_Group_Data > group, BigInt v)
Definition ec_inner_bn.h:17
Botan::EC_Scalar_Data_BN::is_eq
bool is_eq(const EC_Scalar_Data &y) const override
Definition ec_inner_bn.cpp:39
Botan::EC_Scalar_Data_BN::zeroize
void zeroize() override
Definition ec_inner_bn.cpp:47
Botan::EC_Scalar_Data_BN::invert_vartime
std::unique_ptr< EC_Scalar_Data > invert_vartime() const override
Definition ec_inner_bn.cpp:70
Botan::EC_Scalar_Data_BN::assign
void assign(const EC_Scalar_Data &y) override
Definition ec_inner_bn.cpp:43
Botan::EC_Scalar_Data_BN::bytes
size_t bytes() const override
Definition ec_inner_bn.cpp:27
Botan::EC_Scalar_Data
Definition ec_inner_data.h:36
Botan::EC_Scalar_Data::group
virtual const std::shared_ptr< const EC_Group_Data > & group() const =0
Botan::Invalid_State
Definition exceptn.h:207
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:144
Botan::inverse_mod_public_prime
BigInt inverse_mod_public_prime(const BigInt &x, const BigInt &p)
Definition mod_inv.cpp:294
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68
Generated by doxygen 1.16.1