Botan 3.9.0
Crypto and TLS for C&
ec_inner_bn.cpp
Go to the documentation of this file.
1/*
2* (C) 2024 Jack Lloyd
3*
4* Botan is released under the Simplified BSD License (see license.txt)
5*/
6
7#include <botan/internal/ec_inner_bn.h>
8
9#include <botan/mem_ops.h>
10#include <botan/internal/mod_inv.h>
11
12namespace Botan {
13
14const EC_Scalar_Data_BN& EC_Scalar_Data_BN::checked_ref(const EC_Scalar_Data& data) {
15 const auto* p = dynamic_cast<const EC_Scalar_Data_BN*>(&data);
16 if(p == nullptr) {
17 throw Invalid_State("Failed conversion to EC_Scalar_Data_BN");
18 }
19 return *p;
20}
21
22const std::shared_ptr<const EC_Group_Data>& EC_Scalar_Data_BN::group() const {
23 return m_group;
24}
25
26size_t EC_Scalar_Data_BN::bytes() const {
27 return this->group()->order_bytes();
28}
29
30std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::clone() const {
31 return std::make_unique<EC_Scalar_Data_BN>(this->group(), this->value());
32}
33
34bool EC_Scalar_Data_BN::is_zero() const {
35 return this->value().is_zero();
36}
37
38bool EC_Scalar_Data_BN::is_eq(const EC_Scalar_Data& other) const {
39 return (value() == checked_ref(other).value());
40}
41
42void EC_Scalar_Data_BN::assign(const EC_Scalar_Data& other) {
43 m_v = checked_ref(other).value();
44}
45
46void EC_Scalar_Data_BN::zeroize() {
47 // BigInt stores its value in a secure_vector, after swapping the existing
48 // value will go out of scope (inside `zero`) and be wiped properly.
49 BigInt zero;
50 std::swap(m_v, zero);
51}
52
53void EC_Scalar_Data_BN::square_self() {
54 m_group->mod_order().square(m_v);
55}
56
57std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::negate() const {
58 return std::make_unique<EC_Scalar_Data_BN>(m_group, m_group->mod_order().reduce(m_group->order() - m_v));
59}
60
61std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::invert() const {
62 return std::make_unique<EC_Scalar_Data_BN>(m_group, inverse_mod_public_prime(m_v, m_group->order()));
63}
64
65std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::invert_vartime() const {
66 return std::make_unique<EC_Scalar_Data_BN>(m_group, inverse_mod_public_prime(m_v, m_group->order()));
67}
68
69std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::add(const EC_Scalar_Data& other) const {
70 return std::make_unique<EC_Scalar_Data_BN>(m_group, m_group->mod_order().reduce(m_v + checked_ref(other).value()));
71}
72
73std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::sub(const EC_Scalar_Data& other) const {
74 return std::make_unique<EC_Scalar_Data_BN>(
75 m_group, m_group->mod_order().reduce(m_v + (m_group->order() - checked_ref(other).value())));
76}
77
78std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::mul(const EC_Scalar_Data& other) const {
79 return std::make_unique<EC_Scalar_Data_BN>(m_group, m_group->mod_order().multiply(m_v, checked_ref(other).value()));
80}
81
82void EC_Scalar_Data_BN::serialize_to(std::span<uint8_t> bytes) const {
83 BOTAN_ARG_CHECK(bytes.size() == m_group->order_bytes(), "Invalid output length");
84 m_v.serialize_to(bytes);
85}
86
87EC_AffinePoint_Data_BN::EC_AffinePoint_Data_BN(std::shared_ptr<const EC_Group_Data> group, EC_Point pt) :
88 m_group(std::move(group)), m_pt(std::move(pt)) {
89 if(!m_pt.is_zero()) {
90 m_pt.force_affine();
91 m_xy = m_pt.xy_bytes();
92 }
93}
94
95std::unique_ptr<EC_AffinePoint_Data> EC_AffinePoint_Data_BN::clone() const {
96 return std::make_unique<EC_AffinePoint_Data_BN>(m_group, m_pt);
97}
98
99const std::shared_ptr<const EC_Group_Data>& EC_AffinePoint_Data_BN::group() const {
100 return m_group;
101}
102
103std::unique_ptr<EC_AffinePoint_Data> EC_AffinePoint_Data_BN::mul(const EC_Scalar_Data& scalar,
104 RandomNumberGenerator& rng) const {
105 BOTAN_ARG_CHECK(scalar.group() == m_group, "Curve mismatch");
106 const auto& bn = EC_Scalar_Data_BN::checked_ref(scalar);
107
108 std::vector<BigInt> ws;
109 EC_Point_Var_Point_Precompute mul(m_pt, rng, ws);
110
111 // We pass order*cofactor here to "correctly" handle the case where the
112 // point is on the curve but not in the prime order subgroup. This only
113 // matters for groups with cofactor > 1
114 // See https://github.com/randombit/botan/issues/3800
115
116 const auto order = m_group->order() * m_group->cofactor();
117 auto pt = mul.mul(bn.value(), rng, order, ws);
118 return std::make_unique<EC_AffinePoint_Data_BN>(m_group, std::move(pt));
119}
120
121secure_vector<uint8_t> EC_AffinePoint_Data_BN::mul_x_only(const EC_Scalar_Data& scalar,
122 RandomNumberGenerator& rng) const {
123 BOTAN_ARG_CHECK(scalar.group() == m_group, "Curve mismatch");
124 const auto& bn = EC_Scalar_Data_BN::checked_ref(scalar);
125
126 std::vector<BigInt> ws;
127 EC_Point_Var_Point_Precompute mul(m_pt, rng, ws);
128
129 // We pass order*cofactor here to "correctly" handle the case where the
130 // point is on the curve but not in the prime order subgroup. This only
131 // matters for groups with cofactor > 1
132 // See https://github.com/randombit/botan/issues/3800
133
134 const auto order = m_group->order() * m_group->cofactor();
135 auto pt = mul.mul(bn.value(), rng, order, ws);
136 return pt.x_bytes();
137}
138
139size_t EC_AffinePoint_Data_BN::field_element_bytes() const {
140 return m_group->p_bytes();
141}
142
143bool EC_AffinePoint_Data_BN::is_identity() const {
144 return m_xy.empty();
145}
146
147void EC_AffinePoint_Data_BN::serialize_x_to(std::span<uint8_t> bytes) const {
148 BOTAN_STATE_CHECK(!this->is_identity());
149 const size_t fe_bytes = this->field_element_bytes();
150 BOTAN_ARG_CHECK(bytes.size() == fe_bytes, "Invalid output size");
151 copy_mem(bytes, std::span{m_xy}.first(fe_bytes));
152}
153
154void EC_AffinePoint_Data_BN::serialize_y_to(std::span<uint8_t> bytes) const {
155 BOTAN_STATE_CHECK(!this->is_identity());
156 const size_t fe_bytes = this->field_element_bytes();
157 BOTAN_ARG_CHECK(bytes.size() == fe_bytes, "Invalid output size");
158 copy_mem(bytes, std::span{m_xy}.last(fe_bytes));
159}
160
161void EC_AffinePoint_Data_BN::serialize_xy_to(std::span<uint8_t> bytes) const {
162 BOTAN_STATE_CHECK(!this->is_identity());
163 const size_t fe_bytes = this->field_element_bytes();
164 BOTAN_ARG_CHECK(bytes.size() == 2 * fe_bytes, "Invalid output size");
165 copy_mem(bytes, m_xy);
166}
167
168void EC_AffinePoint_Data_BN::serialize_compressed_to(std::span<uint8_t> bytes) const {
169 BOTAN_STATE_CHECK(!this->is_identity());
170 const size_t fe_bytes = this->field_element_bytes();
171 BOTAN_ARG_CHECK(bytes.size() == 1 + fe_bytes, "Invalid output size");
172 const bool y_is_odd = (m_xy[m_xy.size() - 1] & 0x01) == 0x01;
173
174 BufferStuffer stuffer(bytes);
175 stuffer.append(y_is_odd ? 0x03 : 0x02);
176 serialize_x_to(stuffer.next(fe_bytes));
177}
178
179void EC_AffinePoint_Data_BN::serialize_uncompressed_to(std::span<uint8_t> bytes) const {
180 BOTAN_STATE_CHECK(!this->is_identity());
181 const size_t fe_bytes = this->field_element_bytes();
182 BOTAN_ARG_CHECK(bytes.size() == 1 + 2 * fe_bytes, "Invalid output size");
183 BufferStuffer stuffer(bytes);
184 stuffer.append(0x04);
185 stuffer.append(m_xy);
186}
187
188EC_Mul2Table_Data_BN::EC_Mul2Table_Data_BN(const EC_AffinePoint_Data& g, const EC_AffinePoint_Data& h) :
189 m_group(g.group()), m_tbl(g.to_legacy_point(), h.to_legacy_point()) {
190 BOTAN_ARG_CHECK(h.group() == m_group, "Curve mismatch");
191}
192
193std::unique_ptr<EC_AffinePoint_Data> EC_Mul2Table_Data_BN::mul2_vartime(const EC_Scalar_Data& x,
194 const EC_Scalar_Data& y) const {
195 BOTAN_ARG_CHECK(x.group() == m_group && y.group() == m_group, "Curve mismatch");
196
197 const auto& bn_x = EC_Scalar_Data_BN::checked_ref(x);
198 const auto& bn_y = EC_Scalar_Data_BN::checked_ref(y);
199 auto pt = m_tbl.multi_exp(bn_x.value(), bn_y.value());
200
201 if(pt.is_zero()) {
202 return nullptr;
203 }
204 return std::make_unique<EC_AffinePoint_Data_BN>(m_group, std::move(pt));
205}
206
207bool EC_Mul2Table_Data_BN::mul2_vartime_x_mod_order_eq(const EC_Scalar_Data& v,
208 const EC_Scalar_Data& x,
209 const EC_Scalar_Data& y) const {
210 BOTAN_ARG_CHECK(x.group() == m_group && y.group() == m_group && v.group() == m_group, "Curve mismatch");
211
212 const auto& bn_v = EC_Scalar_Data_BN::checked_ref(v);
213 const auto& bn_x = EC_Scalar_Data_BN::checked_ref(x);
214 const auto& bn_y = EC_Scalar_Data_BN::checked_ref(y);
215 const auto pt = m_tbl.multi_exp(bn_x.value(), bn_y.value());
216
217 return pt._is_x_eq_to_v_mod_order(bn_v.value());
218}
219
220} // namespace Botan
BOTAN_STATE_CHECK
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:49
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33
Botan::BigInt::is_zero
bool is_zero() const
Definition bigint.h:457
Botan::BufferStuffer
Helper class to ease in-place marshalling of concatenated fixed-length values.
Definition stl_util.h:134
Botan::BufferStuffer::append
constexpr void append(std::span< const uint8_t > buffer)
Definition stl_util.h:169
Botan::BufferStuffer::next
constexpr std::span< uint8_t > next(size_t bytes)
Definition stl_util.h:142
Botan::EC_AffinePoint_Data_BN::serialize_x_to
void serialize_x_to(std::span< uint8_t > bytes) const override
Definition ec_inner_bn.cpp:147
Botan::EC_AffinePoint_Data_BN::group
const std::shared_ptr< const EC_Group_Data > & group() const override
Definition ec_inner_bn.cpp:99
Botan::EC_AffinePoint_Data_BN::mul_x_only
secure_vector< uint8_t > mul_x_only(const EC_Scalar_Data &scalar, RandomNumberGenerator &rng) const override
Definition ec_inner_bn.cpp:121
Botan::EC_AffinePoint_Data_BN::EC_AffinePoint_Data_BN
EC_AffinePoint_Data_BN(std::shared_ptr< const EC_Group_Data > group, EC_Point pt)
Definition ec_inner_bn.cpp:87
Botan::EC_AffinePoint_Data_BN::serialize_compressed_to
void serialize_compressed_to(std::span< uint8_t > bytes) const override
Definition ec_inner_bn.cpp:168
Botan::EC_AffinePoint_Data_BN::mul
std::unique_ptr< EC_AffinePoint_Data > mul(const EC_Scalar_Data &scalar, RandomNumberGenerator &rng) const override
Definition ec_inner_bn.cpp:103
Botan::EC_AffinePoint_Data_BN::clone
std::unique_ptr< EC_AffinePoint_Data > clone() const override
Definition ec_inner_bn.cpp:95
Botan::EC_AffinePoint_Data_BN::field_element_bytes
size_t field_element_bytes() const override
Definition ec_inner_bn.cpp:139
Botan::EC_AffinePoint_Data_BN::is_identity
bool is_identity() const override
Definition ec_inner_bn.cpp:143
Botan::EC_AffinePoint_Data_BN::serialize_y_to
void serialize_y_to(std::span< uint8_t > bytes) const override
Definition ec_inner_bn.cpp:154
Botan::EC_AffinePoint_Data_BN::serialize_xy_to
void serialize_xy_to(std::span< uint8_t > bytes) const override
Definition ec_inner_bn.cpp:161
Botan::EC_AffinePoint_Data_BN::serialize_uncompressed_to
void serialize_uncompressed_to(std::span< uint8_t > bytes) const override
Definition ec_inner_bn.cpp:179
Botan::EC_AffinePoint_Data
Definition ec_inner_data.h:72
Botan::EC_AffinePoint_Data::group
virtual const std::shared_ptr< const EC_Group_Data > & group() const =0
Botan::EC_Mul2Table_Data_BN::EC_Mul2Table_Data_BN
EC_Mul2Table_Data_BN(const EC_AffinePoint_Data &g, const EC_AffinePoint_Data &h)
Definition ec_inner_bn.cpp:188
Botan::EC_Mul2Table_Data_BN::mul2_vartime_x_mod_order_eq
bool mul2_vartime_x_mod_order_eq(const EC_Scalar_Data &v, const EC_Scalar_Data &x, const EC_Scalar_Data &y) const override
Definition ec_inner_bn.cpp:207
Botan::EC_Mul2Table_Data_BN::mul2_vartime
std::unique_ptr< EC_AffinePoint_Data > mul2_vartime(const EC_Scalar_Data &x, const EC_Scalar_Data &y) const override
Definition ec_inner_bn.cpp:193
Botan::EC_Point_Var_Point_Precompute
Definition point_mul.h:40
Botan::EC_Point
Definition ec_point.h:33
Botan::EC_Scalar_Data_BN::invert
std::unique_ptr< EC_Scalar_Data > invert() const override
Definition ec_inner_bn.cpp:61
Botan::EC_Scalar_Data_BN::clone
std::unique_ptr< EC_Scalar_Data > clone() const override
Definition ec_inner_bn.cpp:30
Botan::EC_Scalar_Data_BN::negate
std::unique_ptr< EC_Scalar_Data > negate() const override
Definition ec_inner_bn.cpp:57
Botan::EC_Scalar_Data_BN::group
const std::shared_ptr< const EC_Group_Data > & group() const override
Definition ec_inner_bn.cpp:22
Botan::EC_Scalar_Data_BN::is_zero
bool is_zero() const override
Definition ec_inner_bn.cpp:34
Botan::EC_Scalar_Data_BN::sub
std::unique_ptr< EC_Scalar_Data > sub(const EC_Scalar_Data &other) const override
Definition ec_inner_bn.cpp:73
Botan::EC_Scalar_Data_BN::square_self
void square_self() override
Definition ec_inner_bn.cpp:53
Botan::EC_Scalar_Data_BN::add
std::unique_ptr< EC_Scalar_Data > add(const EC_Scalar_Data &other) const override
Definition ec_inner_bn.cpp:69
Botan::EC_Scalar_Data_BN::mul
std::unique_ptr< EC_Scalar_Data > mul(const EC_Scalar_Data &other) const override
Definition ec_inner_bn.cpp:78
Botan::EC_Scalar_Data_BN::value
const BigInt & value() const
Definition ec_inner_bn.h:52
Botan::EC_Scalar_Data_BN::serialize_to
void serialize_to(std::span< uint8_t > bytes) const override
Definition ec_inner_bn.cpp:82
Botan::EC_Scalar_Data_BN::checked_ref
static const EC_Scalar_Data_BN & checked_ref(const EC_Scalar_Data &data)
Definition ec_inner_bn.cpp:14
Botan::EC_Scalar_Data_BN::EC_Scalar_Data_BN
EC_Scalar_Data_BN(std::shared_ptr< const EC_Group_Data > group, BigInt v)
Definition ec_inner_bn.h:17
Botan::EC_Scalar_Data_BN::is_eq
bool is_eq(const EC_Scalar_Data &y) const override
Definition ec_inner_bn.cpp:38
Botan::EC_Scalar_Data_BN::zeroize
void zeroize() override
Definition ec_inner_bn.cpp:46
Botan::EC_Scalar_Data_BN::invert_vartime
std::unique_ptr< EC_Scalar_Data > invert_vartime() const override
Definition ec_inner_bn.cpp:65
Botan::EC_Scalar_Data_BN::assign
void assign(const EC_Scalar_Data &y) override
Definition ec_inner_bn.cpp:42
Botan::EC_Scalar_Data_BN::bytes
size_t bytes() const override
Definition ec_inner_bn.cpp:26
Botan::EC_Scalar_Data
Definition ec_inner_data.h:37
Botan::EC_Scalar_Data::group
virtual const std::shared_ptr< const EC_Group_Data > & group() const =0
Botan::Invalid_State
Definition exceptn.h:206
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:145
Botan::inverse_mod_public_prime
BigInt inverse_mod_public_prime(const BigInt &x, const BigInt &p)
Definition mod_inv.cpp:291
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69
Generated by doxygen 1.14.0