Botan 3.11.0
Crypto and TLS for C&
ec_inner_bn.cpp
Go to the documentation of this file.
1/*
2* (C) 2024 Jack Lloyd
3*
4* Botan is released under the Simplified BSD License (see license.txt)
5*/
6
7#include <botan/internal/ec_inner_bn.h>
8
9#include <botan/mem_ops.h>
10#include <botan/internal/buffer_stuffer.h>
11#include <botan/internal/mod_inv.h>
12
13namespace Botan {
14
15const EC_Scalar_Data_BN& EC_Scalar_Data_BN::checked_ref(const EC_Scalar_Data& data) {
16 const auto* p = dynamic_cast<const EC_Scalar_Data_BN*>(&data);
17 if(p == nullptr) {
18 throw Invalid_State("Failed conversion to EC_Scalar_Data_BN");
19 }
20 return *p;
21}
22
23const std::shared_ptr<const EC_Group_Data>& EC_Scalar_Data_BN::group() const {
24 return m_group;
25}
26
27size_t EC_Scalar_Data_BN::bytes() const {
28 return this->group()->order_bytes();
29}
30
31std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::clone() const {
32 return std::make_unique<EC_Scalar_Data_BN>(this->group(), this->value());
33}
34
35bool EC_Scalar_Data_BN::is_zero() const {
36 return this->value().is_zero();
37}
38
39bool EC_Scalar_Data_BN::is_eq(const EC_Scalar_Data& other) const {
40 return (value() == checked_ref(other).value());
41}
42
43void EC_Scalar_Data_BN::assign(const EC_Scalar_Data& other) {
44 m_v = checked_ref(other).value();
45}
46
47void EC_Scalar_Data_BN::zeroize() {
48 // BigInt stores its value in a secure_vector, after swapping the existing
49 // value will go out of scope (inside `zero`) and be wiped properly.
50 BigInt zero;
51 std::swap(m_v, zero);
52}
53
54void EC_Scalar_Data_BN::square_self() {
55 m_group->mod_order().square(m_v);
56}
57
58std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::negate() const {
59 return std::make_unique<EC_Scalar_Data_BN>(m_group, m_group->mod_order().reduce(m_group->order() - m_v));
60}
61
62std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::invert() const {
63 return std::make_unique<EC_Scalar_Data_BN>(m_group, inverse_mod_public_prime(m_v, m_group->order()));
64}
65
66std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::invert_vartime() const {
67 return std::make_unique<EC_Scalar_Data_BN>(m_group, inverse_mod_public_prime(m_v, m_group->order()));
68}
69
70std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::add(const EC_Scalar_Data& other) const {
71 return std::make_unique<EC_Scalar_Data_BN>(m_group, m_group->mod_order().reduce(m_v + checked_ref(other).value()));
72}
73
74std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::sub(const EC_Scalar_Data& other) const {
75 return std::make_unique<EC_Scalar_Data_BN>(
76 m_group, m_group->mod_order().reduce(m_v + (m_group->order() - checked_ref(other).value())));
77}
78
79std::unique_ptr<EC_Scalar_Data> EC_Scalar_Data_BN::mul(const EC_Scalar_Data& other) const {
80 return std::make_unique<EC_Scalar_Data_BN>(m_group, m_group->mod_order().multiply(m_v, checked_ref(other).value()));
81}
82
83void EC_Scalar_Data_BN::serialize_to(std::span<uint8_t> bytes) const {
84 BOTAN_ARG_CHECK(bytes.size() == m_group->order_bytes(), "Invalid output length");
85 m_v.serialize_to(bytes);
86}
87
88EC_AffinePoint_Data_BN::EC_AffinePoint_Data_BN(std::shared_ptr<const EC_Group_Data> group, EC_Point pt) :
89 m_group(std::move(group)), m_pt(std::move(pt)) {
90 if(!m_pt.is_zero()) {
91 m_pt.force_affine();
92 m_xy = m_pt.xy_bytes();
93 }
94}
95
96std::unique_ptr<EC_AffinePoint_Data> EC_AffinePoint_Data_BN::clone() const {
97 return std::make_unique<EC_AffinePoint_Data_BN>(m_group, m_pt);
98}
99
100const std::shared_ptr<const EC_Group_Data>& EC_AffinePoint_Data_BN::group() const {
101 return m_group;
102}
103
104std::unique_ptr<EC_AffinePoint_Data> EC_AffinePoint_Data_BN::mul(const EC_Scalar_Data& scalar,
105 RandomNumberGenerator& rng) const {
106 BOTAN_ARG_CHECK(scalar.group() == m_group, "Curve mismatch");
107 const auto& bn = EC_Scalar_Data_BN::checked_ref(scalar);
108
109 std::vector<BigInt> ws;
110 const EC_Point_Var_Point_Precompute mul(m_pt, rng, ws);
111
112 // We pass order*cofactor here to "correctly" handle the case where the
113 // point is on the curve but not in the prime order subgroup. This only
114 // matters for groups with cofactor > 1
115 // See https://github.com/randombit/botan/issues/3800
116
117 const auto order = m_group->order() * m_group->cofactor();
118 auto pt = mul.mul(bn.value(), rng, order, ws);
119 return std::make_unique<EC_AffinePoint_Data_BN>(m_group, std::move(pt));
120}
121
122secure_vector<uint8_t> EC_AffinePoint_Data_BN::mul_x_only(const EC_Scalar_Data& scalar,
123 RandomNumberGenerator& rng) const {
124 BOTAN_ARG_CHECK(scalar.group() == m_group, "Curve mismatch");
125 const auto& bn = EC_Scalar_Data_BN::checked_ref(scalar);
126
127 std::vector<BigInt> ws;
128 const EC_Point_Var_Point_Precompute mul(m_pt, rng, ws);
129
130 // We pass order*cofactor here to "correctly" handle the case where the
131 // point is on the curve but not in the prime order subgroup. This only
132 // matters for groups with cofactor > 1
133 // See https://github.com/randombit/botan/issues/3800
134
135 const auto order = m_group->order() * m_group->cofactor();
136 auto pt = mul.mul(bn.value(), rng, order, ws);
137 return pt.x_bytes();
138}
139
140size_t EC_AffinePoint_Data_BN::field_element_bytes() const {
141 return m_group->p_bytes();
142}
143
144bool EC_AffinePoint_Data_BN::is_identity() const {
145 return m_xy.empty();
146}
147
148void EC_AffinePoint_Data_BN::serialize_x_to(std::span<uint8_t> bytes) const {
149 BOTAN_STATE_CHECK(!this->is_identity());
150 const size_t fe_bytes = this->field_element_bytes();
151 BOTAN_ARG_CHECK(bytes.size() == fe_bytes, "Invalid output size");
152 copy_mem(bytes, std::span{m_xy}.first(fe_bytes));
153}
154
155void EC_AffinePoint_Data_BN::serialize_y_to(std::span<uint8_t> bytes) const {
156 BOTAN_STATE_CHECK(!this->is_identity());
157 const size_t fe_bytes = this->field_element_bytes();
158 BOTAN_ARG_CHECK(bytes.size() == fe_bytes, "Invalid output size");
159 copy_mem(bytes, std::span{m_xy}.last(fe_bytes));
160}
161
162void EC_AffinePoint_Data_BN::serialize_xy_to(std::span<uint8_t> bytes) const {
163 BOTAN_STATE_CHECK(!this->is_identity());
164 const size_t fe_bytes = this->field_element_bytes();
165 BOTAN_ARG_CHECK(bytes.size() == 2 * fe_bytes, "Invalid output size");
166 copy_mem(bytes, m_xy);
167}
168
169void EC_AffinePoint_Data_BN::serialize_compressed_to(std::span<uint8_t> bytes) const {
170 BOTAN_STATE_CHECK(!this->is_identity());
171 const size_t fe_bytes = this->field_element_bytes();
172 BOTAN_ARG_CHECK(bytes.size() == 1 + fe_bytes, "Invalid output size");
173 const bool y_is_odd = (m_xy[m_xy.size() - 1] & 0x01) == 0x01;
174
175 BufferStuffer stuffer(bytes);
176 stuffer.append(y_is_odd ? 0x03 : 0x02);
177 serialize_x_to(stuffer.next(fe_bytes));
178}
179
180void EC_AffinePoint_Data_BN::serialize_uncompressed_to(std::span<uint8_t> bytes) const {
181 BOTAN_STATE_CHECK(!this->is_identity());
182 const size_t fe_bytes = this->field_element_bytes();
183 BOTAN_ARG_CHECK(bytes.size() == 1 + 2 * fe_bytes, "Invalid output size");
184 BufferStuffer stuffer(bytes);
185 stuffer.append(0x04);
186 stuffer.append(m_xy);
187}
188
189EC_Mul2Table_Data_BN::EC_Mul2Table_Data_BN(const EC_AffinePoint_Data& g, const EC_AffinePoint_Data& h) :
190 m_group(g.group()), m_tbl(g.to_legacy_point(), h.to_legacy_point()) {
191 BOTAN_ARG_CHECK(h.group() == m_group, "Curve mismatch");
192}
193
194std::unique_ptr<EC_AffinePoint_Data> EC_Mul2Table_Data_BN::mul2_vartime(const EC_Scalar_Data& x,
195 const EC_Scalar_Data& y) const {
196 BOTAN_ARG_CHECK(x.group() == m_group && y.group() == m_group, "Curve mismatch");
197
198 const auto& bn_x = EC_Scalar_Data_BN::checked_ref(x);
199 const auto& bn_y = EC_Scalar_Data_BN::checked_ref(y);
200 auto pt = m_tbl.multi_exp(bn_x.value(), bn_y.value());
201
202 if(pt.is_zero()) {
203 return nullptr;
204 }
205 return std::make_unique<EC_AffinePoint_Data_BN>(m_group, std::move(pt));
206}
207
208bool EC_Mul2Table_Data_BN::mul2_vartime_x_mod_order_eq(const EC_Scalar_Data& v,
209 const EC_Scalar_Data& x,
210 const EC_Scalar_Data& y) const {
211 BOTAN_ARG_CHECK(x.group() == m_group && y.group() == m_group && v.group() == m_group, "Curve mismatch");
212
213 const auto& bn_v = EC_Scalar_Data_BN::checked_ref(v);
214 const auto& bn_x = EC_Scalar_Data_BN::checked_ref(x);
215 const auto& bn_y = EC_Scalar_Data_BN::checked_ref(y);
216 const auto pt = m_tbl.multi_exp(bn_x.value(), bn_y.value());
217
218 return pt._is_x_eq_to_v_mod_order(bn_v.value());
219}
220
221} // namespace Botan
BOTAN_STATE_CHECK
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:49
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33
Botan::BigInt::is_zero
bool is_zero() const
Definition bigint.h:473
Botan::BufferStuffer
Helper class to ease in-place marshalling of concatenated fixed-length values.
Definition buffer_stuffer.h:24
Botan::BufferStuffer::append
constexpr void append(std::span< const uint8_t > buffer)
Definition buffer_stuffer.h:59
Botan::BufferStuffer::next
constexpr std::span< uint8_t > next(size_t bytes)
Definition buffer_stuffer.h:32
Botan::EC_AffinePoint_Data_BN::serialize_x_to
void serialize_x_to(std::span< uint8_t > bytes) const override
Definition ec_inner_bn.cpp:148
Botan::EC_AffinePoint_Data_BN::group
const std::shared_ptr< const EC_Group_Data > & group() const override
Definition ec_inner_bn.cpp:100
Botan::EC_AffinePoint_Data_BN::mul_x_only
secure_vector< uint8_t > mul_x_only(const EC_Scalar_Data &scalar, RandomNumberGenerator &rng) const override
Definition ec_inner_bn.cpp:122
Botan::EC_AffinePoint_Data_BN::EC_AffinePoint_Data_BN
EC_AffinePoint_Data_BN(std::shared_ptr< const EC_Group_Data > group, EC_Point pt)
Definition ec_inner_bn.cpp:88
Botan::EC_AffinePoint_Data_BN::serialize_compressed_to
void serialize_compressed_to(std::span< uint8_t > bytes) const override
Definition ec_inner_bn.cpp:169
Botan::EC_AffinePoint_Data_BN::mul
std::unique_ptr< EC_AffinePoint_Data > mul(const EC_Scalar_Data &scalar, RandomNumberGenerator &rng) const override
Definition ec_inner_bn.cpp:104
Botan::EC_AffinePoint_Data_BN::clone
std::unique_ptr< EC_AffinePoint_Data > clone() const override
Definition ec_inner_bn.cpp:96
Botan::EC_AffinePoint_Data_BN::field_element_bytes
size_t field_element_bytes() const override
Definition ec_inner_bn.cpp:140
Botan::EC_AffinePoint_Data_BN::is_identity
bool is_identity() const override
Definition ec_inner_bn.cpp:144
Botan::EC_AffinePoint_Data_BN::serialize_y_to
void serialize_y_to(std::span< uint8_t > bytes) const override
Definition ec_inner_bn.cpp:155
Botan::EC_AffinePoint_Data_BN::serialize_xy_to
void serialize_xy_to(std::span< uint8_t > bytes) const override
Definition ec_inner_bn.cpp:162
Botan::EC_AffinePoint_Data_BN::serialize_uncompressed_to
void serialize_uncompressed_to(std::span< uint8_t > bytes) const override
Definition ec_inner_bn.cpp:180
Botan::EC_AffinePoint_Data
Definition ec_inner_data.h:71
Botan::EC_AffinePoint_Data::group
virtual const std::shared_ptr< const EC_Group_Data > & group() const =0
Botan::EC_Mul2Table_Data_BN::EC_Mul2Table_Data_BN
EC_Mul2Table_Data_BN(const EC_AffinePoint_Data &g, const EC_AffinePoint_Data &h)
Definition ec_inner_bn.cpp:189
Botan::EC_Mul2Table_Data_BN::mul2_vartime_x_mod_order_eq
bool mul2_vartime_x_mod_order_eq(const EC_Scalar_Data &v, const EC_Scalar_Data &x, const EC_Scalar_Data &y) const override
Definition ec_inner_bn.cpp:208
Botan::EC_Mul2Table_Data_BN::mul2_vartime
std::unique_ptr< EC_AffinePoint_Data > mul2_vartime(const EC_Scalar_Data &x, const EC_Scalar_Data &y) const override
Definition ec_inner_bn.cpp:194
Botan::EC_Point_Var_Point_Precompute
Definition point_mul.h:40
Botan::EC_Point
Definition ec_point.h:32
Botan::EC_Scalar_Data_BN::invert
std::unique_ptr< EC_Scalar_Data > invert() const override
Definition ec_inner_bn.cpp:62
Botan::EC_Scalar_Data_BN::clone
std::unique_ptr< EC_Scalar_Data > clone() const override
Definition ec_inner_bn.cpp:31
Botan::EC_Scalar_Data_BN::negate
std::unique_ptr< EC_Scalar_Data > negate() const override
Definition ec_inner_bn.cpp:58
Botan::EC_Scalar_Data_BN::group
const std::shared_ptr< const EC_Group_Data > & group() const override
Definition ec_inner_bn.cpp:23
Botan::EC_Scalar_Data_BN::is_zero
bool is_zero() const override
Definition ec_inner_bn.cpp:35
Botan::EC_Scalar_Data_BN::sub
std::unique_ptr< EC_Scalar_Data > sub(const EC_Scalar_Data &other) const override
Definition ec_inner_bn.cpp:74
Botan::EC_Scalar_Data_BN::square_self
void square_self() override
Definition ec_inner_bn.cpp:54
Botan::EC_Scalar_Data_BN::add
std::unique_ptr< EC_Scalar_Data > add(const EC_Scalar_Data &other) const override
Definition ec_inner_bn.cpp:70
Botan::EC_Scalar_Data_BN::mul
std::unique_ptr< EC_Scalar_Data > mul(const EC_Scalar_Data &other) const override
Definition ec_inner_bn.cpp:79
Botan::EC_Scalar_Data_BN::value
const BigInt & value() const
Definition ec_inner_bn.h:52
Botan::EC_Scalar_Data_BN::serialize_to
void serialize_to(std::span< uint8_t > bytes) const override
Definition ec_inner_bn.cpp:83
Botan::EC_Scalar_Data_BN::checked_ref
static const EC_Scalar_Data_BN & checked_ref(const EC_Scalar_Data &data)
Definition ec_inner_bn.cpp:15
Botan::EC_Scalar_Data_BN::EC_Scalar_Data_BN
EC_Scalar_Data_BN(std::shared_ptr< const EC_Group_Data > group, BigInt v)
Definition ec_inner_bn.h:17
Botan::EC_Scalar_Data_BN::is_eq
bool is_eq(const EC_Scalar_Data &y) const override
Definition ec_inner_bn.cpp:39
Botan::EC_Scalar_Data_BN::zeroize
void zeroize() override
Definition ec_inner_bn.cpp:47
Botan::EC_Scalar_Data_BN::invert_vartime
std::unique_ptr< EC_Scalar_Data > invert_vartime() const override
Definition ec_inner_bn.cpp:66
Botan::EC_Scalar_Data_BN::assign
void assign(const EC_Scalar_Data &y) override
Definition ec_inner_bn.cpp:43
Botan::EC_Scalar_Data_BN::bytes
size_t bytes() const override
Definition ec_inner_bn.cpp:27
Botan::EC_Scalar_Data
Definition ec_inner_data.h:36
Botan::EC_Scalar_Data::group
virtual const std::shared_ptr< const EC_Group_Data > & group() const =0
Botan::Invalid_State
Definition exceptn.h:207
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition mem_ops.h:144
Botan::inverse_mod_public_prime
BigInt inverse_mod_public_prime(const BigInt &x, const BigInt &p)
Definition mod_inv.cpp:293
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68
Generated by doxygen 1.15.0