Botan 3.0.0
Crypto and TLS for C&
monty.cpp
Go to the documentation of this file.
1/*
2* (C) 2018 Jack Lloyd
3*
4* Botan is released under the Simplified BSD License (see license.txt)
5*/
6
7#include <botan/internal/monty.h>
8#include <botan/reducer.h>
9#include <botan/internal/mp_core.h>
10
11#include <utility>
12
13namespace Botan {
14
15word monty_inverse(word a)
16 {
17 if(a % 2 == 0)
18 throw Invalid_Argument("monty_inverse only valid for odd integers");
19
20 /*
21 * From "A New Algorithm for Inversion mod p^k" by Çetin Kaya Koç
22 * https://eprint.iacr.org/2017/411.pdf sections 5 and 7.
23 */
24
25 word b = 1;
26 word r = 0;
27
28 for(size_t i = 0; i != BOTAN_MP_WORD_BITS; ++i)
29 {
30 const word bi = b % 2;
31 r >>= 1;
32 r += bi << (BOTAN_MP_WORD_BITS - 1);
33
34 b -= a * bi;
35 b >>= 1;
36 }
37
38 // Now invert in addition space
39 r = (MP_WORD_MAX - r) + 1;
40
41 return r;
42 }
43
44Montgomery_Params::Montgomery_Params(const BigInt& p,
45 const Modular_Reducer& mod_p)
46 {
47 if(p.is_even() || p < 3)
48 throw Invalid_Argument("Montgomery_Params invalid modulus");
49
50 m_p = p;
51 m_p_words = m_p.sig_words();
52 m_p_dash = monty_inverse(m_p.word_at(0));
53
54 const BigInt r = BigInt::power_of_2(m_p_words * BOTAN_MP_WORD_BITS);
55
56 m_r1 = mod_p.reduce(r);
57 m_r2 = mod_p.square(m_r1);
58 m_r3 = mod_p.multiply(m_r1, m_r2);
59 }
60
61Montgomery_Params::Montgomery_Params(const BigInt& p)
62 {
63 if(p.is_even() || p < 3)
64 throw Invalid_Argument("Montgomery_Params invalid modulus");
65
66 m_p = p;
67 m_p_words = m_p.sig_words();
68 m_p_dash = monty_inverse(m_p.word_at(0));
69
70 const BigInt r = BigInt::power_of_2(m_p_words * BOTAN_MP_WORD_BITS);
71
72 // It might be faster to use ct_modulo here vs setting up Barrett reduction?
73 Modular_Reducer mod_p(p);
74
75 m_r1 = mod_p.reduce(r);
76 m_r2 = mod_p.square(m_r1);
77 m_r3 = mod_p.multiply(m_r1, m_r2);
78 }
79
80BigInt Montgomery_Params::inv_mod_p(const BigInt& x) const
81 {
82 // TODO use Montgomery inverse here?
83 return inverse_mod(x, p());
84 }
85
86BigInt Montgomery_Params::redc(const BigInt& x, secure_vector<word>& ws) const
87 {
88 const size_t output_size = m_p_words + 1;
89
90 if(ws.size() < output_size)
91 ws.resize(output_size);
92
93 BigInt z = x;
94 z.grow_to(2*m_p_words);
95
96 bigint_monty_redc(z.mutable_data(),
97 m_p.data(), m_p_words, m_p_dash,
98 ws.data(), ws.size());
99
100 return z;
101 }
102
103BigInt Montgomery_Params::mul(const BigInt& x, const BigInt& y,
104 secure_vector<word>& ws) const
105 {
106 const size_t output_size = 2*m_p_words + 2;
107
108 if(ws.size() < output_size)
109 ws.resize(output_size);
110
111 BOTAN_DEBUG_ASSERT(x.sig_words() <= m_p_words);
112 BOTAN_DEBUG_ASSERT(y.sig_words() <= m_p_words);
113
114 BigInt z = BigInt::with_capacity(output_size);
115 bigint_mul(z.mutable_data(), z.size(),
116 x.data(), x.size(), std::min(m_p_words, x.size()),
117 y.data(), y.size(), std::min(m_p_words, y.size()),
118 ws.data(), ws.size());
119
120 bigint_monty_redc(z.mutable_data(),
121 m_p.data(), m_p_words, m_p_dash,
122 ws.data(), ws.size());
123
124 return z;
125 }
126
127BigInt Montgomery_Params::mul(const BigInt& x,
128 const secure_vector<word>& y,
129 secure_vector<word>& ws) const
130 {
131 const size_t output_size = 2*m_p_words + 2;
132 if(ws.size() < output_size)
133 ws.resize(output_size);
134 BigInt z = BigInt::with_capacity(output_size);
135
136 BOTAN_DEBUG_ASSERT(x.sig_words() <= m_p_words);
137
138 bigint_mul(z.mutable_data(), z.size(),
139 x.data(), x.size(), std::min(m_p_words, x.size()),
140 y.data(), y.size(), std::min(m_p_words, y.size()),
141 ws.data(), ws.size());
142
143 bigint_monty_redc(z.mutable_data(),
144 m_p.data(), m_p_words, m_p_dash,
145 ws.data(), ws.size());
146
147 return z;
148 }
149
150void Montgomery_Params::mul_by(BigInt& x,
151 const secure_vector<word>& y,
152 secure_vector<word>& ws) const
153 {
154 const size_t output_size = 2*m_p_words;
155
156 if(ws.size() < 2*output_size)
157 ws.resize(2*output_size);
158
159 word* z_data = &ws[0];
160 word* ws_data = &ws[output_size];
161
162 BOTAN_DEBUG_ASSERT(x.sig_words() <= m_p_words);
163
164 bigint_mul(z_data, output_size,
165 x.data(), x.size(), std::min(m_p_words, x.size()),
166 y.data(), y.size(), std::min(m_p_words, y.size()),
167 ws_data, output_size);
168
169 bigint_monty_redc(z_data,
170 m_p.data(), m_p_words, m_p_dash,
171 ws_data, output_size);
172
173 if(x.size() < output_size)
174 x.grow_to(output_size);
175 copy_mem(x.mutable_data(), z_data, output_size);
176 }
177
178void Montgomery_Params::mul_by(BigInt& x,
179 const BigInt& y,
180 secure_vector<word>& ws) const
181 {
182 const size_t output_size = 2*m_p_words;
183
184 if(ws.size() < 2*output_size)
185 ws.resize(2*output_size);
186
187 word* z_data = &ws[0];
188 word* ws_data = &ws[output_size];
189
190 BOTAN_DEBUG_ASSERT(x.sig_words() <= m_p_words);
191
192 bigint_mul(z_data, output_size,
193 x.data(), x.size(), std::min(m_p_words, x.size()),
194 y.data(), y.size(), std::min(m_p_words, y.size()),
195 ws_data, output_size);
196
197 bigint_monty_redc(z_data,
198 m_p.data(), m_p_words, m_p_dash,
199 ws_data, output_size);
200
201 if(x.size() < output_size)
202 x.grow_to(output_size);
203 copy_mem(x.mutable_data(), z_data, output_size);
204 }
205
206BigInt Montgomery_Params::sqr(const BigInt& x, secure_vector<word>& ws) const
207 {
208 const size_t output_size = 2*m_p_words;
209
210 if(ws.size() < output_size)
211 ws.resize(output_size);
212
213 BigInt z = BigInt::with_capacity(output_size);
214
215 BOTAN_DEBUG_ASSERT(x.sig_words() <= m_p_words);
216
217 bigint_sqr(z.mutable_data(), z.size(),
218 x.data(), x.size(), std::min(m_p_words, x.size()),
219 ws.data(), ws.size());
220
221 bigint_monty_redc(z.mutable_data(),
222 m_p.data(), m_p_words, m_p_dash,
223 ws.data(), ws.size());
224
225 return z;
226 }
227
228void Montgomery_Params::square_this(BigInt& x,
229 secure_vector<word>& ws) const
230 {
231 const size_t output_size = 2*m_p_words;
232
233 if(ws.size() < 2*output_size)
234 ws.resize(2*output_size);
235
236 word* z_data = &ws[0];
237 word* ws_data = &ws[output_size];
238
239 BOTAN_DEBUG_ASSERT(x.sig_words() <= m_p_words);
240
241 bigint_sqr(z_data, output_size,
242 x.data(), x.size(), std::min(m_p_words, x.size()),
243 ws_data, output_size);
244
245 bigint_monty_redc(z_data,
246 m_p.data(), m_p_words, m_p_dash,
247 ws_data, output_size);
248
249 if(x.size() < output_size)
250 x.grow_to(output_size);
251 copy_mem(x.mutable_data(), z_data, output_size);
252 }
253
254Montgomery_Int::Montgomery_Int(const std::shared_ptr<const Montgomery_Params>& params,
255 const BigInt& v,
256 bool redc_needed) :
257 m_params(params)
258 {
259 if(redc_needed == false)
260 {
261 m_v = v;
262 }
263 else
264 {
265 BOTAN_ASSERT_NOMSG(m_v < m_params->p());
266 secure_vector<word> ws;
267 m_v = m_params->mul(v, m_params->R2(), ws);
268 }
269 }
270
271Montgomery_Int::Montgomery_Int(const std::shared_ptr<const Montgomery_Params>& params,
272 const uint8_t bits[], size_t len,
273 bool redc_needed) :
274 m_params(params),
275 m_v(bits, len)
276 {
277 if(redc_needed)
278 {
279 BOTAN_ASSERT_NOMSG(m_v < m_params->p());
280 secure_vector<word> ws;
281 m_v = m_params->mul(m_v, m_params->R2(), ws);
282 }
283 }
284
285Montgomery_Int::Montgomery_Int(std::shared_ptr<const Montgomery_Params> params,
286 const word words[], size_t len,
287 bool redc_needed) :
288 m_params(std::move(params))
289 {
290 m_v.set_words(words, len);
291
292 if(redc_needed)
293 {
294 BOTAN_ASSERT_NOMSG(m_v < m_params->p());
295 secure_vector<word> ws;
296 m_v = m_params->mul(m_v, m_params->R2(), ws);
297 }
298 }
299
300void Montgomery_Int::fix_size()
301 {
302 const size_t p_words = m_params->p_words();
303
304 if(m_v.sig_words() > p_words)
305 throw Internal_Error("Montgomery_Int::fix_size v too large");
306
307 m_v.grow_to(p_words);
308 }
309
310bool Montgomery_Int::operator==(const Montgomery_Int& other) const
311 {
312 return m_v == other.m_v && m_params->p() == other.m_params->p();
313 }
314
315std::vector<uint8_t> Montgomery_Int::serialize() const
316 {
317 std::vector<uint8_t> v(size());
318 BigInt::encode_1363(v.data(), v.size(), value());
319 return v;
320 }
321
322size_t Montgomery_Int::size() const
323 {
324 return m_params->p().bytes();
325 }
326
327bool Montgomery_Int::is_one() const
328 {
329 return m_v == m_params->R1();
330 }
331
332bool Montgomery_Int::is_zero() const
333 {
334 return m_v.is_zero();
335 }
336
337BigInt Montgomery_Int::value() const
338 {
339 secure_vector<word> ws;
340 return m_params->redc(m_v, ws);
341 }
342
343Montgomery_Int Montgomery_Int::operator+(const Montgomery_Int& other) const
344 {
345 secure_vector<word> ws;
346 BigInt z = m_v;
347 z.mod_add(other.m_v, m_params->p(), ws);
348 return Montgomery_Int(m_params, z, false);
349 }
350
351Montgomery_Int Montgomery_Int::operator-(const Montgomery_Int& other) const
352 {
353 secure_vector<word> ws;
354 BigInt z = m_v;
355 z.mod_sub(other.m_v, m_params->p(), ws);
356 return Montgomery_Int(m_params, z, false);
357 }
358
359Montgomery_Int& Montgomery_Int::operator+=(const Montgomery_Int& other)
360 {
361 secure_vector<word> ws;
362 return this->add(other, ws);
363 }
364
365Montgomery_Int& Montgomery_Int::add(const Montgomery_Int& other, secure_vector<word>& ws)
366 {
367 m_v.mod_add(other.m_v, m_params->p(), ws);
368 return (*this);
369 }
370
371Montgomery_Int& Montgomery_Int::operator-=(const Montgomery_Int& other)
372 {
373 secure_vector<word> ws;
374 return this->sub(other, ws);
375 }
376
377Montgomery_Int& Montgomery_Int::sub(const Montgomery_Int& other, secure_vector<word>& ws)
378 {
379 m_v.mod_sub(other.m_v, m_params->p(), ws);
380 return (*this);
381 }
382
383Montgomery_Int Montgomery_Int::operator*(const Montgomery_Int& other) const
384 {
385 secure_vector<word> ws;
386 return Montgomery_Int(m_params, m_params->mul(m_v, other.m_v, ws), false);
387 }
388
389Montgomery_Int Montgomery_Int::mul(const Montgomery_Int& other,
390 secure_vector<word>& ws) const
391 {
392 return Montgomery_Int(m_params, m_params->mul(m_v, other.m_v, ws), false);
393 }
394
395Montgomery_Int& Montgomery_Int::mul_by(const Montgomery_Int& other,
396 secure_vector<word>& ws)
397 {
398 m_params->mul_by(m_v, other.m_v, ws);
399 return (*this);
400 }
401
402Montgomery_Int& Montgomery_Int::mul_by(const secure_vector<word>& other,
403 secure_vector<word>& ws)
404 {
405 m_params->mul_by(m_v, other, ws);
406 return (*this);
407 }
408
409Montgomery_Int& Montgomery_Int::operator*=(const Montgomery_Int& other)
410 {
411 secure_vector<word> ws;
412 return mul_by(other, ws);
413 }
414
415Montgomery_Int& Montgomery_Int::operator*=(const secure_vector<word>& other)
416 {
417 secure_vector<word> ws;
418 return mul_by(other, ws);
419 }
420
421Montgomery_Int& Montgomery_Int::square_this_n_times(secure_vector<word>& ws, size_t n)
422 {
423 for(size_t i = 0; i != n; ++i)
424 m_params->square_this(m_v, ws);
425 return (*this);
426 }
427
428Montgomery_Int& Montgomery_Int::square_this(secure_vector<word>& ws)
429 {
430 m_params->square_this(m_v, ws);
431 return (*this);
432 }
433
434Montgomery_Int Montgomery_Int::square(secure_vector<word>& ws) const
435 {
436 return Montgomery_Int(m_params, m_params->sqr(m_v, ws), false);
437 }
438
439Montgomery_Int Montgomery_Int::cube(secure_vector<word>& ws) const
440 {
441 return Montgomery_Int(m_params, m_params->sqr(m_v, ws), false);
442 }
443
444Montgomery_Int Montgomery_Int::multiplicative_inverse() const
445 {
446 secure_vector<word> ws;
447 const BigInt iv = m_params->mul(m_params->inv_mod_p(m_v), m_params->R3(), ws);
448 return Montgomery_Int(m_params, iv, false);
449 }
450
451Montgomery_Int Montgomery_Int::additive_inverse() const
452 {
453 return Montgomery_Int(m_params, m_params->p()) - (*this);
454 }
455
456Montgomery_Int& Montgomery_Int::mul_by_2(secure_vector<word>& ws)
457 {
458 m_v.mod_mul(2, m_params->p(), ws);
459 return (*this);
460 }
461
462Montgomery_Int& Montgomery_Int::mul_by_3(secure_vector<word>& ws)
463 {
464 m_v.mod_mul(3, m_params->p(), ws);
465 return (*this);
466 }
467
468Montgomery_Int& Montgomery_Int::mul_by_4(secure_vector<word>& ws)
469 {
470 m_v.mod_mul(4, m_params->p(), ws);
471 return (*this);
472 }
473
474Montgomery_Int& Montgomery_Int::mul_by_8(secure_vector<word>& ws)
475 {
476 m_v.mod_mul(8, m_params->p(), ws);
477 return (*this);
478 }
479
480}
y
static SIMD_4x64 y
Definition: argon2_avx2.cpp:135
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:67
BOTAN_DEBUG_ASSERT
#define BOTAN_DEBUG_ASSERT(expr)
Definition: assert.h:122
Botan::BigInt::mod_mul
BigInt & mod_mul(uint8_t y, const BigInt &mod, secure_vector< word > &ws)
Definition: big_ops2.cpp:121
Botan::BigInt::sig_words
size_t sig_words() const
Definition: bigint.h:615
Botan::BigInt::mutable_data
word * mutable_data()
Definition: bigint.h:643
Botan::BigInt::size
size_t size() const
Definition: bigint.h:609
Botan::BigInt::grow_to
void grow_to(size_t n) const
Definition: bigint.h:665
Botan::BigInt::set_words
void set_words(const word w[], size_t len)
Definition: bigint.h:547
Botan::BigInt::mod_add
BigInt & mod_add(const BigInt &y, const BigInt &mod, secure_vector< word > &ws)
Definition: big_ops2.cpp:50
Botan::BigInt::data
const word * data() const
Definition: bigint.h:649
Botan::BigInt::word_at
word word_at(size_t n) const
Definition: bigint.h:537
Botan::BigInt::mod_sub
BigInt & mod_sub(const BigInt &y, const BigInt &mod, secure_vector< word > &ws)
Definition: big_ops2.cpp:94
Botan::BigInt::is_even
bool is_even() const
Definition: bigint.h:416
Botan::BigInt::power_of_2
static BigInt power_of_2(size_t n)
Definition: bigint.h:768
Botan::BigInt::encode_1363
static secure_vector< uint8_t > encode_1363(const BigInt &n, size_t bytes)
Definition: big_code.cpp:107
Botan::BigInt::is_zero
bool is_zero() const
Definition: bigint.h:434
Botan::BigInt::with_capacity
static BigInt with_capacity(size_t n)
Definition: bigint.cpp:60
Botan::Internal_Error
Definition: exceptn.h:339
Botan::Invalid_Argument
Definition: exceptn.h:133
Botan::Modular_Reducer
Definition: reducer.h:19
Botan::Modular_Reducer::square
BigInt square(const BigInt &x) const
Definition: reducer.h:46
Botan::Modular_Reducer::multiply
BigInt multiply(const BigInt &x, const BigInt &y) const
Definition: reducer.h:31
Botan::Modular_Reducer::reduce
BigInt reduce(const BigInt &x) const
Definition: reducer.cpp:37
Botan::Montgomery_Int
Definition: monty.h:29
Botan::Montgomery_Int::size
size_t size() const
Definition: monty.cpp:322
Botan::Montgomery_Int::operator*=
Montgomery_Int & operator*=(const Montgomery_Int &other)
Definition: monty.cpp:409
Botan::Montgomery_Int::Montgomery_Int
Montgomery_Int(std::shared_ptr< const Montgomery_Params > params)
Definition: monty.h:34
Botan::Montgomery_Int::operator==
bool operator==(const Montgomery_Int &other) const
Definition: monty.cpp:310
Botan::Montgomery_Int::is_one
bool is_one() const
Definition: monty.cpp:327
Botan::Montgomery_Int::add
Montgomery_Int & add(const Montgomery_Int &other, secure_vector< word > &ws)
Definition: monty.cpp:365
Botan::Montgomery_Int::operator+=
Montgomery_Int & operator+=(const Montgomery_Int &other)
Definition: monty.cpp:359
Botan::Montgomery_Int::operator-=
Montgomery_Int & operator-=(const Montgomery_Int &other)
Definition: monty.cpp:371
Botan::Montgomery_Int::square
Montgomery_Int square(secure_vector< word > &ws) const
Definition: monty.cpp:434
Botan::Montgomery_Int::cube
Montgomery_Int cube(secure_vector< word > &ws) const
Definition: monty.cpp:439
Botan::Montgomery_Int::additive_inverse
Montgomery_Int additive_inverse() const
Definition: monty.cpp:451
Botan::Montgomery_Int::operator*
Montgomery_Int operator*(const Montgomery_Int &other) const
Definition: monty.cpp:383
Botan::Montgomery_Int::mul_by_3
Montgomery_Int & mul_by_3(secure_vector< word > &ws)
Definition: monty.cpp:462
Botan::Montgomery_Int::mul_by_8
Montgomery_Int & mul_by_8(secure_vector< word > &ws)
Definition: monty.cpp:474
Botan::Montgomery_Int::mul_by_2
Montgomery_Int & mul_by_2(secure_vector< word > &ws)
Definition: monty.cpp:456
Botan::Montgomery_Int::sub
Montgomery_Int & sub(const Montgomery_Int &other, secure_vector< word > &ws)
Definition: monty.cpp:377
Botan::Montgomery_Int::operator-
Montgomery_Int operator-(const Montgomery_Int &other) const
Definition: monty.cpp:351
Botan::Montgomery_Int::operator+
Montgomery_Int operator+(const Montgomery_Int &other) const
Definition: monty.cpp:343
Botan::Montgomery_Int::is_zero
bool is_zero() const
Definition: monty.cpp:332
Botan::Montgomery_Int::value
BigInt value() const
Definition: monty.cpp:337
Botan::Montgomery_Int::square_this_n_times
Montgomery_Int & square_this_n_times(secure_vector< word > &ws, size_t n)
Definition: monty.cpp:421
Botan::Montgomery_Int::mul_by_4
Montgomery_Int & mul_by_4(secure_vector< word > &ws)
Definition: monty.cpp:468
Botan::Montgomery_Int::fix_size
void fix_size()
Definition: monty.cpp:300
Botan::Montgomery_Int::square_this
Montgomery_Int & square_this(secure_vector< word > &ws)
Definition: monty.cpp:428
Botan::Montgomery_Int::multiplicative_inverse
Montgomery_Int multiplicative_inverse() const
Definition: monty.cpp:444
Botan::Montgomery_Int::mul
Montgomery_Int mul(const Montgomery_Int &other, secure_vector< word > &ws) const
Definition: monty.cpp:389
Botan::Montgomery_Int::mul_by
Montgomery_Int & mul_by(const Montgomery_Int &other, secure_vector< word > &ws)
Definition: monty.cpp:395
Botan::Montgomery_Int::serialize
std::vector< uint8_t > serialize() const
Definition: monty.cpp:315
Botan::Montgomery_Params::redc
BigInt redc(const BigInt &x, secure_vector< word > &ws) const
Definition: monty.cpp:86
Botan::Montgomery_Params::mul_by
void mul_by(BigInt &x, const secure_vector< word > &y, secure_vector< word > &ws) const
Definition: monty.cpp:150
Botan::Montgomery_Params::mul
BigInt mul(const BigInt &x, const BigInt &y, secure_vector< word > &ws) const
Definition: monty.cpp:103
Botan::Montgomery_Params::sqr
BigInt sqr(const BigInt &x, secure_vector< word > &ws) const
Definition: monty.cpp:206
Botan::Montgomery_Params::inv_mod_p
BigInt inv_mod_p(const BigInt &x) const
Definition: monty.cpp:80
Botan::Montgomery_Params::Montgomery_Params
Montgomery_Params(const BigInt &p, const Modular_Reducer &mod_p)
Definition: monty.cpp:44
Botan::Montgomery_Params::square_this
void square_this(BigInt &x, secure_vector< word > &ws) const
Definition: monty.cpp:228
Botan::Montgomery_Params::p
const BigInt & p() const
Definition: monty.h:153
BOTAN_MP_WORD_BITS
#define BOTAN_MP_WORD_BITS
Definition: build.h:50
Botan
Definition: alg_id.cpp:12
Botan::MP_WORD_MAX
const word MP_WORD_MAX
Definition: mp_core.h:22
Botan::bigint_monty_redc
void bigint_monty_redc(word z[], const word p[], size_t p_size, word p_dash, word ws[], size_t ws_size)
Definition: mp_core.h:823
Botan::bigint_sqr
void bigint_sqr(word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, word workspace[], size_t ws_size)
Definition: mp_karat.cpp:356
Botan::bigint_mul
void bigint_mul(word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, const word y[], size_t y_size, size_t y_sw, word workspace[], size_t ws_size)
Definition: mp_karat.cpp:297
Botan::monty_inverse
word monty_inverse(word a)
Definition: monty.cpp:15
Botan::copy_mem
constexpr void copy_mem(T *out, const T *in, size_t n)
Definition: mem_ops.h:126
Botan::inverse_mod
BigInt inverse_mod(const BigInt &n, const BigInt &mod)
Definition: mod_inv.cpp:177
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:64
std
Definition: bigint.h:1092
Generated by doxygen 1.9.6