Botan 3.11.0
Crypto and TLS for C&
monty_exp.cpp
Go to the documentation of this file.
1/*
2* Montgomery Exponentiation
3* (C) 1999-2010,2012,2018,2025 Jack Lloyd
4* 2016 Matthias Gierlings
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/monty_exp.h>
10
11#include <botan/exceptn.h>
12#include <botan/mem_ops.h>
13#include <botan/internal/ct_utils.h>
14#include <botan/internal/monty.h>
15#include <botan/internal/rounding.h>
16
17namespace Botan {
18
19class Montgomery_Exponentiation_State final {
20 public:
21 Montgomery_Exponentiation_State(const Montgomery_Int& g, size_t window_bits, bool const_time);
22
23 Montgomery_Int exponentiation(const BigInt& k, size_t max_k_bits) const;
24
25 Montgomery_Int exponentiation_vartime(const BigInt& k) const;
26
27 private:
28 Montgomery_Params m_params;
29 std::vector<Montgomery_Int> m_g;
30 size_t m_window_bits;
31};
32
33Montgomery_Exponentiation_State::Montgomery_Exponentiation_State(const Montgomery_Int& g,
34 size_t window_bits,
35 bool const_time) :
36 m_params(g._params()), m_window_bits(window_bits == 0 ? 4 : window_bits) {
37 if(m_window_bits < 1 || m_window_bits > 12) { // really even 8 is too large ...
38 throw Invalid_Argument("Invalid window bits for Montgomery exponentiation");
39 }
40
41 const size_t window_size = (static_cast<size_t>(1) << m_window_bits);
42
43 m_g.reserve(window_size);
44
45 m_g.push_back(Montgomery_Int::one(m_params));
46
47 m_g.push_back(g);
48
49 secure_vector<word> ws(2 * m_params.p_words());
50
51 for(size_t i = 2; i != window_size; ++i) {
52 if(i % 2 == 0) {
53 m_g.push_back(m_g[i / 2].square(ws));
54 } else {
55 m_g.push_back(m_g[1].mul(m_g[i - 1], ws));
56 }
57 }
58
59 if(const_time) {
60 CT::poison_range(m_g);
61 }
62}
63
64namespace {
65
66void const_time_lookup(secure_vector<word>& output, const std::vector<Montgomery_Int>& g, size_t nibble) {
67 BOTAN_ASSERT_NOMSG(g.size() % 2 == 0); // actually a power of 2
68
69 const size_t words = output.size();
70
71 clear_mem(output.data(), output.size());
72
73 for(size_t i = 0; i != g.size(); i += 2) {
74 const secure_vector<word>& vec_0 = g[i].repr();
75 const secure_vector<word>& vec_1 = g[i + 1].repr();
76
77 BOTAN_ASSERT_NOMSG(vec_0.size() >= words && vec_1.size() >= words);
78
79 const auto mask_0 = CT::Mask<word>::is_equal(nibble, i);
80 const auto mask_1 = CT::Mask<word>::is_equal(nibble, i + 1);
81
82 for(size_t w = 0; w != words; ++w) {
83 output[w] |= mask_0.if_set_return(vec_0[w]);
84 output[w] |= mask_1.if_set_return(vec_1[w]);
85 }
86 }
87}
88
89} // namespace
90
91Montgomery_Int Montgomery_Exponentiation_State::exponentiation(const BigInt& scalar, size_t max_k_bits) const {
92 BOTAN_DEBUG_ASSERT(scalar.bits() <= max_k_bits);
93 // TODO add a const-time implementation of above assert and use it in release builds
94
95 const size_t exp_nibbles = (max_k_bits + m_window_bits - 1) / m_window_bits;
96
97 if(exp_nibbles == 0) {
98 return Montgomery_Int::one(m_params);
99 }
100
101 secure_vector<word> e_bits(m_params.p_words());
102 secure_vector<word> ws(2 * m_params.p_words());
103
104 const_time_lookup(e_bits, m_g, scalar.get_substring(m_window_bits * (exp_nibbles - 1), m_window_bits));
105 Montgomery_Int x(m_params, std::span{e_bits});
106
107 for(size_t i = exp_nibbles - 1; i > 0; --i) {
108 x.square_this_n_times(ws, m_window_bits);
109 const_time_lookup(e_bits, m_g, scalar.get_substring(m_window_bits * (i - 1), m_window_bits));
110 x.mul_by(e_bits, ws);
111 }
112
113 CT::unpoison(x);
114 return x;
115}
116
117Montgomery_Int Montgomery_Exponentiation_State::exponentiation_vartime(const BigInt& scalar) const {
118 const size_t exp_nibbles = (scalar.bits() + m_window_bits - 1) / m_window_bits;
119
120 secure_vector<word> ws(2 * m_params.p_words());
121
122 if(exp_nibbles == 0) {
123 return Montgomery_Int::one(m_params);
124 }
125
126 Montgomery_Int x = m_g[scalar.get_substring(m_window_bits * (exp_nibbles - 1), m_window_bits)];
127
128 for(size_t i = exp_nibbles - 1; i > 0; --i) {
129 x.square_this_n_times(ws, m_window_bits);
130
131 const uint32_t nibble = scalar.get_substring(m_window_bits * (i - 1), m_window_bits);
132 if(nibble > 0) {
133 x.mul_by(m_g[nibble], ws);
134 }
135 }
136
137 CT::unpoison(x);
138 return x;
139}
140
141std::shared_ptr<const Montgomery_Exponentiation_State> monty_precompute(const Montgomery_Int& g,
142 size_t window_bits,
143 bool const_time) {
144 return std::make_shared<const Montgomery_Exponentiation_State>(g, window_bits, const_time);
145}
146
147std::shared_ptr<const Montgomery_Exponentiation_State> monty_precompute(const Montgomery_Params& params,
148 const BigInt& g,
149 size_t window_bits,
150 bool const_time) {
151 BOTAN_ARG_CHECK(g < params.p(), "Montgomery base too big");
152 const Montgomery_Int monty_g(params, g);
153 return monty_precompute(monty_g, window_bits, const_time);
154}
155
156Montgomery_Int monty_execute(const Montgomery_Exponentiation_State& precomputed_state,
157 const BigInt& k,
158 size_t max_k_bits) {
159 return precomputed_state.exponentiation(k, max_k_bits);
160}
161
162Montgomery_Int monty_execute_vartime(const Montgomery_Exponentiation_State& precomputed_state, const BigInt& k) {
163 return precomputed_state.exponentiation_vartime(k);
164}
165
166Montgomery_Int monty_multi_exp(
167 const Montgomery_Params& params_p, const BigInt& x_bn, const BigInt& z1, const BigInt& y_bn, const BigInt& z2) {
168 if(z1.is_negative() || z2.is_negative()) {
169 throw Invalid_Argument("multi_exponentiate exponents must be positive");
170 }
171
172 const size_t z_bits = round_up(std::max(z1.bits(), z2.bits()), 2);
173
174 secure_vector<word> ws(2 * params_p.p_words());
175
176 const Montgomery_Int one = Montgomery_Int::one(params_p);
177
178 const Montgomery_Int x1(params_p, x_bn);
179 const Montgomery_Int x2 = x1.square(ws);
180 const Montgomery_Int x3 = x2.mul(x1, ws);
181
182 const Montgomery_Int y1(params_p, y_bn);
183 const Montgomery_Int y2 = y1.square(ws);
184 const Montgomery_Int y3 = y2.mul(y1, ws);
185
186 const Montgomery_Int y1x1 = y1.mul(x1, ws);
187 const Montgomery_Int y1x2 = y1.mul(x2, ws);
188 const Montgomery_Int y1x3 = y1.mul(x3, ws);
189
190 const Montgomery_Int y2x1 = y2.mul(x1, ws);
191 const Montgomery_Int y2x2 = y2.mul(x2, ws);
192 const Montgomery_Int y2x3 = y2.mul(x3, ws);
193
194 const Montgomery_Int y3x1 = y3.mul(x1, ws);
195 const Montgomery_Int y3x2 = y3.mul(x2, ws);
196 const Montgomery_Int y3x3 = y3.mul(x3, ws);
197
198 // NOLINTNEXTLINE(*-const-correctness) bug in clang-tidy
199 const Montgomery_Int* M[16] = {&one,
200 &x1, // 0001
201 &x2, // 0010
202 &x3, // 0011
203 &y1, // 0100
204 &y1x1,
205 &y1x2,
206 &y1x3,
207 &y2, // 1000
208 &y2x1,
209 &y2x2,
210 &y2x3,
211 &y3, // 1100
212 &y3x1,
213 &y3x2,
214 &y3x3};
215
216 Montgomery_Int H = one;
217
218 for(size_t i = 0; i != z_bits; i += 2) {
219 if(i > 0) {
220 H.square_this_n_times(ws, 2);
221 }
222
223 const uint32_t z1_b = z1.get_substring(z_bits - i - 2, 2);
224 const uint32_t z2_b = z2.get_substring(z_bits - i - 2, 2);
225
226 const uint32_t z12 = (4 * z2_b) + z1_b;
227
228 if(z12 > 0) {
229 H.mul_by(*M[z12], ws);
230 }
231 }
232
233 return H;
234}
235
236} // namespace Botan
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
BOTAN_DEBUG_ASSERT
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:129
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33
Botan::BigInt::bits
size_t bits() const
Definition bigint.cpp:307
Botan::BigInt::is_negative
bool is_negative() const
Definition bigint.h:575
Botan::BigInt::get_substring
uint32_t get_substring(size_t offset, size_t length) const
Definition bigint.cpp:239
Botan::Invalid_Argument
Definition exceptn.h:132
Botan::Montgomery_Int
Definition monty.h:103
Botan::Montgomery_Int::square
Montgomery_Int square(secure_vector< word > &ws) const
Definition monty.cpp:374
Botan::Montgomery_Int::one
static Montgomery_Int one(const Montgomery_Params &params)
Definition monty.cpp:204
Botan::Montgomery_Int::square_this_n_times
Montgomery_Int & square_this_n_times(secure_vector< word > &ws, size_t n)
Definition monty.cpp:345
Botan::Montgomery_Int::mul
Montgomery_Int mul(const Montgomery_Int &other, secure_vector< word > &ws) const
Definition monty.cpp:293
Botan::Montgomery_Int::mul_by
Montgomery_Int & mul_by(const Montgomery_Int &other, secure_vector< word > &ws)
Definition monty.cpp:313
Botan::Montgomery_Params
Definition monty.h:23
Botan::Montgomery_Params::p_words
size_t p_words() const
Definition monty.h:51
Botan::Montgomery_Params::p
const BigInt & p() const
Definition monty.h:41
Botan::monty_precompute
std::shared_ptr< const Montgomery_Exponentiation_State > monty_precompute(const Montgomery_Int &g, size_t window_bits, bool const_time)
Definition monty_exp.cpp:141
Botan::square
BigInt square(const BigInt &x)
Definition numthry.cpp:184
Botan::round_up
constexpr size_t round_up(size_t n, size_t align_to)
Definition rounding.h:26
Botan::monty_multi_exp
Montgomery_Int monty_multi_exp(const Montgomery_Params &params_p, const BigInt &x_bn, const BigInt &z1, const BigInt &y_bn, const BigInt &z2)
Definition monty_exp.cpp:166
Botan::monty_execute_vartime
Montgomery_Int monty_execute_vartime(const Montgomery_Exponentiation_State &precomputed_state, const BigInt &k)
Definition monty_exp.cpp:162
Botan::monty_execute
Montgomery_Int monty_execute(const Montgomery_Exponentiation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
Definition monty_exp.cpp:156
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68
Botan::clear_mem
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:118
Generated by doxygen 1.15.0