Botan 3.7.1
Crypto and TLS for C&
monty_exp.cpp
Go to the documentation of this file.
1/*
2* Montgomery Exponentiation
3* (C) 1999-2010,2012,2018,2025 Jack Lloyd
4* 2016 Matthias Gierlings
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/monty_exp.h>
10
11#include <botan/internal/ct_utils.h>
12#include <botan/internal/monty.h>
13#include <botan/internal/rounding.h>
14
15namespace Botan {
16
17class Montgomery_Exponentation_State final {
18 public:
19 Montgomery_Exponentation_State(const Montgomery_Int& g, size_t window_bits, bool const_time);
20
21 Montgomery_Int exponentiation(const BigInt& k, size_t max_k_bits) const;
22
23 Montgomery_Int exponentiation_vartime(const BigInt& k) const;
24
25 private:
26 std::shared_ptr<const Montgomery_Params> m_params;
27 std::vector<Montgomery_Int> m_g;
28 size_t m_window_bits;
29};
30
31Montgomery_Exponentation_State::Montgomery_Exponentation_State(const Montgomery_Int& g,
32 size_t window_bits,
33 bool const_time) :
34 m_params(g._params()), m_window_bits(window_bits == 0 ? 4 : window_bits) {
35 if(m_window_bits < 1 || m_window_bits > 12) { // really even 8 is too large ...
36 throw Invalid_Argument("Invalid window bits for Montgomery exponentiation");
37 }
38
39 const size_t window_size = (static_cast<size_t>(1) << m_window_bits);
40
41 m_g.reserve(window_size);
42
43 m_g.push_back(Montgomery_Int::one(m_params));
44
45 m_g.push_back(g);
46
47 for(size_t i = 2; i != window_size; ++i) {
48 m_g.push_back(m_g[1] * m_g[i - 1]);
49 }
50
51 // Resize each element to exactly p words
52 for(auto& x : m_g) {
53 x.fix_size();
54 }
55
56 if(const_time) {
57 CT::poison_range(m_g);
58 }
59}
60
61namespace {
62
63void const_time_lookup(secure_vector<word>& output, const std::vector<Montgomery_Int>& g, size_t nibble) {
64 BOTAN_ASSERT_NOMSG(g.size() % 2 == 0); // actually a power of 2
65
66 const size_t words = output.size();
67
68 clear_mem(output.data(), output.size());
69
70 for(size_t i = 0; i != g.size(); i += 2) {
71 const secure_vector<word>& vec_0 = g[i].repr().get_word_vector();
72 const secure_vector<word>& vec_1 = g[i + 1].repr().get_word_vector();
73
74 BOTAN_ASSERT_NOMSG(vec_0.size() >= words && vec_1.size() >= words);
75
76 const auto mask_0 = CT::Mask<word>::is_equal(nibble, i);
77 const auto mask_1 = CT::Mask<word>::is_equal(nibble, i + 1);
78
79 for(size_t w = 0; w != words; ++w) {
80 output[w] |= mask_0.if_set_return(vec_0[w]);
81 output[w] |= mask_1.if_set_return(vec_1[w]);
82 }
83 }
84}
85
86} // namespace
87
88Montgomery_Int Montgomery_Exponentation_State::exponentiation(const BigInt& scalar, size_t max_k_bits) const {
89 BOTAN_DEBUG_ASSERT(scalar.bits() <= max_k_bits);
90 // TODO add a const-time implementation of above assert and use it in release builds
91
92 const size_t exp_nibbles = (max_k_bits + m_window_bits - 1) / m_window_bits;
93
94 if(exp_nibbles == 0) {
95 return Montgomery_Int::one(m_params);
96 }
97
98 secure_vector<word> e_bits(m_params->p_words());
99 secure_vector<word> ws;
100
101 const_time_lookup(e_bits, m_g, scalar.get_substring(m_window_bits * (exp_nibbles - 1), m_window_bits));
102 Montgomery_Int x(m_params, e_bits.data(), e_bits.size(), false);
103
104 for(size_t i = exp_nibbles - 1; i > 0; --i) {
105 x.square_this_n_times(ws, m_window_bits);
106 const_time_lookup(e_bits, m_g, scalar.get_substring(m_window_bits * (i - 1), m_window_bits));
107 x.mul_by(e_bits, ws);
108 }
109
110 CT::unpoison(x);
111 return x;
112}
113
114Montgomery_Int Montgomery_Exponentation_State::exponentiation_vartime(const BigInt& scalar) const {
115 const size_t exp_nibbles = (scalar.bits() + m_window_bits - 1) / m_window_bits;
116
117 secure_vector<word> ws;
118
119 if(exp_nibbles == 0) {
120 return Montgomery_Int::one(m_params);
121 }
122
123 Montgomery_Int x = m_g[scalar.get_substring(m_window_bits * (exp_nibbles - 1), m_window_bits)];
124
125 for(size_t i = exp_nibbles - 1; i > 0; --i) {
126 x.square_this_n_times(ws, m_window_bits);
127
128 const uint32_t nibble = scalar.get_substring(m_window_bits * (i - 1), m_window_bits);
129 if(nibble > 0) {
130 x.mul_by(m_g[nibble], ws);
131 }
132 }
133
134 CT::unpoison(x);
135 return x;
136}
137
138std::shared_ptr<const Montgomery_Exponentation_State> monty_precompute(const Montgomery_Int& g,
139 size_t window_bits,
140 bool const_time) {
141 return std::make_shared<const Montgomery_Exponentation_State>(g, window_bits, const_time);
142}
143
144std::shared_ptr<const Montgomery_Exponentation_State> monty_precompute(
145 const std::shared_ptr<const Montgomery_Params>& params, const BigInt& g, size_t window_bits, bool const_time) {
146 BOTAN_ARG_CHECK(g < params->p(), "Montgomery base too big");
147 Montgomery_Int monty_g(params, g);
148 return monty_precompute(monty_g, window_bits, const_time);
149}
150
151Montgomery_Int monty_execute(const Montgomery_Exponentation_State& precomputed_state,
152 const BigInt& k,
153 size_t max_k_bits) {
154 return precomputed_state.exponentiation(k, max_k_bits);
155}
156
157Montgomery_Int monty_execute_vartime(const Montgomery_Exponentation_State& precomputed_state, const BigInt& k) {
158 return precomputed_state.exponentiation_vartime(k);
159}
160
161Montgomery_Int monty_multi_exp(const std::shared_ptr<const Montgomery_Params>& params_p,
162 const BigInt& x_bn,
163 const BigInt& z1,
164 const BigInt& y_bn,
165 const BigInt& z2) {
166 if(z1.is_negative() || z2.is_negative()) {
167 throw Invalid_Argument("multi_exponentiate exponents must be positive");
168 }
169
170 const size_t z_bits = round_up(std::max(z1.bits(), z2.bits()), 2);
171
172 secure_vector<word> ws;
173
174 const Montgomery_Int one(params_p, params_p->R1(), false);
175 //const Montgomery_Int one(params_p, 1);
176
177 const Montgomery_Int x1(params_p, x_bn);
178 const Montgomery_Int x2 = x1.square(ws);
179 const Montgomery_Int x3 = x2.mul(x1, ws);
180
181 const Montgomery_Int y1(params_p, y_bn);
182 const Montgomery_Int y2 = y1.square(ws);
183 const Montgomery_Int y3 = y2.mul(y1, ws);
184
185 const Montgomery_Int y1x1 = y1.mul(x1, ws);
186 const Montgomery_Int y1x2 = y1.mul(x2, ws);
187 const Montgomery_Int y1x3 = y1.mul(x3, ws);
188
189 const Montgomery_Int y2x1 = y2.mul(x1, ws);
190 const Montgomery_Int y2x2 = y2.mul(x2, ws);
191 const Montgomery_Int y2x3 = y2.mul(x3, ws);
192
193 const Montgomery_Int y3x1 = y3.mul(x1, ws);
194 const Montgomery_Int y3x2 = y3.mul(x2, ws);
195 const Montgomery_Int y3x3 = y3.mul(x3, ws);
196
197 const Montgomery_Int* M[16] = {&one,
198 &x1, // 0001
199 &x2, // 0010
200 &x3, // 0011
201 &y1, // 0100
202 &y1x1,
203 &y1x2,
204 &y1x3,
205 &y2, // 1000
206 &y2x1,
207 &y2x2,
208 &y2x3,
209 &y3, // 1100
210 &y3x1,
211 &y3x2,
212 &y3x3};
213
214 Montgomery_Int H = one;
215
216 for(size_t i = 0; i != z_bits; i += 2) {
217 if(i > 0) {
218 H.square_this(ws);
219 H.square_this(ws);
220 }
221
222 const uint32_t z1_b = z1.get_substring(z_bits - i - 2, 2);
223 const uint32_t z2_b = z2.get_substring(z_bits - i - 2, 2);
224
225 const uint32_t z12 = (4 * z2_b) + z1_b;
226
227 H.mul_by(*M[z12], ws);
228 }
229
230 return H;
231}
232
233} // namespace Botan
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
BOTAN_DEBUG_ASSERT
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:98
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29
Botan::BigInt::bits
size_t bits() const
Definition bigint.cpp:295
Botan::BigInt::is_negative
bool is_negative() const
Definition bigint.h:560
Botan::BigInt::get_substring
uint32_t get_substring(size_t offset, size_t length) const
Definition bigint.cpp:227
Botan::Invalid_Argument
Definition exceptn.h:131
Botan::Montgomery_Int
Definition monty.h:23
Botan::Montgomery_Int::square
Montgomery_Int square(secure_vector< word > &ws) const
Definition monty.cpp:425
Botan::Montgomery_Int::square_this
Montgomery_Int & square_this(secure_vector< word > &ws)
Definition monty.cpp:420
Botan::Montgomery_Int::mul
Montgomery_Int mul(const Montgomery_Int &other, secure_vector< word > &ws) const
Definition monty.cpp:386
Botan::Montgomery_Int::mul_by
Montgomery_Int & mul_by(const Montgomery_Int &other, secure_vector< word > &ws)
Definition monty.cpp:391
final
int(* final)(unsigned char *, CTX *)
Definition commoncrypto_hash.cpp:29
Botan::monty_execute_vartime
Montgomery_Int monty_execute_vartime(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k)
Definition monty_exp.cpp:157
Botan::round_up
constexpr size_t round_up(size_t n, size_t align_to)
Definition rounding.h:25
Botan::monty_execute
Montgomery_Int monty_execute(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
Definition monty_exp.cpp:151
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
Botan::monty_precompute
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute(const Montgomery_Int &g, size_t window_bits, bool const_time)
Definition monty_exp.cpp:138
Botan::clear_mem
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:121
Botan::monty_multi_exp
Montgomery_Int monty_multi_exp(const std::shared_ptr< const Montgomery_Params > &params_p, const BigInt &x_bn, const BigInt &z1, const BigInt &y_bn, const BigInt &z2)
Definition monty_exp.cpp:161
Generated by doxygen 1.12.0