Botan 3.9.0
Crypto and TLS for C&
monty_exp.cpp
Go to the documentation of this file.
1/*
2* Montgomery Exponentiation
3* (C) 1999-2010,2012,2018,2025 Jack Lloyd
4* 2016 Matthias Gierlings
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/monty_exp.h>
10
11#include <botan/mem_ops.h>
12#include <botan/internal/ct_utils.h>
13#include <botan/internal/monty.h>
14#include <botan/internal/rounding.h>
15
16namespace Botan {
17
18class Montgomery_Exponentation_State final {
19 public:
20 Montgomery_Exponentation_State(const Montgomery_Int& g, size_t window_bits, bool const_time);
21
22 Montgomery_Int exponentiation(const BigInt& k, size_t max_k_bits) const;
23
24 Montgomery_Int exponentiation_vartime(const BigInt& k) const;
25
26 private:
27 Montgomery_Params m_params;
28 std::vector<Montgomery_Int> m_g;
29 size_t m_window_bits;
30};
31
32Montgomery_Exponentation_State::Montgomery_Exponentation_State(const Montgomery_Int& g,
33 size_t window_bits,
34 bool const_time) :
35 m_params(g._params()), m_window_bits(window_bits == 0 ? 4 : window_bits) {
36 if(m_window_bits < 1 || m_window_bits > 12) { // really even 8 is too large ...
37 throw Invalid_Argument("Invalid window bits for Montgomery exponentiation");
38 }
39
40 const size_t window_size = (static_cast<size_t>(1) << m_window_bits);
41
42 m_g.reserve(window_size);
43
44 m_g.push_back(Montgomery_Int::one(m_params));
45
46 m_g.push_back(g);
47
48 secure_vector<word> ws(2 * m_params.p_words());
49
50 for(size_t i = 2; i != window_size; ++i) {
51 m_g.push_back(m_g[1].mul(m_g[i - 1], ws));
52 }
53
54 if(const_time) {
55 CT::poison_range(m_g);
56 }
57}
58
59namespace {
60
61void const_time_lookup(secure_vector<word>& output, const std::vector<Montgomery_Int>& g, size_t nibble) {
62 BOTAN_ASSERT_NOMSG(g.size() % 2 == 0); // actually a power of 2
63
64 const size_t words = output.size();
65
66 clear_mem(output.data(), output.size());
67
68 for(size_t i = 0; i != g.size(); i += 2) {
69 const secure_vector<word>& vec_0 = g[i].repr();
70 const secure_vector<word>& vec_1 = g[i + 1].repr();
71
72 BOTAN_ASSERT_NOMSG(vec_0.size() >= words && vec_1.size() >= words);
73
74 const auto mask_0 = CT::Mask<word>::is_equal(nibble, i);
75 const auto mask_1 = CT::Mask<word>::is_equal(nibble, i + 1);
76
77 for(size_t w = 0; w != words; ++w) {
78 output[w] |= mask_0.if_set_return(vec_0[w]);
79 output[w] |= mask_1.if_set_return(vec_1[w]);
80 }
81 }
82}
83
84} // namespace
85
86Montgomery_Int Montgomery_Exponentation_State::exponentiation(const BigInt& scalar, size_t max_k_bits) const {
87 BOTAN_DEBUG_ASSERT(scalar.bits() <= max_k_bits);
88 // TODO add a const-time implementation of above assert and use it in release builds
89
90 const size_t exp_nibbles = (max_k_bits + m_window_bits - 1) / m_window_bits;
91
92 if(exp_nibbles == 0) {
93 return Montgomery_Int::one(m_params);
94 }
95
96 secure_vector<word> e_bits(m_params.p_words());
97 secure_vector<word> ws(2 * m_params.p_words());
98
99 const_time_lookup(e_bits, m_g, scalar.get_substring(m_window_bits * (exp_nibbles - 1), m_window_bits));
100 Montgomery_Int x(m_params, std::span{e_bits});
101
102 for(size_t i = exp_nibbles - 1; i > 0; --i) {
103 x.square_this_n_times(ws, m_window_bits);
104 const_time_lookup(e_bits, m_g, scalar.get_substring(m_window_bits * (i - 1), m_window_bits));
105 x.mul_by(e_bits, ws);
106 }
107
108 CT::unpoison(x);
109 return x;
110}
111
112Montgomery_Int Montgomery_Exponentation_State::exponentiation_vartime(const BigInt& scalar) const {
113 const size_t exp_nibbles = (scalar.bits() + m_window_bits - 1) / m_window_bits;
114
115 secure_vector<word> ws(2 * m_params.p_words());
116
117 if(exp_nibbles == 0) {
118 return Montgomery_Int::one(m_params);
119 }
120
121 Montgomery_Int x = m_g[scalar.get_substring(m_window_bits * (exp_nibbles - 1), m_window_bits)];
122
123 for(size_t i = exp_nibbles - 1; i > 0; --i) {
124 x.square_this_n_times(ws, m_window_bits);
125
126 const uint32_t nibble = scalar.get_substring(m_window_bits * (i - 1), m_window_bits);
127 if(nibble > 0) {
128 x.mul_by(m_g[nibble], ws);
129 }
130 }
131
132 CT::unpoison(x);
133 return x;
134}
135
136std::shared_ptr<const Montgomery_Exponentation_State> monty_precompute(const Montgomery_Int& g,
137 size_t window_bits,
138 bool const_time) {
139 return std::make_shared<const Montgomery_Exponentation_State>(g, window_bits, const_time);
140}
141
142std::shared_ptr<const Montgomery_Exponentation_State> monty_precompute(const Montgomery_Params& params,
143 const BigInt& g,
144 size_t window_bits,
145 bool const_time) {
146 BOTAN_ARG_CHECK(g < params.p(), "Montgomery base too big");
147 Montgomery_Int monty_g(params, g);
148 return monty_precompute(monty_g, window_bits, const_time);
149}
150
151Montgomery_Int monty_execute(const Montgomery_Exponentation_State& precomputed_state,
152 const BigInt& k,
153 size_t max_k_bits) {
154 return precomputed_state.exponentiation(k, max_k_bits);
155}
156
157Montgomery_Int monty_execute_vartime(const Montgomery_Exponentation_State& precomputed_state, const BigInt& k) {
158 return precomputed_state.exponentiation_vartime(k);
159}
160
161Montgomery_Int monty_multi_exp(
162 const Montgomery_Params& params_p, const BigInt& x_bn, const BigInt& z1, const BigInt& y_bn, const BigInt& z2) {
163 if(z1.is_negative() || z2.is_negative()) {
164 throw Invalid_Argument("multi_exponentiate exponents must be positive");
165 }
166
167 const size_t z_bits = round_up(std::max(z1.bits(), z2.bits()), 2);
168
169 secure_vector<word> ws(2 * params_p.p_words());
170
171 const Montgomery_Int one = Montgomery_Int::one(params_p);
172
173 const Montgomery_Int x1(params_p, x_bn);
174 const Montgomery_Int x2 = x1.square(ws);
175 const Montgomery_Int x3 = x2.mul(x1, ws);
176
177 const Montgomery_Int y1(params_p, y_bn);
178 const Montgomery_Int y2 = y1.square(ws);
179 const Montgomery_Int y3 = y2.mul(y1, ws);
180
181 const Montgomery_Int y1x1 = y1.mul(x1, ws);
182 const Montgomery_Int y1x2 = y1.mul(x2, ws);
183 const Montgomery_Int y1x3 = y1.mul(x3, ws);
184
185 const Montgomery_Int y2x1 = y2.mul(x1, ws);
186 const Montgomery_Int y2x2 = y2.mul(x2, ws);
187 const Montgomery_Int y2x3 = y2.mul(x3, ws);
188
189 const Montgomery_Int y3x1 = y3.mul(x1, ws);
190 const Montgomery_Int y3x2 = y3.mul(x2, ws);
191 const Montgomery_Int y3x3 = y3.mul(x3, ws);
192
193 const Montgomery_Int* M[16] = {&one,
194 &x1, // 0001
195 &x2, // 0010
196 &x3, // 0011
197 &y1, // 0100
198 &y1x1,
199 &y1x2,
200 &y1x3,
201 &y2, // 1000
202 &y2x1,
203 &y2x2,
204 &y2x3,
205 &y3, // 1100
206 &y3x1,
207 &y3x2,
208 &y3x3};
209
210 Montgomery_Int H = one;
211
212 for(size_t i = 0; i != z_bits; i += 2) {
213 if(i > 0) {
214 H.square_this_n_times(ws, 2);
215 }
216
217 const uint32_t z1_b = z1.get_substring(z_bits - i - 2, 2);
218 const uint32_t z2_b = z2.get_substring(z_bits - i - 2, 2);
219
220 const uint32_t z12 = (4 * z2_b) + z1_b;
221
222 if(z12 > 0) {
223 H.mul_by(*M[z12], ws);
224 }
225 }
226
227 return H;
228}
229
230} // namespace Botan
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
BOTAN_DEBUG_ASSERT
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:129
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33
Botan::BigInt::bits
size_t bits() const
Definition bigint.cpp:311
Botan::BigInt::is_negative
bool is_negative() const
Definition bigint.h:559
Botan::BigInt::get_substring
uint32_t get_substring(size_t offset, size_t length) const
Definition bigint.cpp:243
Botan::Invalid_Argument
Definition exceptn.h:131
Botan::Montgomery_Int
Definition monty.h:103
Botan::Montgomery_Int::square
Montgomery_Int square(secure_vector< word > &ws) const
Definition monty.cpp:373
Botan::Montgomery_Int::one
static Montgomery_Int one(const Montgomery_Params &params)
Definition monty.cpp:203
Botan::Montgomery_Int::square_this_n_times
Montgomery_Int & square_this_n_times(secure_vector< word > &ws, size_t n)
Definition monty.cpp:344
Botan::Montgomery_Int::mul
Montgomery_Int mul(const Montgomery_Int &other, secure_vector< word > &ws) const
Definition monty.cpp:292
Botan::Montgomery_Int::mul_by
Montgomery_Int & mul_by(const Montgomery_Int &other, secure_vector< word > &ws)
Definition monty.cpp:312
Botan::Montgomery_Params
Definition monty.h:23
Botan::Montgomery_Params::p_words
size_t p_words() const
Definition monty.h:51
Botan::Montgomery_Params::p
const BigInt & p() const
Definition monty.h:41
Botan::monty_execute_vartime
Montgomery_Int monty_execute_vartime(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k)
Definition monty_exp.cpp:157
Botan::round_up
constexpr size_t round_up(size_t n, size_t align_to)
Definition rounding.h:26
Botan::monty_multi_exp
Montgomery_Int monty_multi_exp(const Montgomery_Params &params_p, const BigInt &x_bn, const BigInt &z1, const BigInt &y_bn, const BigInt &z2)
Definition monty_exp.cpp:161
Botan::monty_execute
Montgomery_Int monty_execute(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
Definition monty_exp.cpp:151
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69
Botan::monty_precompute
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute(const Montgomery_Int &g, size_t window_bits, bool const_time)
Definition monty_exp.cpp:136
Botan::clear_mem
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:119
Generated by doxygen 1.14.0