Botan 3.6.1
Crypto and TLS for C&
mp_karat.cpp
Go to the documentation of this file.
1/*
2* Multiplication and Squaring
3* (C) 1999-2010,2018 Jack Lloyd
4* 2016 Matthias Gierlings
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/mp_core.h>
10
11#include <botan/exceptn.h>
12#include <botan/mem_ops.h>
13#include <botan/internal/ct_utils.h>
14
15namespace Botan {
16
17/*
18* Simple O(N^2) Multiplication
19*/
20void basecase_mul(word z[], size_t z_size, const word x[], size_t x_size, const word y[], size_t y_size) {
21 if(z_size < x_size + y_size) {
22 throw Invalid_Argument("basecase_mul z_size too small");
23 }
24
25 const size_t x_size_8 = x_size - (x_size % 8);
26
27 clear_mem(z, z_size);
28
29 for(size_t i = 0; i != y_size; ++i) {
30 const word y_i = y[i];
31
32 word carry = 0;
33
34 for(size_t j = 0; j != x_size_8; j += 8) {
35 carry = word8_madd3(z + i + j, x + j, y_i, carry);
36 }
37
38 for(size_t j = x_size_8; j != x_size; ++j) {
39 z[i + j] = word_madd3(x[j], y_i, z[i + j], &carry);
40 }
41
42 z[x_size + i] = carry;
43 }
44}
45
46void basecase_sqr(word z[], size_t z_size, const word x[], size_t x_size) {
47 if(z_size < 2 * x_size) {
48 throw Invalid_Argument("basecase_sqr z_size too small");
49 }
50
51 const size_t x_size_8 = x_size - (x_size % 8);
52
53 clear_mem(z, z_size);
54
55 for(size_t i = 0; i != x_size; ++i) {
56 const word x_i = x[i];
57
58 word carry = 0;
59
60 for(size_t j = 0; j != x_size_8; j += 8) {
61 carry = word8_madd3(z + i + j, x + j, x_i, carry);
62 }
63
64 for(size_t j = x_size_8; j != x_size; ++j) {
65 z[i + j] = word_madd3(x[j], x_i, z[i + j], &carry);
66 }
67
68 z[x_size + i] = carry;
69 }
70}
71
72namespace {
73
74const size_t KARATSUBA_MULTIPLY_THRESHOLD = 32;
75const size_t KARATSUBA_SQUARE_THRESHOLD = 32;
76
77/*
78* Karatsuba Multiplication Operation
79*/
80void karatsuba_mul(word z[], const word x[], const word y[], size_t N, word workspace[]) {
81 if(N < KARATSUBA_MULTIPLY_THRESHOLD || N % 2) {
82 switch(N) {
83 case 6:
84 return bigint_comba_mul6(z, x, y);
85 case 8:
86 return bigint_comba_mul8(z, x, y);
87 case 9:
88 return bigint_comba_mul9(z, x, y);
89 case 16:
90 return bigint_comba_mul16(z, x, y);
91 case 24:
92 return bigint_comba_mul24(z, x, y);
93 default:
94 return basecase_mul(z, 2 * N, x, N, y, N);
95 }
96 }
97
98 const size_t N2 = N / 2;
99
100 const word* x0 = x;
101 const word* x1 = x + N2;
102 const word* y0 = y;
103 const word* y1 = y + N2;
104 word* z0 = z;
105 word* z1 = z + N;
106
107 word* ws0 = workspace;
108 word* ws1 = workspace + N;
109
110 clear_mem(workspace, 2 * N);
111
112 /*
113 * If either of cmp0 or cmp1 is zero then z0 or z1 resp is zero here,
114 * resulting in a no-op - z0*z1 will be equal to zero so we don't need to do
115 * anything, clear_mem above already set the correct result.
116 *
117 * However we ignore the result of the comparisons and always perform the
118 * subtractions and recursively multiply to avoid the timing channel.
119 */
120
121 // First compute (X_lo - X_hi)*(Y_hi - Y_lo)
122 const auto cmp0 = bigint_sub_abs(z0, x0, x1, N2, workspace);
123 const auto cmp1 = bigint_sub_abs(z1, y1, y0, N2, workspace);
124 const auto neg_mask = ~(cmp0 ^ cmp1);
125
126 karatsuba_mul(ws0, z0, z1, N2, ws1);
127
128 // Compute X_lo * Y_lo
129 karatsuba_mul(z0, x0, y0, N2, ws1);
130
131 // Compute X_hi * Y_hi
132 karatsuba_mul(z1, x1, y1, N2, ws1);
133
134 const word ws_carry = bigint_add3_nc(ws1, z0, N, z1, N);
135 word z_carry = bigint_add2_nc(z + N2, N, ws1, N);
136
137 z_carry += bigint_add2_nc(z + N + N2, N2, &ws_carry, 1);
138 bigint_add2_nc(z + N + N2, N2, &z_carry, 1);
139
140 clear_mem(workspace + N, N2);
141
142 bigint_cnd_add_or_sub(neg_mask, z + N2, workspace, 2 * N - N2);
143}
144
145/*
146* Karatsuba Squaring Operation
147*/
148void karatsuba_sqr(word z[], const word x[], size_t N, word workspace[]) {
149 if(N < KARATSUBA_SQUARE_THRESHOLD || N % 2) {
150 switch(N) {
151 case 6:
152 return bigint_comba_sqr6(z, x);
153 case 8:
154 return bigint_comba_sqr8(z, x);
155 case 9:
156 return bigint_comba_sqr9(z, x);
157 case 16:
158 return bigint_comba_sqr16(z, x);
159 case 24:
160 return bigint_comba_sqr24(z, x);
161 default:
162 return basecase_sqr(z, 2 * N, x, N);
163 }
164 }
165
166 const size_t N2 = N / 2;
167
168 const word* x0 = x;
169 const word* x1 = x + N2;
170 word* z0 = z;
171 word* z1 = z + N;
172
173 word* ws0 = workspace;
174 word* ws1 = workspace + N;
175
176 clear_mem(workspace, 2 * N);
177
178 // See comment in karatsuba_mul
179 bigint_sub_abs(z0, x0, x1, N2, workspace);
180 karatsuba_sqr(ws0, z0, N2, ws1);
181
182 karatsuba_sqr(z0, x0, N2, ws1);
183 karatsuba_sqr(z1, x1, N2, ws1);
184
185 const word ws_carry = bigint_add3_nc(ws1, z0, N, z1, N);
186 word z_carry = bigint_add2_nc(z + N2, N, ws1, N);
187
188 z_carry += bigint_add2_nc(z + N + N2, N2, &ws_carry, 1);
189 bigint_add2_nc(z + N + N2, N2, &z_carry, 1);
190
191 /*
192 * This is only actually required if cmp (result of bigint_sub_abs) is != 0,
193 * however if cmp==0 then ws0[0:N] == 0 and avoiding the jump hides a
194 * timing channel.
195 */
196 bigint_sub2(z + N2, 2 * N - N2, ws0, N);
197}
198
199/*
200* Pick a good size for the Karatsuba multiply
201*/
202size_t karatsuba_size(size_t z_size, size_t x_size, size_t x_sw, size_t y_size, size_t y_sw) {
203 if(x_sw > x_size || x_sw > y_size || y_sw > x_size || y_sw > y_size) {
204 return 0;
205 }
206
207 if(((x_size == x_sw) && (x_size % 2)) || ((y_size == y_sw) && (y_size % 2))) {
208 return 0;
209 }
210
211 const size_t start = (x_sw > y_sw) ? x_sw : y_sw;
212 const size_t end = (x_size < y_size) ? x_size : y_size;
213
214 if(start == end) {
215 if(start % 2) {
216 return 0;
217 }
218 return start;
219 }
220
221 for(size_t j = start; j <= end; ++j) {
222 if(j % 2) {
223 continue;
224 }
225
226 if(2 * j > z_size) {
227 return 0;
228 }
229
230 if(x_sw <= j && j <= x_size && y_sw <= j && j <= y_size) {
231 if(j % 4 == 2 && (j + 2) <= x_size && (j + 2) <= y_size && 2 * (j + 2) <= z_size) {
232 return j + 2;
233 }
234 return j;
235 }
236 }
237
238 return 0;
239}
240
241/*
242* Pick a good size for the Karatsuba squaring
243*/
244size_t karatsuba_size(size_t z_size, size_t x_size, size_t x_sw) {
245 if(x_sw == x_size) {
246 if(x_sw % 2) {
247 return 0;
248 }
249 return x_sw;
250 }
251
252 for(size_t j = x_sw; j <= x_size; ++j) {
253 if(j % 2) {
254 continue;
255 }
256
257 if(2 * j > z_size) {
258 return 0;
259 }
260
261 if(j % 4 == 2 && (j + 2) <= x_size && 2 * (j + 2) <= z_size) {
262 return j + 2;
263 }
264 return j;
265 }
266
267 return 0;
268}
269
270template <size_t SZ>
271inline bool sized_for_comba_mul(size_t x_sw, size_t x_size, size_t y_sw, size_t y_size, size_t z_size) {
272 return (x_sw <= SZ && x_size >= SZ && y_sw <= SZ && y_size >= SZ && z_size >= 2 * SZ);
273}
274
275template <size_t SZ>
276inline bool sized_for_comba_sqr(size_t x_sw, size_t x_size, size_t z_size) {
277 return (x_sw <= SZ && x_size >= SZ && z_size >= 2 * SZ);
278}
279
280} // namespace
281
282void bigint_mul(word z[],
283 size_t z_size,
284 const word x[],
285 size_t x_size,
286 size_t x_sw,
287 const word y[],
288 size_t y_size,
289 size_t y_sw,
290 word workspace[],
291 size_t ws_size) {
292 clear_mem(z, z_size);
293
294 if(x_sw == 1) {
295 bigint_linmul3(z, y, y_sw, x[0]);
296 } else if(y_sw == 1) {
297 bigint_linmul3(z, x, x_sw, y[0]);
298 } else if(sized_for_comba_mul<4>(x_sw, x_size, y_sw, y_size, z_size)) {
299 bigint_comba_mul4(z, x, y);
300 } else if(sized_for_comba_mul<6>(x_sw, x_size, y_sw, y_size, z_size)) {
301 bigint_comba_mul6(z, x, y);
302 } else if(sized_for_comba_mul<8>(x_sw, x_size, y_sw, y_size, z_size)) {
303 bigint_comba_mul8(z, x, y);
304 } else if(sized_for_comba_mul<9>(x_sw, x_size, y_sw, y_size, z_size)) {
305 bigint_comba_mul9(z, x, y);
306 } else if(sized_for_comba_mul<16>(x_sw, x_size, y_sw, y_size, z_size)) {
307 bigint_comba_mul16(z, x, y);
308 } else if(sized_for_comba_mul<24>(x_sw, x_size, y_sw, y_size, z_size)) {
309 bigint_comba_mul24(z, x, y);
310 } else if(x_sw < KARATSUBA_MULTIPLY_THRESHOLD || y_sw < KARATSUBA_MULTIPLY_THRESHOLD || !workspace) {
311 basecase_mul(z, z_size, x, x_sw, y, y_sw);
312 } else {
313 const size_t N = karatsuba_size(z_size, x_size, x_sw, y_size, y_sw);
314
315 if(N && z_size >= 2 * N && ws_size >= 2 * N) {
316 karatsuba_mul(z, x, y, N, workspace);
317 } else {
318 basecase_mul(z, z_size, x, x_sw, y, y_sw);
319 }
320 }
321}
322
323/*
324* Squaring Algorithm Dispatcher
325*/
326void bigint_sqr(word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, word workspace[], size_t ws_size) {
327 clear_mem(z, z_size);
328
329 BOTAN_ASSERT(z_size / 2 >= x_sw, "Output size is sufficient");
330
331 if(x_sw == 1) {
332 bigint_linmul3(z, x, x_sw, x[0]);
333 } else if(sized_for_comba_sqr<4>(x_sw, x_size, z_size)) {
334 bigint_comba_sqr4(z, x);
335 } else if(sized_for_comba_sqr<6>(x_sw, x_size, z_size)) {
336 bigint_comba_sqr6(z, x);
337 } else if(sized_for_comba_sqr<8>(x_sw, x_size, z_size)) {
338 bigint_comba_sqr8(z, x);
339 } else if(sized_for_comba_sqr<9>(x_sw, x_size, z_size)) {
340 bigint_comba_sqr9(z, x);
341 } else if(sized_for_comba_sqr<16>(x_sw, x_size, z_size)) {
342 bigint_comba_sqr16(z, x);
343 } else if(sized_for_comba_sqr<24>(x_sw, x_size, z_size)) {
344 bigint_comba_sqr24(z, x);
345 } else if(x_size < KARATSUBA_SQUARE_THRESHOLD || !workspace) {
346 basecase_sqr(z, z_size, x, x_sw);
347 } else {
348 const size_t N = karatsuba_size(z_size, x_size, x_sw);
349
350 if(N && z_size >= 2 * N && ws_size >= 2 * N) {
351 karatsuba_sqr(z, x, N, workspace);
352 } else {
353 basecase_sqr(z, z_size, x, x_sw);
354 }
355 }
356}
357
358} // namespace Botan
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:50
Botan::Invalid_Argument
Definition exceptn.h:131
Botan::bigint_linmul3
constexpr void bigint_linmul3(W z[], const W x[], size_t x_size, W y)
Definition mp_core.h:569
Botan::basecase_sqr
BOTAN_FUZZER_API void basecase_sqr(word z[], size_t z_size, const word x[], size_t x_size)
Definition mp_karat.cpp:46
Botan::bigint_comba_sqr4
void bigint_comba_sqr4(word z[8], const word x[4])
Definition mp_comba.cpp:16
Botan::bigint_comba_sqr6
void bigint_comba_sqr6(word z[12], const word x[6])
Definition mp_comba.cpp:74
Botan::word8_madd3
constexpr auto word8_madd3(W z[8], const W x[8], W y, W carry) -> W
Definition mp_asmi.h:463
Botan::bigint_comba_mul4
void bigint_comba_mul4(word z[8], const word x[4], const word y[4])
Definition mp_comba.cpp:42
Botan::bigint_sqr
void bigint_sqr(word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, word workspace[], size_t ws_size)
Definition mp_karat.cpp:326
Botan::bigint_comba_mul16
void bigint_comba_mul16(word z[32], const word x[16], const word y[16])
Definition mp_comba.cpp:794
Botan::bigint_mul
void bigint_mul(word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, const word y[], size_t y_size, size_t y_sw, word workspace[], size_t ws_size)
Definition mp_karat.cpp:282
Botan::bigint_comba_mul6
void bigint_comba_mul6(word z[12], const word x[6], const word y[6])
Definition mp_comba.cpp:115
Botan::bigint_comba_mul9
void bigint_comba_mul9(word z[18], const word x[9], const word y[9])
Definition mp_comba.cpp:511
Botan::carry
void carry(int64_t &h0, int64_t &h1)
Definition ed25519_internal.h:28
Botan::bigint_comba_mul24
void bigint_comba_mul24(word z[48], const word x[24], const word y[24])
Definition mp_comba.cpp:1446
Botan::bigint_sub_abs
constexpr auto bigint_sub_abs(W z[], const W x[], const W y[], size_t N, W ws[]) -> CT::Mask< W >
Definition mp_core.h:439
Botan::bigint_sub2
constexpr auto bigint_sub2(W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:291
Botan::bigint_comba_sqr8
void bigint_comba_sqr8(word z[16], const word x[8])
Definition mp_comba.cpp:292
Botan::bigint_comba_sqr16
void bigint_comba_sqr16(word z[32], const word x[16])
Definition mp_comba.cpp:618
Botan::bigint_cnd_add_or_sub
constexpr void bigint_cnd_add_or_sub(CT::Mask< W > mask, W x[], const W y[], size_t size)
Definition mp_core.h:129
Botan::bigint_comba_sqr9
void bigint_comba_sqr9(word z[18], const word x[9])
Definition mp_comba.cpp:440
Botan::bigint_add2_nc
constexpr auto bigint_add2_nc(W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:206
Botan::basecase_mul
BOTAN_FUZZER_API void basecase_mul(word z[], size_t z_size, const word x[], size_t x_size, const word y[], size_t y_size)
Definition mp_karat.cpp:20
Botan::bigint_comba_sqr24
void bigint_comba_sqr24(word z[48], const word x[24])
Definition mp_comba.cpp:1090
Botan::bigint_comba_mul8
void bigint_comba_mul8(word z[16], const word x[8], const word y[8])
Definition mp_comba.cpp:352
Botan::clear_mem
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:120
Botan::word_madd3
constexpr auto word_madd3(W a, W b, W c, W *d) -> W
Definition mp_asmi.h:92
Botan::bigint_add3_nc
constexpr auto bigint_add3_nc(W z[], const W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:232
Generated by doxygen 1.12.0