Botan  2.6.0
Crypto and TLS for C++11
mp_monty.cpp
Go to the documentation of this file.
1 /*
2 * Montgomery Reduction
3 * (C) 1999-2011 Jack Lloyd
4 * 2006 Luca Piccarreta
5 * 2016 Matthias Gierlings
6 *
7 * Botan is released under the Simplified BSD License (see license.txt)
8 */
9 
10 #include <botan/internal/mp_core.h>
11 #include <botan/internal/mp_madd.h>
12 #include <botan/internal/mp_asmi.h>
13 #include <botan/internal/ct_utils.h>
14 #include <botan/mem_ops.h>
15 #include <botan/exceptn.h>
16 
17 namespace Botan {
18 
19 /*
20 * Montgomery Reduction Algorithm
21 */
22 void bigint_monty_redc(word z[],
23  const word p[], size_t p_size, word p_dash,
24  word ws[], size_t ws_size)
25  {
26  const size_t z_size = 2*(p_size+1);
27 
28  if(ws_size < z_size)
29  throw Invalid_Argument("bigint_monty_redc workspace too small");
30 
31  CT::poison(z, z_size);
32  CT::poison(p, p_size);
33  CT::poison(ws, 2*(p_size+1));
34 
35  /*
36  Montgomery reduction - product scanning form
37 
38  https://www.iacr.org/archive/ches2005/006.pdf
39  https://eprint.iacr.org/2013/882.pdf
40  https://www.microsoft.com/en-us/research/wp-content/uploads/1996/01/j37acmon.pdf
41  */
42 
43  word w2 = 0, w1 = 0, w0 = 0;
44 
45  w0 = z[0];
46 
47  ws[0] = w0 * p_dash;
48 
49  word3_muladd(&w2, &w1, &w0, ws[0], p[0]);
50 
51  w0 = w1;
52  w1 = w2;
53  w2 = 0;
54 
55  for(size_t i = 1; i != p_size; ++i)
56  {
57  for(size_t j = 0; j < i; ++j)
58  {
59  word3_muladd(&w2, &w1, &w0, ws[j], p[i-j]);
60  }
61 
62  word3_add(&w2, &w1, &w0, z[i]);
63 
64  ws[i] = w0 * p_dash;
65 
66  word3_muladd(&w2, &w1, &w0, ws[i], p[0]);
67 
68  w0 = w1;
69  w1 = w2;
70  w2 = 0;
71  }
72 
73  for(size_t i = 0; i != p_size; ++i)
74  {
75  for(size_t j = i + 1; j != p_size; ++j)
76  {
77  word3_muladd(&w2, &w1, &w0, ws[j], p[p_size + i-j]);
78  }
79 
80  word3_add(&w2, &w1, &w0, z[p_size+i]);
81 
82  ws[i] = w0;
83  w0 = w1;
84  w1 = w2;
85  w2 = 0;
86  }
87 
88  word3_add(&w2, &w1, &w0, z[z_size-1]);
89 
90  ws[p_size] = w0;
91  ws[p_size+1] = w1;
92 
93  /*
94  * The result might need to be reduced mod p. To avoid a timing
95  * channel, always perform the subtraction. If in the compution
96  * of x - p a borrow is required then x was already < p.
97  *
98  * x starts at ws[0] and is p_size+1 bytes long.
99  * x - p starts at ws[p_size+1] and is also p_size+1 bytes log
100  *
101  * Select which address to copy from indexing off of the final
102  * borrow.
103  */
104 
105  // word borrow = bigint_sub3(ws + p_size + 1, ws, p_size + 1, p, p_size);
106  word borrow = 0;
107  for(size_t i = 0; i != p_size; ++i)
108  ws[p_size + 1 + i] = word_sub(ws[i], p[i], &borrow);
109  ws[2*p_size+1] = word_sub(ws[p_size], 0, &borrow);
110 
111  CT::conditional_copy_mem(borrow, z, ws, ws + (p_size + 1), (p_size + 1));
112  clear_mem(z + p_size, z_size - p_size - 2);
113 
114  CT::unpoison(z, z_size);
115  CT::unpoison(p, p_size);
116  CT::unpoison(ws, 2*(p_size+1));
117 
118  // This check comes after we've used it but that's ok here
119  CT::unpoison(&borrow, 1);
120  BOTAN_ASSERT(borrow == 0 || borrow == 1, "Expected borrow");
121  }
122 
123 }
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:717
void conditional_copy_mem(T value, T *to, const T *from0, const T *from1, size_t elems)
Definition: ct_utils.h:142
void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:97
void poison(const T *p, size_t n)
Definition: ct_utils.h:46
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:30
void word3_add(word *w2, word *w1, word *w0, word x)
Definition: mp_asmi.h:764
Definition: alg_id.cpp:13
void bigint_monty_redc(word z[], const word p[], size_t p_size, word p_dash, word workspace[], size_t ws_size)
Definition: mp_monty.cpp:22
word word_sub(word x, word y, word *carry)
Definition: mp_asmi.h:280
void unpoison(const T *p, size_t n)
Definition: ct_utils.h:57