doxygen/mp__monty_8cpp_source.html

/*

* Montgomery Reduction

* (C) 1999-2011 Jack Lloyd

*     2006 Luca Piccarreta

*     2016 Matthias Gierlings

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/internal/mp_core.h>

#include <botan/internal/ct_utils.h>

#include <botan/mem_ops.h>

#include <botan/exceptn.h>


namespace Botan {


/*

* Montgomery reduction - product scanning form

*

* https://www.iacr.org/archive/ches2005/006.pdf

* https://eprint.iacr.org/2013/882.pdf

* https://www.microsoft.com/en-us/research/wp-content/uploads/1996/01/j37acmon.pdf

*/

void bigint_monty_redc_generic(word z[], size_t z_size,

                               const word p[], size_t p_size, word p_dash,

                               word ws[])

   {

   word w2 = 0, w1 = 0, w0 = 0;


   w0 = z[0];


   ws[0] = w0 * p_dash;


   word3_muladd(&w2, &w1, &w0, ws[0], p[0]);


   w0 = w1;

   w1 = w2;

   w2 = 0;


   for(size_t i = 1; i != p_size; ++i)

      {

      for(size_t j = 0; j < i; ++j)

         {

         word3_muladd(&w2, &w1, &w0, ws[j], p[i-j]);

         }


      word3_add(&w2, &w1, &w0, z[i]);


      ws[i] = w0 * p_dash;


      word3_muladd(&w2, &w1, &w0, ws[i], p[0]);


      w0 = w1;

      w1 = w2;

      w2 = 0;

      }


   for(size_t i = 0; i != p_size; ++i)

      {

      for(size_t j = i + 1; j != p_size; ++j)

         {

         word3_muladd(&w2, &w1, &w0, ws[j], p[p_size + i-j]);

         }


      word3_add(&w2, &w1, &w0, z[p_size+i]);


      ws[i] = w0;

      w0 = w1;

      w1 = w2;

      w2 = 0;

      }


   word3_add(&w2, &w1, &w0, z[z_size-1]);


   ws[p_size] = w0;

   ws[p_size+1] = w1;


   /*

   * The result might need to be reduced mod p. To avoid a timing

   * channel, always perform the subtraction. If in the compution

   * of x - p a borrow is required then x was already < p.

   *

   * x starts at ws[0] and is p_size+1 bytes long.

   * x - p starts at ws[p_size+1] and is also p_size+1 bytes log

   *

   * Select which address to copy from indexing off of the final

   * borrow.

   */


   word borrow = bigint_sub3(ws + p_size + 1, ws, p_size + 1, p, p_size);


   BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);


   CT::conditional_copy_mem(borrow, z, ws, ws + (p_size + 1), (p_size + 1));

   clear_mem(z + p_size, z_size - p_size - 2);

   }


}

BOTAN_DEBUG_ASSERT
#define BOTAN_DEBUG_ASSERT(expr)
Definition: assert.h:122

Botan::CT::conditional_copy_mem
Mask< T > conditional_copy_mem(T cnd, T *to, const T *from0, const T *from1, size_t elems)
Definition: ct_utils.h:360

Botan
Definition: alg_id.cpp:13

Botan::word3_muladd
void word3_muladd(word *w2, word *w1, word *w0, word x, word y)
Definition: mp_asmi.h:566

Botan::word3_add
void word3_add(word *w2, word *w1, word *w0, word x)
Definition: mp_asmi.h:614

Botan::bigint_monty_redc_generic
void bigint_monty_redc_generic(word z[], size_t z_size, const word p[], size_t p_size, word p_dash, word ws[])
Definition: mp_monty.cpp:24

Botan::bigint_sub3
word bigint_sub3(word z[], const word x[], size_t x_size, const word y[], size_t y_size)
Definition: mp_core.h:342

Botan::clear_mem
constexpr void clear_mem(T *ptr, size_t n)
Definition: mem_ops.h:115