Botan Namespace Reference
Namespaces | |
| namespace | AES_AARCH64 |
| namespace | ARIA_F |
| namespace | ASN1 |
| namespace | Camellia_F |
| namespace | Cert_Extension |
| namespace | concepts |
| namespace | CryptoBox |
| namespace | CRYSTALS |
| namespace | CT |
| namespace | detail |
| namespace | Dilithium_Algos |
| namespace | fmt_detail |
| namespace | FPE |
| namespace | HTTP |
| namespace | KeyPair |
| namespace | Kuznyechik_F |
| namespace | Kyber_Algos |
| namespace | OCSP |
| namespace | OIDS |
| namespace | OS |
| namespace | PCurve |
| namespace | PEM_Code |
| namespace | PK_Ops |
| namespace | PKCS11 |
| namespace | PKCS8 |
| namespace | PKIX |
| namespace | ranges |
| namespace | Roughtime |
| namespace | Serpent_F |
| namespace | SHA1_F |
| namespace | SHA1_SSE2_F |
| namespace | Sodium |
| namespace | Threefish_F |
| namespace | TLS |
| namespace | TPM2 |
| namespace | X509 |
Concepts | |
| concept | md_hash_implementation |
| concept | WordType |
| concept | updatable_object |
| concept | appendable_object |
| concept | absorbing_object |
Typedefs | |
| typedef __vector unsigned int | Altivec32x4 |
| typedef __vector unsigned long long | Altivec64x2 |
| typedef __vector unsigned char | Altivec8x16 |
| template<size_t bound> | |
| using | Bounded_XOF = detail::Bounded_XOF<XOF&, bound> |
| using | byte = std::uint8_t |
| typedef int32_t | CCCryptorStatus |
| typedef std::vector< std::set< Certificate_Status_Code > > | CertificatePathStatusCodes |
| typedef X25519_PrivateKey | Curve25519_PrivateKey |
| typedef X25519_PublicKey | Curve25519_PublicKey |
| using | DilithiumCommitmentHash = Strong<std::vector<uint8_t>, struct DilithiumCommitmentHash_> |
| Hash of the message representative and the signer's commitment. | |
| using | DilithiumHashedPublicKey = Strong<std::vector<uint8_t>, struct DilithiumHashedPublicKey_> |
| using | DilithiumInternalKeypair |
| Internal representation of a Dilithium key pair. | |
| using | DilithiumMessageRepresentative = Strong<std::vector<uint8_t>, struct DilithiumMessageRepresentative_> |
| Representation of the message to be signed. | |
| using | DilithiumOptionalRandomness = Strong<secure_vector<uint8_t>, struct DilithiumOptionalRandomness_> |
| Optional randomness 'rnd' used for rho prime computation in ML-DSA. | |
| using | DilithiumPoly = Botan::CRYSTALS::Polynomial<DilithiumPolyTraits, Botan::CRYSTALS::Domain::Normal> |
| using | DilithiumPolyMatNTT = Botan::CRYSTALS::PolynomialMatrix<DilithiumPolyTraits> |
| using | DilithiumPolyNTT = Botan::CRYSTALS::Polynomial<DilithiumPolyTraits, Botan::CRYSTALS::Domain::NTT> |
| using | DilithiumPolyVec = Botan::CRYSTALS::PolynomialVector<DilithiumPolyTraits, Botan::CRYSTALS::Domain::Normal> |
| using | DilithiumPolyVecNTT = Botan::CRYSTALS::PolynomialVector<DilithiumPolyTraits, Botan::CRYSTALS::Domain::NTT> |
| using | DilithiumSeedRandomness = Strong<secure_vector<uint8_t>, struct DilithiumSeedRandomness_> |
| Principal seed used to generate Dilithium key pairs. | |
| using | DilithiumSeedRho = Strong<std::vector<uint8_t>, struct DilithiumPublicSeed_> |
| Public seed to sample the polynomial matrix A from. | |
| using | DilithiumSeedRhoPrime = Strong<secure_vector<uint8_t>, struct DilithiumSeedRhoPrime_> |
| Private seed to sample the polynomial vectors s1 and s2 from. | |
| using | DilithiumSerializedCommitment = Strong<std::vector<uint8_t>, struct DilithiumSerializedCommitment_> |
| Serialized representation of a commitment w1. | |
| using | DilithiumSerializedPrivateKey = Strong<secure_vector<uint8_t>, struct DilithiumSerializedPrivateKey_> |
| Serialized private key data. | |
| using | DilithiumSerializedPublicKey = Strong<std::vector<uint8_t>, struct DilithiumSerializedPublicKey_> |
| Serialized public key data (result of pkEncode(pk)) | |
| using | DilithiumSerializedSignature = Strong<std::vector<uint8_t>, struct DilithiumSerializedSignature_> |
| Serialized signature data. | |
| using | DilithiumSigningSeedK = Strong<secure_vector<uint8_t>, struct DilithiumSeedK_> |
| Private seed K used during signing. | |
| typedef FE_25519 | fe |
| using | ForsLeafSecret = Strong<secure_vector<uint8_t>, struct ForsLeafSecret_> |
| using | ForsSignature = Strong<std::vector<uint8_t>, struct ForsSignature_> |
| using | FrodoDomainSeparator = Strong<std::array<uint8_t, 1>, struct FrodoDoaminSeparator_> |
| using | FrodoIntermediateSharedSecret = Strong<secure_vector<uint8_t>, struct FrodoIntermediateSharedSecret_> |
| using | FrodoPackedMatrix = Strong<std::vector<uint8_t>, struct FrodoPackedMatrix_> |
| using | FrodoPlaintext = Strong<secure_vector<uint8_t>, struct FrodoPlaintext_> |
| using | FrodoPublicKeyHash = Strong<std::vector<uint8_t>, struct FrodoPublicKeyHash_> |
| using | FrodoSalt = Strong<std::vector<uint8_t>, struct FrodoSalt_> |
| using | FrodoSampleR = Strong<secure_vector<uint8_t>, struct FrodoSampleR_> |
| using | FrodoSeedA = Strong<std::vector<uint8_t>, struct FrodoSeedA_> |
| using | FrodoSeedS = Strong<secure_vector<uint8_t>, struct FrodoSeedS_> |
| using | FrodoSeedSE = Strong<secure_vector<uint8_t>, struct FrodoSeedSE_> |
| using | FrodoSeedZ = Strong<std::vector<uint8_t>, struct FrodoSeedZ_> |
| using | FrodoSerializedMatrix = Strong<secure_vector<uint8_t>, struct FrodoSerializedMatrix_> |
| using | GenerateLeafFunction = std::function<void(StrongSpan<SphincsTreeNode> , TreeNodeIndex)> |
| typedef uint16_t | gf2m |
| using | HSS_Level = Strong<uint32_t, struct HSS_Level_, EnableArithmeticWithPlainNumber> |
| The HSS layer in the HSS multi tree starting at 0 from the root. | |
| using | HSS_Sig_Idx = Strong<uint64_t, struct HSS_Sig_Idx_, EnableArithmeticWithPlainNumber> |
| The index of a node within a specific LMS tree layer. | |
| using | HypertreeLayerIndex = Strong<uint32_t, struct HypertreeLayerIndex_> |
| Index of a layer in the XMSS hyper-tree. | |
| using | InitializationVector = OctetString |
| typedef Invalid_Authentication_Tag | Integrity_Failure |
| using | KyberCompressedCiphertext = Strong<std::vector<uint8_t>, struct KyberCompressedCiphertext_> |
| Compressed and serialized ciphertext value. | |
| using | KyberEncryptionRandomness = Strong<secure_vector<uint8_t>, struct KyberEncryptionRandomness_> |
| Random value used to generate the Kyber ciphertext. | |
| using | KyberHashedCiphertext = Strong<std::vector<uint8_t>, struct KyberHashedCiphertext_> |
| using | KyberHashedPublicKey = Strong<std::vector<uint8_t>, struct KyberHashedPublicKey_> |
| Hash value of the serialized public key. | |
| using | KyberImplicitRejectionValue = Strong<secure_vector<uint8_t>, struct KyberImplicitRejectionValue_> |
| Secret random value (called Z in the spec), used for implicit rejection in the decapsulation. | |
| using | KyberInternalKeypair |
| using | KyberMessage = Strong<secure_vector<uint8_t>, struct KyberMessage_> |
| Random message value to be encrypted by the CPA-secure Kyber encryption scheme. | |
| using | KyberPoly = Botan::CRYSTALS::Polynomial<KyberPolyTraits, Botan::CRYSTALS::Domain::Normal> |
| using | KyberPolyMat = Botan::CRYSTALS::PolynomialMatrix<KyberPolyTraits> |
| using | KyberPolyNTT = Botan::CRYSTALS::Polynomial<KyberPolyTraits, Botan::CRYSTALS::Domain::NTT> |
| using | KyberPolyVec = Botan::CRYSTALS::PolynomialVector<KyberPolyTraits, Botan::CRYSTALS::Domain::Normal> |
| using | KyberPolyVecNTT = Botan::CRYSTALS::PolynomialVector<KyberPolyTraits, Botan::CRYSTALS::Domain::NTT> |
| using | KyberSamplingRandomness = Strong<secure_vector<uint8_t>, struct KyberSamplingRandomness_> |
| PRF value used for sampling of error polynomials. | |
| using | KyberSeedRandomness = Strong<secure_vector<uint8_t>, struct KyberSeedRandomness_> |
| Principal seed used to generate Kyber key pairs. | |
| using | KyberSeedRho = Strong<std::vector<uint8_t>, struct KyberSeedRho_> |
| Public seed value to generate the Kyber matrix A. | |
| using | KyberSeedSigma = Strong<secure_vector<uint8_t>, struct KyberSeedSigma_> |
| Private seed used to generate polynomial vectors s and e during key generation. | |
| using | KyberSerializedPublicKey = Strong<std::vector<uint8_t>, struct KyberSerializedPublicKey_> |
| Public key in serialized form (t || rho) | |
| using | KyberSharedSecret = Strong<secure_vector<uint8_t>, struct KyberSharedSecret_> |
| Shared secret value generated during encapsulation and recovered during decapsulation. | |
| using | KyberSigmaOrEncryptionRandomness |
| Variant value of either a KyberSeedSigma or a KyberEncryptionRandomness. | |
| using | LMOTS_K = Strong<std::vector<uint8_t>, struct LMOTS_K_> |
| The K value from the LM-OTS public key. | |
| using | LMOTS_Node = Strong<secure_vector<uint8_t>, struct LMOTS_Node_> |
| One node within one LM-OTS hash chain. | |
| using | LMOTS_Signature_Bytes = Strong<std::vector<uint8_t>, struct LMOTS_Signature_Bytes_> |
| Byte vector of an LM-OTS signature. | |
| using | LMS_AuthenticationPath = Strong<std::vector<uint8_t>, struct LMS_AuthenticationPath_> |
| The authentication path of an LMS signature. | |
| using | LMS_Identifier = Strong<std::vector<uint8_t>, struct LMS_Identifier_> |
| The identifier of an LMS tree (I in RFC 8554) | |
| using | LMS_Message = Strong<std::vector<uint8_t>, struct LMS_Message_> |
| A message that is signed with an LMS tree. | |
| using | LMS_Seed = Strong<secure_vector<uint8_t>, struct LMS_SEED_> |
| Seed of the LMS tree, used to generate the LM-OTS private keys. | |
| using | LMS_Signature_Bytes = Strong<std::vector<uint8_t>, struct LMS_Signature_Bytes_> |
| Raw bytes of an LMS signature. | |
| using | LMS_Tree_Node = Strong<std::vector<uint8_t>, struct LMS_Tree_Node_> |
| A node with the LMS tree. | |
| using | LMS_Tree_Node_Idx = Strong<uint32_t, struct LMS_Tree_Node_Idx_, EnableArithmeticWithPlainNumber> |
| The index of a node within a specific LMS tree layer. | |
| template<typename T > | |
| using | lock_guard_type = lock_guard<T> |
| typedef MessageAuthenticationCode | MAC |
| using | ML_DSA_Mode = DilithiumMode |
| using | ML_DSA_PrivateKey = Dilithium_PrivateKey |
| using | ML_DSA_PublicKey = Dilithium_PublicKey |
| using | ML_KEM_Mode = KyberMode |
| using | ML_KEM_PrivateKey = Kyber_PrivateKey |
| using | ML_KEM_PublicKey = Kyber_PublicKey |
| using | mutex_type = noop_mutex |
| template<std::signed_integral T> | |
| using | next_longer_int_t |
| template<std::unsigned_integral T> | |
| using | next_longer_uint_t |
| using | Point448 = Strong<std::array<uint8_t, X448_LEN>, struct Point448_> |
| typedef EC_Point | PointGFp |
| using | recursive_mutex_type = noop_mutex |
| typedef RandomNumberGenerator | RNG |
| typedef PBKDF | S2K |
| using | s32bit = std::int32_t |
| using | ScalarX448 = Strong<std::array<uint8_t, X448_LEN>, struct ScalarX448_> |
| template<typename T > | |
| using | secure_deque = std::deque<T, secure_allocator<T>> |
| template<typename T > | |
| using | secure_vector = std::vector<T, secure_allocator<T>> |
| template<typename T > | |
| using | SecureVector = secure_vector<T> |
| typedef SM2_PrivateKey | SM2_Encryption_PrivateKey |
| typedef SM2_PublicKey | SM2_Encryption_PublicKey |
| typedef SM2_PrivateKey | SM2_Signature_PrivateKey |
| typedef SM2_PublicKey | SM2_Signature_PublicKey |
| using | SphincsAuthenticationPath = Strong<std::vector<uint8_t>, struct SphincsAuthenticationPath_> |
| using | SphincsContext = Strong<std::vector<uint8_t>, struct SphincsContext_> |
| using | SphincsHashedMessage = Strong<std::vector<uint8_t>, struct SphincsHashedMessage_> |
| using | SphincsHypertreeSignature = Strong<std::vector<uint8_t>, struct SphincsXmssSignature_> |
| using | SphincsInputMessage = Strong<std::vector<uint8_t>, struct SphincsInputMessage_> |
| using | SphincsMessagePrefix = Strong<std::vector<uint8_t>, struct SphincsMessagePrefix_> |
| using | SphincsMessageRandomness = Strong<secure_vector<uint8_t>, struct SphincsMessageRandomness_> |
| using | SphincsOptionalRandomness = Strong<secure_vector<uint8_t>, struct SphincsOptionalRandomness_> |
| using | SphincsPublicSeed = Strong<std::vector<uint8_t>, struct SphincsPublicSeed_> |
| using | SphincsSecretPRF = Strong<secure_vector<uint8_t>, struct SphincsSecretPRF_> |
| using | SphincsSecretSeed = Strong<secure_vector<uint8_t>, struct SphincsSecretSeed_> |
| using | SphincsTreeNode = Strong<std::vector<uint8_t>, struct SphincsTreeNode_> |
| Either an XMSS or FORS tree node or leaf. | |
| using | SphincsXmssSignature = Strong<std::vector<uint8_t>, struct SphincsXmssSignature_> |
| template<typename T > | |
| using | strong_type_wrapped_type = typename detail::wrapped_type_helper<std::remove_cvref_t<T>>::type |
| Extracts the wrapped type from a strong type. | |
| using | SymmetricKey = OctetString |
| using | TreeLayerIndex = Strong<uint32_t, struct TreeLayerIndex_, EnableArithmeticWithPlainNumber> |
| Index of the layer within a FORS/XMSS tree. | |
| using | TreeNodeIndex = Strong<uint32_t, struct TreeNodeIndex_, EnableArithmeticWithPlainNumber> |
| Index of an individual node inside an XMSS or FORS tree. | |
| using | u16bit = std::uint16_t |
| using | u32bit = std::uint32_t |
| using | u64bit = std::uint64_t |
| typedef std::vector< secure_vector< uint8_t > > | wots_keysig_t |
| using | WotsChainIndex = Strong<uint32_t, struct WotsChainIndex_> |
| Index of a WOTS chain within a single usage of WOTS. | |
| using | WotsHashIndex = Strong<uint8_t, struct WotsHashIndex_, EnableArithmeticWithPlainNumber> |
| Index of a hash application inside a single WOTS chain (integers in "base_w") | |
| using | WotsNode = Strong<secure_vector<uint8_t>, struct WotsNode_> |
| Start (or intermediate) node of a WOTS+ chain. | |
| using | WotsPublicKey = Strong<std::vector<uint8_t>, struct WotsPublicKey_> |
| using | WotsPublicKeyNode = Strong<std::vector<uint8_t>, struct WotsPublicKeyNode_> |
| End node of a WOTS+ chain (part of the WOTS+ public key) | |
| using | WotsSignature = Strong<secure_vector<uint8_t>, struct WotsSignature_> |
| typedef ASN1_Time | X509_Time |
| using | XmssTreeIndexInLayer = Strong<uint64_t, struct XmssTreeIndexInLayer_, EnableArithmeticWithPlainNumber> |
| Index of an XMSS tree (unique for just the local hyper-tree layer) | |
Functions | |
| BigInt | abs (const BigInt &n) |
| BOTAN_MALLOC_FN void * | allocate_memory (size_t elems, size_t elem_size) |
| void | argon2 (uint8_t output[], size_t output_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len, const uint8_t key[], size_t key_len, const uint8_t ad[], size_t ad_len, uint8_t y, size_t p, size_t M, size_t t) |
| bool | argon2_check_pwhash (const char *password, size_t password_len, std::string_view input_hash) |
| std::string | argon2_generate_pwhash (const char *password, size_t password_len, RandomNumberGenerator &rng, size_t p, size_t M, size_t t, uint8_t y, size_t salt_len, size_t output_len) |
| std::string | asn1_class_to_string (ASN1_Class type) |
| std::string | asn1_tag_to_string (ASN1_Type type) |
| template<typename T > | |
| T | assert_is_some (std::optional< T > v, const char *expr, const char *func, const char *file, int line) |
| void | assert_unreachable (const char *file, int line) |
| void | assertion_failure (const char *expr_str, const char *assertion_made, const char *func, const char *file, int line) |
| secure_vector< uint8_t > | base32_decode (const char input[], size_t input_length, bool ignore_ws) |
| secure_vector< uint8_t > | base32_decode (std::string_view input, bool ignore_ws) |
| size_t | base32_decode (uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws) |
| size_t | base32_decode (uint8_t output[], const char input[], size_t input_length, bool ignore_ws) |
| size_t | base32_decode (uint8_t output[], std::string_view input, bool ignore_ws) |
| size_t | base32_encode (char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs) |
| std::string | base32_encode (const uint8_t input[], size_t input_length) |
| std::string | base32_encode (std::span< const uint8_t > input) |
| std::vector< uint8_t > | base58_check_decode (const char input[], size_t input_length) |
| std::vector< uint8_t > | base58_check_decode (std::string_view s) |
| std::string | base58_check_encode (const uint8_t input[], size_t input_length) |
| std::string | base58_check_encode (std::span< const uint8_t > vec) |
| std::vector< uint8_t > | base58_decode (const char input[], size_t input_length) |
| std::vector< uint8_t > | base58_decode (std::string_view s) |
| std::string | base58_encode (const uint8_t input[], size_t input_length) |
| std::string | base58_encode (std::span< const uint8_t > vec) |
| secure_vector< uint8_t > | base64_decode (const char input[], size_t input_length, bool ignore_ws) |
| size_t | base64_decode (std::span< uint8_t > output, std::string_view input, bool ignore_ws) |
| secure_vector< uint8_t > | base64_decode (std::string_view input, bool ignore_ws) |
| size_t | base64_decode (uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws) |
| size_t | base64_decode (uint8_t output[], const char input[], size_t input_length, bool ignore_ws) |
| size_t | base64_decode (uint8_t output[], std::string_view input, bool ignore_ws) |
| size_t | base64_decode_max_output (size_t input_length) |
| size_t | base64_encode (char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs) |
| std::string | base64_encode (const uint8_t input[], size_t input_length) |
| std::string | base64_encode (std::span< const uint8_t > input) |
| size_t | base64_encode_max_output (size_t input_length) |
| template<typename Base > | |
| size_t | base_decode (Base &&base, uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws=true) |
| template<typename Base > | |
| size_t | base_decode_full (Base &&base, uint8_t output[], const char input[], size_t input_length, bool ignore_ws) |
| template<typename Vector , typename Base > | |
| Vector | base_decode_to_vec (Base &&base, const char input[], size_t input_length, bool ignore_ws) |
| template<class Base > | |
| size_t | base_encode (Base &&base, char output[], const uint8_t input[], size_t input_length, size_t &input_consumed, bool final_inputs) |
| template<typename Base > | |
| std::string | base_encode_to_string (Base &&base, const uint8_t input[], size_t input_length) |
| BOTAN_FUZZER_API void | basecase_mul (word z[], size_t z_size, const word x[], size_t x_size, const word y[], size_t y_size) |
| BOTAN_FUZZER_API void | basecase_sqr (word z[], size_t z_size, const word x[], size_t x_size) |
| void | bcrypt_pbkdf (uint8_t output[], size_t output_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len, size_t rounds) |
| template<WordType W, size_t N> | |
| constexpr auto | bigint_add (std::span< W, N > z, std::span< const W, N > x, std::span< const W, N > y) -> W |
| template<WordType W> | |
| constexpr void | bigint_add2 (W x[], size_t x_size, const W y[], size_t y_size) |
| template<WordType W> | |
| constexpr auto | bigint_add2_nc (W x[], size_t x_size, const W y[], size_t y_size) -> W |
| template<WordType W> | |
| constexpr void | bigint_add3 (W z[], const W x[], size_t x_size, const W y[], size_t y_size) |
| template<WordType W> | |
| constexpr auto | bigint_add3_nc (W z[], const W x[], size_t x_size, const W y[], size_t y_size) -> W |
| template<WordType W> | |
| constexpr int32_t | bigint_cmp (const W x[], size_t x_size, const W y[], size_t y_size) |
| template<WordType W> | |
| constexpr void | bigint_cnd_abs (W cnd, W x[], size_t size) |
| template<WordType W> | |
| constexpr W | bigint_cnd_add (W cnd, W x[], const W y[], size_t size) |
| template<WordType W> | |
| constexpr W | bigint_cnd_add (W cnd, W x[], size_t x_size, const W y[], size_t y_size) |
| template<WordType W> | |
| constexpr void | bigint_cnd_add_or_sub (CT::Mask< W > mask, W x[], const W y[], size_t size) |
| template<WordType W> | |
| constexpr auto | bigint_cnd_addsub (CT::Mask< W > mask, W x[], const W y[], const W z[], size_t size) -> W |
| template<WordType W> | |
| constexpr auto | bigint_cnd_sub (W cnd, W x[], const W y[], size_t size) -> W |
| template<WordType W> | |
| constexpr auto | bigint_cnd_sub (W cnd, W x[], size_t x_size, const W y[], size_t y_size) -> W |
| template<WordType W> | |
| constexpr void | bigint_cnd_swap (W cnd, W x[], W y[], size_t size) |
| void | bigint_comba_mul16 (word z[32], const word x[16], const word y[16]) |
| void | bigint_comba_mul24 (word z[48], const word x[24], const word y[24]) |
| void | bigint_comba_mul4 (word z[8], const word x[4], const word y[4]) |
| void | bigint_comba_mul6 (word z[12], const word x[6], const word y[6]) |
| void | bigint_comba_mul7 (word z[14], const word x[7], const word y[7]) |
| void | bigint_comba_mul8 (word z[16], const word x[8], const word y[8]) |
| void | bigint_comba_mul9 (word z[18], const word x[9], const word y[9]) |
| void | bigint_comba_sqr16 (word z[32], const word x[16]) |
| void | bigint_comba_sqr24 (word z[48], const word x[24]) |
| void | bigint_comba_sqr4 (word z[8], const word x[4]) |
| void | bigint_comba_sqr6 (word z[12], const word x[6]) |
| void | bigint_comba_sqr7 (word z[14], const word x[7]) |
| void | bigint_comba_sqr8 (word z[16], const word x[8]) |
| void | bigint_comba_sqr9 (word z[18], const word x[9]) |
| template<WordType W> | |
| constexpr auto | bigint_ct_is_eq (const W x[], size_t x_size, const W y[], size_t y_size) -> CT::Mask< W > |
| template<WordType W> | |
| constexpr auto | bigint_ct_is_lt (const W x[], size_t x_size, const W y[], size_t y_size, bool lt_or_equal=false) -> CT::Mask< W > |
| template<WordType W> | |
| constexpr auto | bigint_divop_vartime (W n1, W n0, W d) -> W |
| template<WordType W> | |
| constexpr auto | bigint_linmul2 (W x[], size_t x_size, W y) -> W |
| template<WordType W> | |
| constexpr void | bigint_linmul3 (W z[], const W x[], size_t x_size, W y) |
| template<WordType W> | |
| constexpr void | bigint_mod_sub (W t[], const W s[], const W mod[], size_t mod_sw, W ws[]) |
| template<size_t N, WordType W> | |
| constexpr void | bigint_mod_sub_n (W t[], const W s[], const W mod[], W ws[]) |
| template<WordType W> | |
| constexpr auto | bigint_modop_vartime (W n1, W n0, W d) -> W |
| template<WordType W> | |
| constexpr void | bigint_monty_maybe_sub (size_t N, W z[], W x0, const W x[], const W p[]) |
| template<size_t N, WordType W> | |
| constexpr void | bigint_monty_maybe_sub (W z[N], W x0, const W x[N], const W y[N]) |
| void | bigint_monty_redc (word z[], const word p[], size_t p_size, word p_dash, word ws[], size_t ws_size) |
| BOTAN_FUZZER_API void | bigint_monty_redc_16 (word z[32], const word p[16], word p_dash, word ws[]) |
| BOTAN_FUZZER_API void | bigint_monty_redc_24 (word z[48], const word p[24], word p_dash, word ws[]) |
| BOTAN_FUZZER_API void | bigint_monty_redc_32 (word z[64], const word p[32], word p_dash, word ws[]) |
| BOTAN_FUZZER_API void | bigint_monty_redc_4 (word z[8], const word p[4], word p_dash, word ws[]) |
| BOTAN_FUZZER_API void | bigint_monty_redc_6 (word z[12], const word p[6], word p_dash, word ws[]) |
| BOTAN_FUZZER_API void | bigint_monty_redc_8 (word z[16], const word p[8], word p_dash, word ws[]) |
| BOTAN_FUZZER_API void | bigint_monty_redc_generic (word z[], size_t z_size, const word p[], size_t p_size, word p_dash, word ws[]) |
| void | bigint_mul (word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, const word y[], size_t y_size, size_t y_sw, word workspace[], size_t ws_size) |
| template<WordType W> | |
| constexpr void | bigint_shl1 (W x[], size_t x_size, size_t x_words, size_t shift) |
| template<WordType W> | |
| constexpr void | bigint_shl2 (W y[], const W x[], size_t x_size, size_t shift) |
| template<WordType W> | |
| constexpr void | bigint_shr1 (W x[], size_t x_size, size_t shift) |
| template<WordType W> | |
| constexpr void | bigint_shr2 (W y[], const W x[], size_t x_size, size_t shift) |
| void | bigint_sqr (word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, word workspace[], size_t ws_size) |
| template<WordType W> | |
| constexpr auto | bigint_sub2 (W x[], size_t x_size, const W y[], size_t y_size) -> W |
| template<WordType W> | |
| constexpr void | bigint_sub2_rev (W x[], const W y[], size_t y_size) |
| template<WordType W> | |
| constexpr auto | bigint_sub3 (W z[], const W x[], size_t x_size, const W y[], size_t y_size) -> W |
| template<WordType W> | |
| constexpr auto | bigint_sub_abs (W z[], const W x[], const W y[], size_t N, W ws[]) -> CT::Mask< W > |
| template<WordType W> | |
| constexpr int32_t | bigint_sub_abs (W z[], const W x[], size_t x_size, const W y[], size_t y_size) |
| template<typename T > | |
| constexpr T | bit_permute_step (T x, T mask, size_t shift) |
| size_t | bit_size_to_32bit_size (size_t bit_size) |
| size_t | bit_size_to_byte_size (size_t bit_size) |
| constexpr auto | bitlen (size_t x) |
| BOTAN_FUNC_ISA ("avx2") void Argon2 | |
| BOTAN_FUNC_ISA ("sse2") void IDEA | |
| BOTAN_FUNC_ISA ("ssse3,aes") void AES_128 | |
| BOTAN_FUNC_ISA (BOTAN_VPERM_ISA) size_t ZFEC | |
| BOTAN_FUNC_ISA_INLINE ("gfni,avx2") SIMD_8x32 gf2p8mul(const SIMD_8x32 &a | |
| template<typename T , typename Alloc , typename Alloc2 > | |
| size_t | buffer_insert (std::vector< T, Alloc > &buf, size_t buf_offset, const std::vector< T, Alloc2 > &input) |
| template<typename T , typename Alloc > | |
| size_t | buffer_insert (std::vector< T, Alloc > &buf, size_t buf_offset, const T input[], size_t input_length) |
| template<size_t S, int64_t MUL = 1> requires (S > 0 && S < 64) | |
| void | carry (int64_t &h0, int64_t &h1) |
| template<size_t S> requires (S > 0 && S < 32) | |
| void | carry0 (int32_t &h0, int32_t &h1) |
| template<size_t S> requires (S > 0 && S < 64) | |
| void | carry0 (int64_t &h0, int64_t &h1) |
| constexpr uint64_t | carry_shift (const donna128 &a, size_t shift) |
| uint8_t * | cast_char_ptr_to_uint8 (char *s) |
| const uint8_t * | cast_char_ptr_to_uint8 (const char *s) |
| const char * | cast_uint8_ptr_to_char (const uint8_t *b) |
| char * | cast_uint8_ptr_to_char (uint8_t *b) |
| template<std::unsigned_integral T> | |
| constexpr T | ceil_division (T a, T b) |
| template<typename T > requires (std::is_integral<T>::value && sizeof(T) < 32) | |
| constexpr uint8_t | ceil_log2 (T x) |
| template<typename T > requires (std::is_integral<T>::value) | |
| constexpr T | ceil_tobytes (T bits) |
| std::vector< WotsHashIndex > | chain_lengths (const SphincsTreeNode &msg, const Sphincs_Parameters ¶ms) |
| bool | check_bcrypt (std::string_view pass, std::string_view hash) |
| bool | check_passhash9 (std::string_view pass, std::string_view hash) |
| template<std::unsigned_integral T> | |
| constexpr std::optional< T > | checked_add (T a, T b) |
| template<std::unsigned_integral T, std::unsigned_integral... Ts> requires all_same_v<T, Ts...> | |
| constexpr std::optional< T > | checked_add (T a, T b, Ts... rest) |
| template<typename RT , typename AT > requires std::integral<strong_type_wrapped_type<RT>> && std::integral<strong_type_wrapped_type<AT>> | |
| constexpr RT | checked_cast_to (AT i) |
| template<typename RT , typename ExceptionType , typename AT > requires std::integral<strong_type_wrapped_type<RT>> && std::integral<strong_type_wrapped_type<AT>> | |
| constexpr RT | checked_cast_to_or_throw (AT i, std::string_view error_msg_on_fail) |
| template<std::unsigned_integral T> | |
| constexpr std::optional< T > | checked_mul (T a, T b) |
| template<std::unsigned_integral T> | |
| constexpr std::optional< T > | checked_sub (T a, T b) |
| template<typename T > | |
| constexpr T | choose (T mask, T a, T b) |
| constexpr void | clear_bytes (void *ptr, size_t bytes) |
| template<ranges::contiguous_output_range R> requires std::is_trivially_copyable_v<std::ranges::range_value_t<R>> | |
| constexpr void | clear_mem (R &&mem) |
| template<typename T > | |
| constexpr void | clear_mem (T *ptr, size_t n) |
| template<size_t N, WordType W> | |
| constexpr void | comba_mul (W z[2 *N], const W x[N], const W y[N]) |
| template<size_t N, WordType W> | |
| constexpr void | comba_sqr (W z[2 *N], const W x[N]) |
| constexpr uint64_t | combine_lower (const donna128 &a, size_t s1, const donna128 &b, size_t s2) |
| void | commoncrypto_adjust_key_size (const uint8_t key[], size_t length, const CommonCryptor_Opts &opts, secure_vector< uint8_t > &full_key) |
| CommonCryptor_Opts | commoncrypto_opts_from_algo (std::string_view algo) |
| CommonCryptor_Opts | commoncrypto_opts_from_algo_name (std::string_view algo_name) |
| void | compute_root (StrongSpan< SphincsTreeNode > out, const Sphincs_Parameters ¶ms, Sphincs_Hash_Functions &hashes, const SphincsTreeNode &leaf, TreeNodeIndex leaf_idx, uint32_t idx_offset, StrongSpan< const SphincsAuthenticationPath > authentication_path, uint32_t total_tree_height, Sphincs_Address &tree_address) |
| template<concepts::contiguous_strong_type TreeNode, concepts::strong_span AuthPathSS, concepts::tree_node_index TreeNodeIndex, concepts::tree_layer_index TreeLayerIndex, typename Address > requires concepts::tree_address<Address, TreeLayerIndex, TreeNodeIndex> | |
| void | compute_root (StrongSpan< TreeNode > out_root, AuthPathSS authentication_path, TreeNodeIndex leaf_idx, StrongSpan< const TreeNode > leaf, size_t node_size, TreeLayerIndex total_tree_height, uint32_t idx_offset, concepts::tree_hash_node_pair< TreeNodeIndex, TreeLayerIndex, Address, StrongSpan< TreeNode > > auto node_pair_hash, Address &tree_address) |
| Uses an authentication path and a leaf node to reconstruct the root node of a merkle tree. | |
| template<typename OutR = detail::AutoDetect, ranges::spanable_range... Rs> requires (all_same_v<std::ranges::range_value_t<Rs>...>) | |
| constexpr auto | concat (Rs &&... ranges) |
| bool | constant_time_compare (const uint8_t x[], const uint8_t y[], size_t len) |
| bool | constant_time_compare (std::span< const uint8_t > x, std::span< const uint8_t > y) |
| template<ranges::contiguous_output_range OutR, ranges::contiguous_range InR> requires std::is_same_v<std::ranges::range_value_t<OutR>, std::ranges::range_value_t<InR>> && std::is_trivially_copyable_v<std::ranges::range_value_t<InR>> | |
| constexpr void | copy_mem (OutR &&out, InR &&in) |
| template<typename T > requires std::is_trivial<typename std::decay<T>::type>::value | |
| constexpr void | copy_mem (T *out, const T *in, size_t n) |
| template<ranges::spanable_range InR> | |
| void | copy_out_be (std::span< uint8_t > out, InR &&in) |
| template<ranges::spanable_range InR> | |
| void | copy_out_le (std::span< uint8_t > out, InR &&in) |
| template<WordType W, size_t N, W C> | |
| consteval std::array< W, N > | crandall_p () |
| auto | create_aes_row_generator (const FrodoKEMConstants &constants, StrongSpan< const FrodoSeedA > seed_a) |
| std::unique_ptr< Private_Key > | create_ec_private_key (std::string_view alg_name, const EC_Group &ec_group, RandomNumberGenerator &rng) |
| std::string | create_hex_fingerprint (const uint8_t bits[], size_t bits_len, std::string_view hash_name) |
| std::string | create_hex_fingerprint (std::span< const uint8_t > vec, std::string_view hash_name) |
| std::array< uint8_t, ED448_LEN > | create_pk_from_sk (std::span< const uint8_t, ED448_LEN > sk) |
| Create a public key point from a secret key (RFC 8032 5.2.5) | |
| std::unique_ptr< Private_Key > | create_private_key (std::string_view alg_name, RandomNumberGenerator &rng, std::string_view params, std::string_view provider) |
| auto | create_shake_row_generator (const FrodoKEMConstants &constants, StrongSpan< const FrodoSeedA > seed_a) |
| uint8_t | ct_compare_u8 (const uint8_t x[], const uint8_t y[], size_t len) |
| BigInt | ct_divide (const BigInt &x, const BigInt &y) |
| void | ct_divide (const BigInt &x, const BigInt &y, BigInt &q_out, BigInt &r_out) |
| void | ct_divide_word (const BigInt &x, word y, BigInt &q_out, word &r_out) |
| template<typename T > requires (std::is_integral<T>::value) | |
| constexpr T | ct_is_zero (T x) |
| BigInt | ct_modulo (const BigInt &x, const BigInt &y) |
| template<typename T > requires (std::is_integral<T>::value) | |
| constexpr size_t | ctz (T n) |
| void | curve25519_basepoint (uint8_t mypublic[32], const uint8_t secret[32]) |
| void | curve25519_donna (uint8_t mypublic[32], const uint8_t secret[32], const uint8_t basepoint[32]) |
| void | deallocate_memory (void *p, size_t elems, size_t elem_size) |
| gf2m | decode_gf2m (const uint8_t *mem) |
| Point448 | decode_point (std::span< const uint8_t > p_bytes) |
| Decode a point from a byte array. RFC 7748 Section 5 (decodeUCoordinate) | |
| ScalarX448 | decode_scalar (std::span< const uint8_t > scalar_bytes) |
| Decode a scalar from a byte array. RFC 7748 Section 5 (decodeScalar448) | |
| size_t | dl_exponent_size (size_t bits) |
| size_t | dl_work_factor (size_t bits) |
| template<typename E , typename... Args> | |
| void | do_throw_error (const char *file, int line, const char *func, Args... args) |
| size_t | ecp_work_factor (size_t bits) |
| void | ed25519_gen_keypair (uint8_t *pk, uint8_t *sk, const uint8_t seed[32]) |
| void | ed25519_gen_keypair (uint8_t pk[32], uint8_t sk[64], const uint8_t seed[32]) |
| void | ed25519_sign (uint8_t sig[64], const uint8_t m[], size_t mlen, const uint8_t sk[64], const uint8_t domain_sep[], size_t domain_sep_len) |
| bool | ed25519_verify (const uint8_t *m, size_t mlen, const uint8_t sig[64], const uint8_t *pk, const uint8_t domain_sep[], size_t domain_sep_len) |
| bool | ed25519_verify (const uint8_t msg[], size_t msg_len, const uint8_t sig[64], const uint8_t pk[32], const uint8_t domain_sep[], size_t domain_sep_len) |
| uint32_t | encode_gf2m (gf2m to_enc, uint8_t *mem) |
| secure_vector< uint8_t > | encode_point (const Point448 &p) |
| Encode a point to a 56 byte vector. RFC 7748 Section 5 (encodeUCoordinate) | |
| template<typename T > | |
| uint16_t | expand_mask_16bit (T tst) |
| void | expand_message_xmd (std::string_view hash_fn, std::span< uint8_t > output, std::span< const uint8_t > input, std::span< const uint8_t > domain_sep) |
| void | expand_message_xmd (std::string_view hash_fn, std::span< uint8_t > output, std::string_view input_str, std::string_view domain_sep_str) |
| template<typename T > requires (std::is_integral<T>::value) | |
| constexpr T | expand_top_bit (T a) |
| template<std::integral T> | |
| consteval eea_result< T > | extended_euclidean_algorithm (T a, T b) |
| void | fe_0 (fe &x) |
| void | fe_1 (fe &x) |
| void | fe_add (fe &x, const fe &a, const fe &b) |
| void | fe_copy (fe &a, const fe &b) |
| void | fe_frombytes (fe &x, const uint8_t *b) |
| void | fe_invert (fe &x, const fe &z) |
| int | fe_isnegative (const fe &x) |
| int | fe_isnonzero (const fe &x) |
| void | fe_mul (fe &x, const fe &a, const fe &b) |
| void | fe_neg (fe &x, const fe &z) |
| void | fe_pow22523 (fe &x, const fe &y) |
| void | fe_sq (fe &x, const fe &z) |
| void | fe_sq2 (fe &x, const fe &z) |
| void | fe_sq_iter (fe &x, const fe &z, size_t iter) |
| void | fe_sub (fe &x, const fe &a, const fe &b) |
| void | fe_tobytes (uint8_t *b, const fe &x) |
| secure_vector< gf2m > | find_roots_gf2m_decomp (const polyn_gf2m &polyn, size_t code_length) |
| template<typename... T> | |
| std::string | fmt (std::string_view format, const T &... args) |
| std::string | format_char_for_display (char c) |
| SphincsTreeNode | fors_public_key_from_signature (const SphincsHashedMessage &hashed_message, StrongSpan< const ForsSignature > signature, const Sphincs_Address &address, const Sphincs_Parameters ¶ms, Sphincs_Hash_Functions &hash) |
| FIPS 205, Algorithm 17: fors_pkFromSig. | |
| SphincsTreeNode | fors_sign_and_pkgen (StrongSpan< ForsSignature > sig_out, const SphincsHashedMessage &hashed_message, const SphincsSecretSeed &secret_seed, const Sphincs_Address &address, const Sphincs_Parameters ¶ms, Sphincs_Hash_Functions &hashes) |
| FIPS 205, Algorithm 16: fors_sign (with simultaneous FORS pk generation) | |
| void | gamma (SIMD_4x32 &A0, SIMD_4x32 &A1, SIMD_4x32 &A2, SIMD_4x32 &A3) |
| BigInt | gcd (const BigInt &a, const BigInt &b) |
| void | ge_double_scalarmult_vartime (uint8_t out[32], const uint8_t *a, const ge_p3 *A, const uint8_t *b) |
| void | ge_double_scalarmult_vartime (uint8_t out[32], const uint8_t a[], const ge_p3 *A, const uint8_t b[]) |
| int | ge_frombytes_negate_vartime (ge_p3 *v, const uint8_t *) |
| void | ge_scalarmult_base (uint8_t out[32], const uint8_t in[32]) |
| template<typename GeneralVariantT , typename SpecialT > requires (std::is_constructible_v<GeneralVariantT, std::decay_t<SpecialT>>) | |
| constexpr GeneralVariantT | generalize_to (SpecialT &&specific) noexcept |
| Converts a given variant into another variant-ish whose type states are a super set of the given variant. | |
| template<typename GeneralVariantT , typename... SpecialTs> | |
| constexpr GeneralVariantT | generalize_to (std::variant< SpecialTs... > specific) noexcept |
| Converts a given variant into another variant-ish whose type states are a super set of the given variant. | |
| std::string | generate_bcrypt (std::string_view pass, RandomNumberGenerator &rng, uint16_t work_factor, char version) |
| std::vector< uint8_t > | generate_dsa_primes (RandomNumberGenerator &rng, BigInt &p, BigInt &q, size_t pbits, size_t qbits) |
| bool | generate_dsa_primes (RandomNumberGenerator &rng, BigInt &p, BigInt &q, size_t pbits, size_t qbits, const std::vector< uint8_t > &seed_c, size_t offset) |
| McEliece_PrivateKey | generate_mceliece_key (RandomNumberGenerator &rng, size_t ext_deg, size_t code_length, size_t t) |
| std::string | generate_passhash9 (std::string_view pass, RandomNumberGenerator &rng, uint16_t work_factor, uint8_t alg_id) |
| BigInt | generate_rfc6979_nonce (const BigInt &x, const BigInt &q, const BigInt &h, std::string_view hash) |
| BigInt | generate_rsa_prime (RandomNumberGenerator &keygen_rng, RandomNumberGenerator &prime_test_rng, size_t bits, const BigInt &coprime, size_t prob) |
| AEAD_Mode * | get_aead (std::string_view name, Cipher_Dir direction) |
| template<size_t B, typename T > requires (B < sizeof(T)) | |
| constexpr uint8_t | get_byte (T input) |
| template<typename T > | |
| constexpr uint8_t | get_byte_var (size_t byte_num, T input) |
| Keyed_Filter * | get_cipher (std::string_view algo_spec, Cipher_Dir direction) |
| Keyed_Filter * | get_cipher (std::string_view algo_spec, const SymmetricKey &key, Cipher_Dir direction) |
| Keyed_Filter * | get_cipher (std::string_view algo_spec, const SymmetricKey &key, const InitializationVector &iv, Cipher_Dir direction) |
| Cipher_Mode * | get_cipher_mode (std::string_view algo_spec, Cipher_Dir direction, std::string_view provider="") |
| std::vector< std::string > | get_files_recursive (std::string_view dir) |
| KDF * | get_kdf (std::string_view algo_spec) |
| PBKDF * | get_pbkdf (std::string_view algo_spec, std::string_view provider="") |
| PBKDF * | get_s2k (std::string_view algo_spec) |
| template<WordType W> | |
| constexpr uint32_t | get_uint32 (const W xw[], size_t i) |
| template<uint64_t A, uint8_t B> | |
| SIMD_8x32 | gf2p8affine (const SIMD_8x32 &x) |
| template<uint64_t A, uint8_t B> | |
| SIMD_8x32 | gf2p8affineinv (const SIMD_8x32 &x) |
| consteval uint64_t | gfni_matrix (std::string_view s) |
| gf2m | gray_to_lex (gf2m gray) |
| bool | has_filesystem_impl () |
| std::vector< uint8_t > | hex_decode (const char input[], size_t input_length, bool ignore_ws) |
| size_t | hex_decode (std::span< uint8_t > output, std::string_view input, bool ignore_ws) |
| std::vector< uint8_t > | hex_decode (std::string_view input, bool ignore_ws) |
| size_t | hex_decode (uint8_t output[], const char input[], size_t input_length, bool ignore_ws) |
| size_t | hex_decode (uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool ignore_ws) |
| size_t | hex_decode (uint8_t output[], std::string_view input, bool ignore_ws) |
| secure_vector< uint8_t > | hex_decode_locked (const char input[], size_t input_length, bool ignore_ws) |
| secure_vector< uint8_t > | hex_decode_locked (std::string_view input, bool ignore_ws) |
| void | hex_encode (char output[], const uint8_t input[], size_t input_length, bool uppercase) |
| std::string | hex_encode (const uint8_t input[], size_t input_length, bool uppercase) |
| std::string | hex_encode (std::span< const uint8_t > input, bool uppercase=true) |
| template<WordType W, size_t N> | |
| constexpr auto | hex_to_words (const char(&s)[N]) |
| template<typename T > requires (std::is_unsigned<T>::value) | |
| constexpr size_t | high_bit (T n) |
| secure_vector< uint8_t > | hkdf_expand_label (std::string_view hash_fn, const uint8_t secret[], size_t secret_len, std::string_view label, const uint8_t hash_val[], size_t hash_val_len, size_t length) |
| template<typename... Alts, typename... Ts> | |
| constexpr bool | holds_any_of (const std::variant< Ts... > &v) noexcept |
| bool | host_wildcard_match (std::string_view issued_, std::string_view host_) |
| void | ht_sign (StrongSpan< SphincsHypertreeSignature > out_sig, const SphincsTreeNode &message_to_sign, const SphincsSecretSeed &secret_seed, XmssTreeIndexInLayer tree_index_in_layer, TreeNodeIndex idx_leaf, const Sphincs_Parameters ¶ms, Sphincs_Hash_Functions &hashes) |
| FIPS 205, Algorithm 12: ht_sign. | |
| bool | ht_verify (const SphincsTreeNode &signed_msg, StrongSpan< const SphincsHypertreeSignature > ht_sig, const SphincsTreeNode &pk_root, XmssTreeIndexInLayer tree_index_in_layer, TreeNodeIndex idx_leaf, const Sphincs_Parameters ¶ms, Sphincs_Hash_Functions &hashes) |
| FIPS 205, Algorithm 13: ht_verify. | |
| uint8_t | ieee1363_hash_id (std::string_view name) |
| size_t | if_work_factor (size_t bits) |
| template<typename T > | |
| constexpr void | ignore_param (T &&) |
| template<typename... T> | |
| constexpr void | ignore_params (T &&... args) |
| template<std::unsigned_integral T> | |
| constexpr size_t | index_of_first_set_byte (T v) |
| void | initialize_allocator () |
| bool | intersects (ASN1_Class x, ASN1_Class y) |
| BigInt | inverse_mod (const BigInt &n, const BigInt &mod) |
| std::string | ipv4_to_string (uint32_t ip) |
| bool | is_bailie_psw_probable_prime (const BigInt &n) |
| bool | is_bailie_psw_probable_prime (const BigInt &n, const Modular_Reducer &mod_n) |
| template<typename GeneralVariantT , typename SpecialT > | |
| constexpr bool | is_generalizable_to (const SpecialT &) noexcept |
| template<typename GeneralVariantT , typename... SpecialTs> | |
| constexpr bool | is_generalizable_to (const std::variant< SpecialTs... > &) noexcept |
| bool | is_lucas_probable_prime (const BigInt &C, const Modular_Reducer &mod_C) |
| bool | is_miller_rabin_probable_prime (const BigInt &n, const Modular_Reducer &mod_n, RandomNumberGenerator &rng, size_t test_iterations) |
| bool | is_passhash9_alg_supported (uint8_t alg_id) |
| BigInt | is_perfect_square (const BigInt &C) |
| template<typename T > requires (std::is_unsigned<T>::value) | |
| constexpr bool | is_power_of_2 (T arg) |
| bool | is_prime (const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random) |
| int32_t | jacobi (const BigInt &a, const BigInt &n) |
| template<absorbing_object T, typename... Ts> requires (std::constructible_from<std::span<const uint8_t>, Ts> && ...) | |
| size_t | keccak_absorb_padded_strings_encoding (T &sink, size_t padding_mod, Ts... byte_strings) |
| size_t | keccak_int_encoding_size (size_t x) |
| std::span< const uint8_t > | keccak_int_left_encode (std::span< uint8_t > out, size_t x) |
| std::span< const uint8_t > | keccak_int_right_encode (std::span< uint8_t > out, size_t x) |
| constexpr size_t | keccak_max_int_encoding_size () |
| void | Keccak_Permutation_round (uint64_t T[25], const uint64_t A[25], uint64_t RC) |
| std::string | key_constraints_to_string (Key_Constraints c) |
| std::string | latin1_to_utf8 (const uint8_t chars[], size_t len) |
| BigInt | lcm (const BigInt &a, const BigInt &b) |
| gf2m | lex_to_gray (gf2m lex) |
| LMOTS_K | lmots_compute_pubkey_from_sig (const LMOTS_Signature &sig, const LMS_Message &msg, const LMS_Identifier &identifier, LMS_Tree_Node_Idx q) |
| Compute a public key candidate for an OTS-signature-message pair and the OTS instance parameters. | |
| uint64_t | load_3 (const uint8_t in[3]) |
| uint64_t | load_4 (const uint8_t *in) |
| template<typename OutT = detail::AutoDetect, typename... ParamTs> | |
| constexpr auto | load_be (ParamTs &&... params) |
| template<typename OutT = detail::AutoDetect, typename... ParamTs> | |
| constexpr auto | load_le (ParamTs &&... params) |
| std::unique_ptr< Private_Key > | load_private_key (const AlgorithmIdentifier &alg_id, std::span< const uint8_t > key_bits) |
| std::unique_ptr< Public_Key > | load_public_key (const AlgorithmIdentifier &alg_id, std::span< const uint8_t > key_bits) |
| template<typename T > | |
| secure_vector< T > | lock (const std::vector< T > &in) |
| size_t | low_zero_bits (const BigInt &n) |
| template<typename T > | |
| constexpr T | majority (T a, T b, T c) |
| std::unique_ptr< BlockCipher > | make_commoncrypto_block_cipher (std::string_view name) |
| std::unique_ptr< Cipher_Mode > | make_commoncrypto_cipher_mode (std::string_view name, Cipher_Dir direction) |
| std::unique_ptr< HashFunction > | make_commoncrypto_hash (std::string_view name) |
| Compression_Algorithm * | make_compressor (std::string_view type) |
| Decompression_Algorithm * | make_decompressor (std::string_view type) |
| constexpr uint16_t | make_uint16 (uint8_t i0, uint8_t i1) |
| constexpr uint32_t | make_uint32 (uint8_t i0, uint8_t i1, uint8_t i2, uint8_t i3) |
| constexpr uint64_t | make_uint64 (uint8_t i0, uint8_t i1, uint8_t i2, uint8_t i3, uint8_t i4, uint8_t i5, uint8_t i6, uint8_t i7) |
| template<typename T , typename Pred > | |
| void | map_remove_if (Pred pred, T &assoc) |
| secure_vector< uint8_t > | mceliece_decrypt (secure_vector< gf2m > &error_pos, const uint8_t *ciphertext, size_t ciphertext_len, const McEliece_PrivateKey &key) |
| void | mceliece_decrypt (secure_vector< uint8_t > &plaintext, secure_vector< uint8_t > &error_mask, const uint8_t ciphertext[], size_t ciphertext_len, const McEliece_PrivateKey &key) |
| void | mceliece_decrypt (secure_vector< uint8_t > &plaintext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &ciphertext, const McEliece_PrivateKey &key) |
| void | mceliece_encrypt (secure_vector< uint8_t > &ciphertext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &plaintext, const McEliece_PublicKey &key, RandomNumberGenerator &rng) |
| size_t | mceliece_work_factor (size_t n, size_t t) |
| void | mgf1_mask (HashFunction &hash, const uint8_t in[], size_t in_len, uint8_t out[], size_t out_len) |
| void | mgf1_mask (HashFunction &hash, std::span< const uint8_t > input, std::span< uint8_t > output) |
| size_t | miller_rabin_test_iterations (size_t n_bits, size_t prob, bool random) |
| template<std::integral T, std::integral T2 = next_longer_int_t<T>> requires (sizeof(T) <= 4) | |
| consteval T | modular_inverse (T q, T2 m=T2(1)<< sizeof(T) *8) |
| template<std::integral T> requires (size_t(sizeof(T)) <= 4) | |
| consteval T | montgomery_R (T q) |
| template<std::integral T> requires (size_t(sizeof(T)) <= 4) | |
| consteval T | montgomery_R2 (T q) |
| BigInt | monty_execute (const Montgomery_Exponentation_State &precomputed_state, const BigInt &k, size_t max_k_bits) |
| BigInt | monty_execute_vartime (const Montgomery_Exponentation_State &precomputed_state, const BigInt &k) |
| BigInt | monty_exp (const std::shared_ptr< const Montgomery_Params > ¶ms_p, const BigInt &g, const BigInt &k, size_t max_k_bits) |
| BigInt | monty_exp_vartime (const std::shared_ptr< const Montgomery_Params > ¶ms_p, const BigInt &g, const BigInt &k) |
| template<WordType W> | |
| constexpr auto | monty_inverse (W a) -> W |
| BigInt | monty_multi_exp (const std::shared_ptr< const Montgomery_Params > ¶ms_p, const BigInt &x_bn, const BigInt &z1, const BigInt &y_bn, const BigInt &z2) |
| std::shared_ptr< const Montgomery_Exponentation_State > | monty_precompute (const std::shared_ptr< const Montgomery_Params > ¶ms, const BigInt &g, size_t window_bits, bool const_time) |
| constexpr void | mul64x64_128 (uint64_t a, uint64_t b, uint64_t *lo, uint64_t *hi) |
| EC_Point | multi_exponentiate (const EC_Point &p1, const BigInt &z1, const EC_Point &p2, const BigInt &z2) |
| secure_vector< uint8_t > | nist_key_unwrap (const uint8_t input[], size_t input_len, const BlockCipher &bc) |
| secure_vector< uint8_t > | nist_key_unwrap_padded (const uint8_t input[], size_t input_len, const BlockCipher &bc) |
| std::vector< uint8_t > | nist_key_wrap (const uint8_t input[], size_t input_len, const BlockCipher &bc) |
| std::vector< uint8_t > | nist_key_wrap_padded (const uint8_t input[], size_t input_len, const BlockCipher &bc) |
| CT::Option< size_t > | oaep_find_delim (std::span< const uint8_t > input, std::span< const uint8_t > phash) |
| bool | operator!= (const AlgorithmIdentifier &a1, const AlgorithmIdentifier &a2) |
| bool | operator!= (const ASN1_Time &, const ASN1_Time &) |
| bool | operator!= (const BigInt &a, const BigInt &b) |
| bool | operator!= (const BigInt &a, word b) |
| bool | operator!= (const CRL_Entry &a1, const CRL_Entry &a2) |
| bool | operator!= (const EC_Group &lhs, const EC_Group &rhs) |
| bool | operator!= (const OctetString &s1, const OctetString &s2) |
| bool | operator!= (const OID &a, const OID &b) |
| template<typename T , typename U > | |
| bool | operator!= (const secure_allocator< T > &, const secure_allocator< U > &) |
| bool | operator!= (const X509_Certificate &cert1, const X509_Certificate &cert2) |
| bool | operator!= (const X509_DN &dn1, const X509_DN &dn2) |
| BigInt | operator% (const BigInt &n, const BigInt &mod) |
| word | operator% (const BigInt &n, word mod) |
| ECIES_Flags | operator& (ECIES_Flags a, ECIES_Flags b) |
| template<std::integral T, typename... Tags> | |
| constexpr decltype(auto) | operator& (Strong< T, Tags... > a, Strong< T, Tags... > b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr decltype(auto) | operator& (Strong< T1, Tags... > a, T2 b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr decltype(auto) | operator& (T1 a, Strong< T2, Tags... > b) |
| template<std::integral T, typename... Tags> | |
| constexpr auto | operator&= (Strong< T, Tags... > &a, Strong< T, Tags... > b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr auto | operator&= (Strong< T1, Tags... > &a, T2 b) |
| EC_Point | operator* (const BigInt &scalar, const EC_Point &point) |
| BigInt | operator* (const BigInt &x, const BigInt &y) |
| BigInt | operator* (const BigInt &x, word y) |
| template<std::unsigned_integral T> | |
| constexpr donna128 | operator* (const donna128 &x, T y) |
| EC_Point | operator* (const EC_Point &point, const BigInt &scalar) |
| Ed448Point | operator* (const Scalar448 &lhs, const Ed448Point &rhs) |
| Syntax sugar for scalar multiplication. | |
| template<std::integral T, typename... Tags> | |
| constexpr decltype(auto) | operator* (Strong< T, Tags... > a, Strong< T, Tags... > b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr decltype(auto) | operator* (Strong< T1, Tags... > a, T2 b) |
| template<std::unsigned_integral T> | |
| constexpr donna128 | operator* (T y, const donna128 &x) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr decltype(auto) | operator* (T1 a, Strong< T2, Tags... > b) |
| BigInt | operator* (word x, const BigInt &y) |
| template<std::integral T, typename... Tags> | |
| constexpr auto | operator*= (Strong< T, Tags... > &a, Strong< T, Tags... > b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr auto | operator*= (Strong< T1, Tags... > &a, T2 b) |
| BigInt | operator+ (const BigInt &x, const BigInt &y) |
| BigInt | operator+ (const BigInt &x, word y) |
| constexpr donna128 | operator+ (const donna128 &x, const donna128 &y) |
| constexpr donna128 | operator+ (const donna128 &x, uint64_t y) |
| EC_Point | operator+ (const EC_Point &lhs, const EC_Point &rhs) |
| OctetString | operator+ (const OctetString &k1, const OctetString &k2) |
| template<std::integral T, typename... Tags> | |
| constexpr decltype(auto) | operator+ (Strong< T, Tags... > a, Strong< T, Tags... > b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr decltype(auto) | operator+ (Strong< T1, Tags... > a, T2 b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr decltype(auto) | operator+ (T1 a, Strong< T2, Tags... > b) |
| BigInt | operator+ (word x, const BigInt &y) |
| template<std::integral T, typename... Tags> | |
| constexpr auto | operator++ (Strong< T, Tags... > &a) |
| template<std::integral T, typename... Tags> | |
| constexpr auto | operator++ (Strong< T, Tags... > &a, int) |
| template<typename T , typename Alloc , typename L > | |
| std::vector< T, Alloc > & | operator+= (std::vector< T, Alloc > &out, const std::pair< const T *, L > &in) |
| template<typename T , typename Alloc , typename L > | |
| std::vector< T, Alloc > & | operator+= (std::vector< T, Alloc > &out, const std::pair< T *, L > &in) |
| template<typename T , typename Alloc , typename Alloc2 > | |
| std::vector< T, Alloc > & | operator+= (std::vector< T, Alloc > &out, const std::vector< T, Alloc2 > &in) |
| template<typename T , typename Alloc > | |
| std::vector< T, Alloc > & | operator+= (std::vector< T, Alloc > &out, T in) |
| template<std::integral T, typename... Tags> | |
| constexpr auto | operator+= (Strong< T, Tags... > &a, Strong< T, Tags... > b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr auto | operator+= (Strong< T1, Tags... > &a, T2 b) |
| BigInt | operator- (const BigInt &x, const BigInt &y) |
| BigInt | operator- (const BigInt &x, word y) |
| EC_Point | operator- (const EC_Point &lhs) |
| EC_Point | operator- (const EC_Point &lhs, const EC_Point &rhs) |
| template<std::integral T, typename... Tags> | |
| constexpr decltype(auto) | operator- (Strong< T, Tags... > a, Strong< T, Tags... > b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr decltype(auto) | operator- (Strong< T1, Tags... > a, T2 b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr decltype(auto) | operator- (T1 a, Strong< T2, Tags... > b) |
| template<std::integral T, typename... Tags> | |
| constexpr auto | operator-- (Strong< T, Tags... > &a) |
| template<std::integral T, typename... Tags> | |
| constexpr auto | operator-- (Strong< T, Tags... > &a, int) |
| template<std::integral T, typename... Tags> | |
| constexpr auto | operator-= (Strong< T, Tags... > &a, Strong< T, Tags... > b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr auto | operator-= (Strong< T1, Tags... > &a, T2 b) |
| BigInt | operator/ (const BigInt &x, const BigInt &y) |
| BigInt | operator/ (const BigInt &x, word y) |
| template<std::integral T, typename... Tags> | |
| constexpr decltype(auto) | operator/ (Strong< T, Tags... > a, Strong< T, Tags... > b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr decltype(auto) | operator/ (Strong< T1, Tags... > a, T2 b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr decltype(auto) | operator/ (T1 a, Strong< T2, Tags... > b) |
| template<std::integral T, typename... Tags> | |
| constexpr auto | operator/= (Strong< T, Tags... > &a, Strong< T, Tags... > b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr auto | operator/= (Strong< T1, Tags... > &a, T2 b) |
| bool | operator< (const ASN1_Time &, const ASN1_Time &) |
| bool | operator< (const BigInt &a, const BigInt &b) |
| bool | operator< (const BigInt &a, word b) |
| bool | operator< (const OID &a, const OID &b) |
| bool | operator< (const X509_DN &dn1, const X509_DN &dn2) |
| BigInt | operator<< (const BigInt &x, size_t shift) |
| int | operator<< (int fd, Pipe &pipe) |
| std::ostream & | operator<< (std::ostream &os, const GeneralName &gn) |
| std::ostream & | operator<< (std::ostream &os, const GeneralSubtree &gs) |
| template<typename T , typename... Tags> requires (concepts::streamable<T>) | |
| decltype(auto) | operator<< (std::ostream &os, const Strong< T, Tags... > &v) |
| std::ostream & | operator<< (std::ostream &out, const OID &oid) |
| std::ostream & | operator<< (std::ostream &out, const X509_DN &dn) |
| std::ostream & | operator<< (std::ostream &out, Pipe &pipe) |
| std::ostream & | operator<< (std::ostream &stream, const BigInt &n) |
| template<std::integral T, typename... Tags> | |
| constexpr decltype(auto) | operator<< (Strong< T, Tags... > a, Strong< T, Tags... > b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr decltype(auto) | operator<< (Strong< T1, Tags... > a, T2 b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr decltype(auto) | operator<< (T1 a, Strong< T2, Tags... > b) |
| template<std::integral T, typename... Tags> | |
| constexpr auto | operator<<= (Strong< T, Tags... > &a, Strong< T, Tags... > b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr auto | operator<<= (Strong< T1, Tags... > &a, T2 b) |
| bool | operator<= (const ASN1_Time &, const ASN1_Time &) |
| bool | operator<= (const BigInt &a, const BigInt &b) |
| bool | operator<= (const BigInt &a, word b) |
| template<typename T , typename... Tags> requires (std::three_way_comparable<T>) | |
| auto | operator<=> (const Strong< T, Tags... > &lhs, const Strong< T, Tags... > &rhs) |
| template<std::integral T1, std::integral T2, typename... Tags> | |
| auto | operator<=> (Strong< T1, Tags... > a, T2 b) |
| template<std::integral T1, std::integral T2, typename... Tags> | |
| auto | operator<=> (T1 a, Strong< T2, Tags... > b) |
| bool | operator== (const AlgorithmIdentifier &a1, const AlgorithmIdentifier &a2) |
| bool | operator== (const ASN1_Time &, const ASN1_Time &) |
| bool | operator== (const BigInt &a, const BigInt &b) |
| bool | operator== (const BigInt &a, word b) |
| bool | operator== (const CRL_Entry &a1, const CRL_Entry &a2) |
| bool | operator== (const OctetString &s1, const OctetString &s2) |
| template<typename T , typename U > | |
| bool | operator== (const secure_allocator< T > &, const secure_allocator< U > &) |
| template<typename T , typename... Tags> requires (std::equality_comparable<T>) | |
| bool | operator== (const Strong< T, Tags... > &lhs, const Strong< T, Tags... > &rhs) |
| bool | operator== (const X509_DN &dn1, const X509_DN &dn2) |
| template<std::integral T1, std::integral T2, typename... Tags> | |
| auto | operator== (Strong< T1, Tags... > a, T2 b) |
| template<std::integral T1, std::integral T2, typename... Tags> | |
| auto | operator== (T1 a, Strong< T2, Tags... > b) |
| bool | operator> (const ASN1_Time &, const ASN1_Time &) |
| bool | operator> (const BigInt &a, const BigInt &b) |
| bool | operator> (const BigInt &a, word b) |
| bool | operator>= (const ASN1_Time &, const ASN1_Time &) |
| bool | operator>= (const BigInt &a, const BigInt &b) |
| bool | operator>= (const BigInt &a, word b) |
| BigInt | operator>> (const BigInt &x, size_t shift) |
| int | operator>> (int fd, Pipe &pipe) |
| std::istream & | operator>> (std::istream &in, Pipe &pipe) |
| std::istream & | operator>> (std::istream &in, X509_DN &dn) |
| std::istream & | operator>> (std::istream &stream, BigInt &n) |
| template<std::integral T, typename... Tags> | |
| constexpr decltype(auto) | operator>> (Strong< T, Tags... > a, Strong< T, Tags... > b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr decltype(auto) | operator>> (Strong< T1, Tags... > a, T2 b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr decltype(auto) | operator>> (T1 a, Strong< T2, Tags... > b) |
| template<std::integral T, typename... Tags> | |
| constexpr auto | operator>>= (Strong< T, Tags... > &a, Strong< T, Tags... > b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr auto | operator>>= (Strong< T1, Tags... > &a, T2 b) |
| OctetString | operator^ (const OctetString &k1, const OctetString &k2) |
| template<std::integral T, typename... Tags> | |
| constexpr decltype(auto) | operator^ (Strong< T, Tags... > a, Strong< T, Tags... > b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr decltype(auto) | operator^ (Strong< T1, Tags... > a, T2 b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr decltype(auto) | operator^ (T1 a, Strong< T2, Tags... > b) |
| template<typename Alloc , typename Alloc2 > | |
| std::vector< uint8_t, Alloc > & | operator^= (std::vector< uint8_t, Alloc > &out, const std::vector< uint8_t, Alloc2 > &in) |
| template<std::integral T, typename... Tags> | |
| constexpr auto | operator^= (Strong< T, Tags... > &a, Strong< T, Tags... > b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr auto | operator^= (Strong< T1, Tags... > &a, T2 b) |
| ASN1_Class | operator| (ASN1_Class x, ASN1_Class y) |
| uint32_t | operator| (ASN1_Class x, ASN1_Type y) |
| uint32_t | operator| (ASN1_Type x, ASN1_Class y) |
| ASN1_Type | operator| (ASN1_Type x, ASN1_Type y) |
| constexpr donna128 | operator| (const donna128 &x, const donna128 &y) |
| constexpr donna128 | operator| (const donna128 &x, uint64_t y) |
| ECIES_Flags | operator| (ECIES_Flags a, ECIES_Flags b) |
| template<std::integral T, typename... Tags> | |
| constexpr decltype(auto) | operator| (Strong< T, Tags... > a, Strong< T, Tags... > b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr decltype(auto) | operator| (Strong< T1, Tags... > a, T2 b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr decltype(auto) | operator| (T1 a, Strong< T2, Tags... > b) |
| template<std::integral T, typename... Tags> | |
| constexpr auto | operator|= (Strong< T, Tags... > &a, Strong< T, Tags... > b) |
| template<std::integral T1, std::integral T2, typename... Tags> requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>) | |
| constexpr auto | operator|= (Strong< T1, Tags... > &a, T2 b) |
| std::pair< BigInt, BigInt > | OS2ECP (const uint8_t data[], size_t data_len, const BigInt &curve_p, const BigInt &curve_a, const BigInt &curve_b) |
| EC_Point | OS2ECP (const uint8_t data[], size_t data_len, const CurveGFp &curve) |
| EC_Point | OS2ECP (std::span< const uint8_t > data, const CurveGFp &curve) |
| template<typename T > requires std::is_default_constructible_v<T> | |
| constexpr auto | out_opt (std::optional< T > &outopt) noexcept |
| template<typename T > | |
| constexpr auto | out_ptr (T &outptr) noexcept |
| template<class... Ts> | |
| overloaded (Ts...) -> overloaded< Ts... > | |
| std::vector< std::string > | parse_algorithm_name (std::string_view namex) |
| bool | passes_miller_rabin_test (const BigInt &n, const Modular_Reducer &mod_n, const std::shared_ptr< Montgomery_Params > &monty_n, const BigInt &a) |
| secure_vector< uint8_t > | pbes2_decrypt (std::span< const uint8_t > key_bits, std::string_view passphrase, const std::vector< uint8_t > ¶ms) |
| std::pair< AlgorithmIdentifier, std::vector< uint8_t > > | pbes2_encrypt (std::span< const uint8_t > key_bits, std::string_view passphrase, std::chrono::milliseconds msec, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng) |
| std::pair< AlgorithmIdentifier, std::vector< uint8_t > > | pbes2_encrypt_iter (std::span< const uint8_t > key_bits, std::string_view passphrase, size_t pbkdf_iter, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng) |
| std::pair< AlgorithmIdentifier, std::vector< uint8_t > > | pbes2_encrypt_msec (std::span< const uint8_t > key_bits, std::string_view passphrase, std::chrono::milliseconds msec, size_t *out_iterations_if_nonnull, std::string_view cipher, std::string_view digest, RandomNumberGenerator &rng) |
| void | pbkdf2 (MessageAuthenticationCode &prf, uint8_t out[], size_t out_len, const uint8_t salt[], size_t salt_len, size_t iterations) |
| size_t | pbkdf2 (MessageAuthenticationCode &prf, uint8_t out[], size_t out_len, std::string_view password, const uint8_t salt[], size_t salt_len, size_t iterations, std::chrono::milliseconds msec) |
| std::vector< uint8_t > | pkcs_hash_id (std::string_view name) |
| void | poly_double_n (uint8_t buf[], size_t n) |
| void | poly_double_n (uint8_t out[], const uint8_t in[], size_t n) |
| void | poly_double_n_le (uint8_t out[], const uint8_t in[], size_t n) |
| bool | poly_double_supported_size (size_t n) |
| BigInt | power_mod (const BigInt &base, const BigInt &exp, const BigInt &mod) |
| uint64_t | prefetch_array_raw (size_t bytes, const void *arrayv) noexcept |
| template<typename T , size_t... Ns> requires std::is_integral<T>::value | |
| T | prefetch_arrays (T(&... arr)[Ns]) noexcept |
| BOTAN_TEST_API const BigInt & | prime_p192 () |
| BOTAN_TEST_API const BigInt & | prime_p224 () |
| BOTAN_TEST_API const BigInt & | prime_p256 () |
| BOTAN_TEST_API const BigInt & | prime_p384 () |
| BOTAN_TEST_API const BigInt & | prime_p521 () |
| std::vector< std::string > | probe_provider_private_key (std::string_view alg_name, const std::vector< std::string > &possible) |
| template<typename T > | |
| std::vector< std::string > | probe_providers_of (std::string_view algo_spec, const std::vector< std::string > &possible={"base"}) |
| gf2m | random_code_element (uint16_t code_length, RandomNumberGenerator &rng) |
| gf2m | random_gf2m (RandomNumberGenerator &rng) |
| BigInt | random_prime (RandomNumberGenerator &rng, size_t bits, const BigInt &coprime, size_t equiv, size_t modulo, size_t prob) |
| BigInt | random_safe_prime (RandomNumberGenerator &rng, size_t bits) |
| std::map< std::string, std::string > | read_cfg (std::istream &is) |
| BOTAN_TEST_API std::map< std::string, std::string > | read_kv (std::string_view kv) |
| template<WordType W, size_t N, W C> | |
| constexpr std::array< W, N > | redc_crandall (std::span< const W, 2 *N > z) |
| void | redc_mul (int64_t &s1, int64_t &s2, int64_t &s3, int64_t &s4, int64_t &s5, int64_t &s6, int64_t &X) |
| BOTAN_TEST_API void | redc_p192 (BigInt &x, secure_vector< word > &ws) |
| BOTAN_TEST_API void | redc_p224 (BigInt &x, secure_vector< word > &ws) |
| BOTAN_TEST_API void | redc_p256 (BigInt &x, secure_vector< word > &ws) |
| BOTAN_TEST_API void | redc_p384 (BigInt &x, secure_vector< word > &ws) |
| BOTAN_TEST_API void | redc_p521 (BigInt &x, secure_vector< word > &ws) |
| template<typename RetT , typename KeyT , typename ReducerT > requires std::is_convertible_v<ReducerT, std::function<RetT(RetT, const KeyT&)>> | |
| RetT | reduce (const std::vector< KeyT > &keys, RetT acc, ReducerT reducer) |
| template<std::unsigned_integral T> requires (sizeof(T) == 1 || sizeof(T) == 2 || sizeof(T) == 4 || sizeof(T) == 8) | |
| constexpr T | reverse_bytes (T x) |
| secure_vector< uint8_t > | rfc3394_keyunwrap (const secure_vector< uint8_t > &key, const SymmetricKey &kek) |
| secure_vector< uint8_t > | rfc3394_keywrap (const secure_vector< uint8_t > &key, const SymmetricKey &kek) |
| size_t | RFC4880_decode_count (uint8_t iter) |
| uint8_t | RFC4880_encode_count (size_t desired_iterations) |
| size_t | RFC4880_round_iterations (size_t iterations) |
| template<size_t R1, size_t R2, size_t R3, typename T > | |
| constexpr T | rho (T x) |
| Gf448Elem | root (const Gf448Elem &elem) |
Compute the root of elem in the field. | |
| template<size_t R> | |
| SIMD_16x32 | rotl (SIMD_16x32 input) |
| template<size_t R> | |
| SIMD_4x32 | rotl (SIMD_4x32 input) |
| template<size_t R> | |
| SIMD_8x32 | rotl (SIMD_8x32 input) |
| template<size_t ROT, typename T > requires (ROT > 0 && ROT < 8 * sizeof(T)) | |
| constexpr T | rotl (T input) |
| template<typename T > | |
| constexpr T | rotl_var (T input, size_t rot) |
| template<size_t R> | |
| SIMD_16x32 | rotr (SIMD_16x32 input) |
| template<size_t R> | |
| SIMD_4x32 | rotr (SIMD_4x32 input) |
| template<size_t R> | |
| SIMD_8x32 | rotr (SIMD_8x32 input) |
| template<size_t ROT, typename T > requires (ROT > 0 && ROT < 8 * sizeof(T)) | |
| constexpr T | rotr (T input) |
| template<typename T > | |
| constexpr T | rotr_var (T input, size_t rot) |
| constexpr size_t | round_up (size_t n, size_t align_to) |
| std::string | runtime_version_check (uint32_t major, uint32_t minor, uint32_t patch) |
| template<typename T > | |
| bool | same_mem (const T *p1, const T *p2, size_t n) |
| BOTAN_FORCE_INLINE void | SBoxD0 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d) |
| BOTAN_FORCE_INLINE void | SBoxD1 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d) |
| BOTAN_FORCE_INLINE void | SBoxD2 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d) |
| BOTAN_FORCE_INLINE void | SBoxD3 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d) |
| BOTAN_FORCE_INLINE void | SBoxD4 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d) |
| BOTAN_FORCE_INLINE void | SBoxD5 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d) |
| BOTAN_FORCE_INLINE void | SBoxD6 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d) |
| BOTAN_FORCE_INLINE void | SBoxD7 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d) |
| BOTAN_FORCE_INLINE void | SBoxE0 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d) |
| BOTAN_FORCE_INLINE void | SBoxE1 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d) |
| BOTAN_FORCE_INLINE void | SBoxE2 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d) |
| BOTAN_FORCE_INLINE void | SBoxE3 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d) |
| BOTAN_FORCE_INLINE void | SBoxE4 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d) |
| BOTAN_FORCE_INLINE void | SBoxE5 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d) |
| BOTAN_FORCE_INLINE void | SBoxE6 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d) |
| BOTAN_FORCE_INLINE void | SBoxE7 (SIMD_16x32 &a, SIMD_16x32 &b, SIMD_16x32 &c, SIMD_16x32 &d) |
| void | sc_muladd (uint8_t *, const uint8_t *, const uint8_t *, const uint8_t *) |
| void | sc_reduce (uint8_t *) |
| void | scrypt (uint8_t output[], size_t output_len, const char *password, size_t password_len, const uint8_t salt[], size_t salt_len, size_t N, size_t r, size_t p) |
| void | scrypt (uint8_t output[], size_t output_len, std::string_view password, const uint8_t salt[], size_t salt_len, size_t N, size_t r, size_t p) |
| void | secure_scrub_memory (ranges::contiguous_output_range auto &&data) |
| void | secure_scrub_memory (void *ptr, size_t n) |
| constexpr void | set_mem (uint8_t *ptr, size_t n, uint8_t val) |
| BOTAN_FORCE_INLINE void | SHA2_32_F (uint32_t A, uint32_t B, uint32_t C, uint32_t &D, uint32_t E, uint32_t F, uint32_t G, uint32_t &H, uint32_t &M1, uint32_t M2, uint32_t M3, uint32_t M4, uint32_t magic) |
| BOTAN_FORCE_INLINE void | SHA2_64_F (uint64_t A, uint64_t B, uint64_t C, uint64_t &D, uint64_t E, uint64_t F, uint64_t G, uint64_t &H, uint64_t &M1, uint64_t M2, uint64_t M3, uint64_t M4, uint64_t magic) |
| template<size_t S, WordType W, size_t N> | |
| constexpr W | shift_left (std::array< W, N > &x) |
| template<size_t S, WordType W, size_t N> | |
| constexpr W | shift_right (std::array< W, N > &x) |
| template<size_t S> | |
| SIMD_16x32 | shl (SIMD_16x32 input) |
| template<size_t S> | |
| SIMD_4x32 | shl (SIMD_4x32 input) |
| template<size_t S> | |
| SIMD_8x32 | shl (SIMD_8x32 input) |
| const char * | short_version_cstr () |
| std::string | short_version_string () |
| template<size_t R1, size_t R2, size_t S, typename T > | |
| constexpr T | sigma (T x) |
| std::array< uint8_t, 2 *ED448_LEN > | sign_message (std::span< const uint8_t, ED448_LEN > sk, std::span< const uint8_t, ED448_LEN > pk, bool f, std::span< const uint8_t > context, std::span< const uint8_t > msg) |
| Sign a message using a keypair (RFC 8032 5.2.6) | |
| template<typename T > requires (std::is_integral<T>::value) | |
| constexpr size_t | significant_bytes (T n) |
| std::vector< uint8_t > | sm2_compute_za (HashFunction &hash, std::string_view user_id, const EC_Group &group, const EC_Point &point) |
| std::vector< std::string > | split_on (std::string_view str, char delim) |
| BigInt | sqrt_modulo_prime (const BigInt &a, const BigInt &p) |
| BigInt | square (const BigInt &x) |
| Gf448Elem | square (const Gf448Elem &elem) |
| Computes elem^2. Faster than operator*. | |
| std::pair< BigInt, SymmetricKey > | srp6_client_agree (std::string_view identifier, std::string_view password, const DL_Group &group, std::string_view hash_id, const std::vector< uint8_t > &salt, const BigInt &B, const size_t a_bits, RandomNumberGenerator &rng) |
| std::pair< BigInt, SymmetricKey > | srp6_client_agree (std::string_view identifier, std::string_view password, std::string_view group_id, std::string_view hash_id, const std::vector< uint8_t > &salt, const BigInt &B, RandomNumberGenerator &rng) |
| BigInt | srp6_generate_verifier (std::string_view identifier, std::string_view password, const std::vector< uint8_t > &salt, const DL_Group &group, std::string_view hash_id) |
| BigInt | srp6_generate_verifier (std::string_view identifier, std::string_view password, const std::vector< uint8_t > &salt, std::string_view group_id, std::string_view hash_id) |
| std::string | srp6_group_identifier (const BigInt &N, const BigInt &g) |
| template<typename ModifierT = detail::AutoDetect, typename... ParamTs> | |
| constexpr auto | store_be (ParamTs &&... params) |
| template<typename ModifierT = detail::AutoDetect, typename... ParamTs> | |
| constexpr auto | store_le (ParamTs &&... params) |
| std::string | string_join (const std::vector< std::string > &strs, char delim) |
| std::optional< uint32_t > | string_to_ipv4 (std::string_view str) |
| template<typename T > | |
| constexpr void | swap_bits (T &x, T &y, T mask, size_t shift) |
| template<std::unsigned_integral T> | |
| constexpr T | swar_in_range (T v, T lower, T upper) |
| template<std::unsigned_integral T> | |
| constexpr T | swar_lt (T a, T b) |
| std::vector< polyn_gf2m > | syndrome_init (const polyn_gf2m &generator, const std::vector< gf2m > &support, int n) |
| RandomNumberGenerator & | system_rng () |
| void | theta (SIMD_4x32 &A0, SIMD_4x32 &A1, SIMD_4x32 &A2, SIMD_4x32 &A3, const SIMD_4x32 &K0, const SIMD_4x32 &K1, const SIMD_4x32 &K2, const SIMD_4x32 &K3) |
| void | throw_invalid_argument (const char *message, const char *func, const char *file) |
| void | throw_invalid_state (const char *expr, const char *func, const char *file) |
| template<concepts::contiguous_container T = std::vector<uint8_t>> | |
| T | to_byte_vector (std::string_view s) |
| const char * | to_string (Certificate_Status_Code code) |
| std::string | to_string (ErrorType type) |
| Convert an ErrorType to string. | |
| std::string | to_string (std::span< const uint8_t > bytes) |
| uint32_t | to_u32bit (std::string_view str_view) |
| uint16_t | to_uint16 (std::string_view str) |
| template<typename T > requires std::is_enum_v<T> | |
| auto | to_underlying (T e) noexcept |
| std::string | tolower_string (std::string_view in) |
| void | treehash (StrongSpan< SphincsTreeNode > out_root, StrongSpan< SphincsAuthenticationPath > out_auth_path, const Sphincs_Parameters ¶ms, Sphincs_Hash_Functions &hashes, std::optional< TreeNodeIndex > leaf_idx, uint32_t idx_offset, uint32_t total_tree_height, const GenerateLeafFunction &gen_leaf, Sphincs_Address &tree_address) |
| template<concepts::contiguous_strong_type TreeNode, concepts::strong_span AuthPathSS, concepts::tree_node_index TreeNodeIndex, concepts::tree_layer_index TreeLayerIndex, typename Address > requires concepts::tree_address<Address, TreeLayerIndex, TreeNodeIndex> | |
| void | treehash (StrongSpan< TreeNode > out_root, std::optional< AuthPathSS > out_auth_path, std::optional< TreeNodeIndex > leaf_idx, size_t node_size, TreeLayerIndex total_tree_height, uint32_t idx_offset, concepts::tree_hash_node_pair< TreeNodeIndex, TreeLayerIndex, Address, StrongSpan< TreeNode > > auto node_pair_hash, concepts::tree_gen_leaf< TreeNodeIndex, TreeLayerIndex, Address, StrongSpan< TreeNode > > auto gen_leaf, Address &tree_address) |
| Treehash logic to build up a merkle hash tree. | |
| template<typename To > requires std::is_trivial<To>::value | |
| constexpr To | typecast_copy (const uint8_t src[]) noexcept |
| template<typename ToT , ranges::contiguous_range FromR> requires std::is_default_constructible_v<ToT> && std::is_trivially_copyable_v<ToT> && std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>> | |
| constexpr ToT | typecast_copy (FromR &&src) noexcept |
| template<typename T > requires std::is_trivial<typename std::decay<T>::type>::value | |
| constexpr void | typecast_copy (T &out, const uint8_t in[]) |
| template<typename T > requires std::is_trivial<T>::value | |
| constexpr void | typecast_copy (T out[], const uint8_t in[], size_t N) |
| template<ranges::contiguous_output_range ToR, typename FromT > requires std::is_trivially_copyable_v<FromT> && (!std::ranges::range<FromT>) && std::is_trivially_copyable_v<std::ranges::range_value_t<ToR>> | |
| constexpr void | typecast_copy (ToR &&out, const FromT &in) |
| template<ranges::contiguous_output_range ToR, ranges::contiguous_range FromR> requires std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>> && std::is_trivially_copyable_v<std::ranges::range_value_t<ToR>> | |
| constexpr void | typecast_copy (ToR &&out, FromR &&in) |
| template<typename ToT , ranges::contiguous_range FromR> requires std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>> && std::is_trivially_copyable_v<ToT> && (!std::ranges::range<ToT>) | |
| constexpr void | typecast_copy (ToT &out, FromR &&in) noexcept |
| template<typename T > | |
| constexpr void | typecast_copy (uint8_t out[], const T &in) |
| template<typename T > requires std::is_trivially_copyable<T>::value | |
| constexpr void | typecast_copy (uint8_t out[], T in[], size_t N) |
| std::string | ucs2_to_utf8 (const uint8_t ucs2[], size_t len) |
| std::string | ucs4_to_utf8 (const uint8_t ucs4[], size_t len) |
| template<typename T > | |
| std::vector< T > | unlock (const secure_vector< T > &in) |
| template<typename T > | |
| constexpr decltype(auto) | unwrap_strong_type (T &&t) |
| Generically unwraps a strong type to its underlying type. | |
| template<typename T , typename OT > | |
| bool | value_exists (const std::vector< T > &vec, const OT &val) |
| constexpr size_t | var_ctz32 (uint32_t n) |
| void | vartime_divide (const BigInt &x, const BigInt &y_arg, BigInt &q_out, BigInt &r_out) |
| bool | verify_signature (std::span< const uint8_t, ED448_LEN > pk, bool phflag, std::span< const uint8_t > context, std::span< const uint8_t > sig, std::span< const uint8_t > msg) |
| Verify a signature(RFC 8032 5.2.7) | |
| const char * | version_cstr () |
| uint32_t | version_datestamp () |
| uint32_t | version_major () |
| uint32_t | version_minor () |
| uint32_t | version_patch () |
| std::string | version_string () |
| template<WordType W> | |
| constexpr void | word3_add (W *w2, W *w1, W *w0, W x) |
| template<WordType W> | |
| constexpr void | word3_muladd (W *w2, W *w1, W *w0, W x, W y) |
| template<WordType W> | |
| constexpr void | word3_muladd_2 (W *w2, W *w1, W *w0, W x, W y) |
| template<WordType W> | |
| constexpr auto | word4_add3 (W z[4], const W x[4], const W y[4], W carry) -> W |
| template<WordType W> | |
| constexpr auto | word4_sub3 (W z[4], const W x[4], const W y[4], W carry) -> W |
| template<WordType W> | |
| constexpr auto | word8_add2 (W x[8], const W y[8], W carry) -> W |
| template<WordType W> | |
| constexpr auto | word8_add3 (W z[8], const W x[8], const W y[8], W carry) -> W |
| template<WordType W> | |
| constexpr auto | word8_linmul2 (W x[8], W y, W carry) -> W |
| template<WordType W> | |
| constexpr auto | word8_linmul3 (W z[8], const W x[8], W y, W carry) -> W |
| template<WordType W> | |
| constexpr auto | word8_madd3 (W z[8], const W x[8], W y, W carry) -> W |
| template<WordType W> | |
| constexpr auto | word8_sub2 (W x[8], const W y[8], W carry) -> W |
| template<WordType W> | |
| constexpr auto | word8_sub2_rev (W x[8], const W y[8], W carry) -> W |
| template<WordType W> | |
| constexpr auto | word8_sub3 (W z[8], const W x[8], const W y[8], W carry) -> W |
| template<WordType W> | |
| constexpr auto | word_add (W x, W y, W *carry) -> W |
| template<WordType W> | |
| constexpr auto | word_madd2 (W a, W b, W *c) -> W |
| template<WordType W> | |
| constexpr auto | word_madd3 (W a, W b, W c, W *d) -> W |
| template<WordType W> | |
| constexpr auto | word_sub (W x, W y, W *carry) -> W |
| constexpr size_t | words_for_bits (size_t x) |
| WotsPublicKey | wots_public_key_from_signature (const SphincsTreeNode &hashed_message, StrongSpan< const WotsSignature > signature, Sphincs_Address &address, const Sphincs_Parameters ¶ms, Sphincs_Hash_Functions &hashes) |
| FIPS 205, Algorithm 8: wots_pkFromSig. | |
| void | wots_sign_and_pkgen (StrongSpan< WotsSignature > sig_out, StrongSpan< SphincsTreeNode > leaf_out, const SphincsSecretSeed &secret_seed, TreeNodeIndex leaf_idx, std::optional< TreeNodeIndex > sign_leaf_idx, const std::vector< WotsHashIndex > &wots_steps, Sphincs_Address &leaf_addr, Sphincs_Address &pk_addr, const Sphincs_Parameters ¶ms, Sphincs_Hash_Functions &hashes) |
| FIPS 205, Algorithm 6 and 7: wots_pkGen and wots_sign. | |
| template<typename T , typename ParamT > requires std::constructible_from<T, ParamT> || (concepts::strong_type<T> && std::constructible_from<typename T::wrapped_type, ParamT>) | |
| constexpr decltype(auto) | wrap_strong_type (ParamT &&t) |
| Wraps a value into a caller-defined (strong) type. | |
| Point448 | x448 (const ScalarX448 &k, const Point448 &u) |
Multiply a scalar k with a point u. | |
| Point448 | x448_basepoint (const ScalarX448 &k) |
| Multiply a scalar with the base group element (5) | |
| Path_Validation_Result | x509_path_validate (const std::vector< X509_Certificate > &end_certs, const Path_Validation_Restrictions &restrictions, const Certificate_Store &store, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point when, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp) |
| Path_Validation_Result | x509_path_validate (const std::vector< X509_Certificate > &end_certs, const Path_Validation_Restrictions &restrictions, const std::vector< Certificate_Store * > &trusted_roots, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point ref_time, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp) |
| Path_Validation_Result | x509_path_validate (const X509_Certificate &end_cert, const Path_Validation_Restrictions &restrictions, const Certificate_Store &store, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point when, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp) |
| Path_Validation_Result | x509_path_validate (const X509_Certificate &end_cert, const Path_Validation_Restrictions &restrictions, const std::vector< Certificate_Store * > &trusted_roots, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point when, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp) |
| SphincsTreeNode | xmss_gen_root (const Sphincs_Parameters ¶ms, const SphincsSecretSeed &secret_seed, Sphincs_Hash_Functions &hashes) |
| SphincsTreeNode | xmss_sign_and_pkgen (StrongSpan< SphincsXmssSignature > out_sig, const SphincsTreeNode &message, const SphincsSecretSeed &secret_seed, Sphincs_Address &wots_addr, Sphincs_Address &tree_addr, std::optional< TreeNodeIndex > idx_leaf, const Sphincs_Parameters ¶ms, Sphincs_Hash_Functions &hashes) |
| FIPS 205, Algorithm 10: xmss_sign. | |
| constexpr void | xor_buf (ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in) |
| constexpr void | xor_buf (ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in1, ranges::contiguous_range< uint8_t > auto &&in2) |
| void | xor_buf (std::span< uint8_t > out, std::span< const uint8_t > in, size_t n) |
| template<typename Alloc , typename Alloc2 > | |
| void | xor_buf (std::vector< uint8_t, Alloc > &out, const uint8_t *in, const std::vector< uint8_t, Alloc2 > &in2, size_t n) |
| template<typename Alloc > | |
| void | xor_buf (std::vector< uint8_t, Alloc > &out, const uint8_t *in, size_t n) |
| void | xor_buf (uint8_t out[], const uint8_t in[], const uint8_t in2[], size_t length) |
| void | xor_buf (uint8_t out[], const uint8_t in[], size_t length) |
| void | xts_update_tweak_block (uint8_t tweak[], size_t BS, size_t blocks_in_tweak) |
| template<typename T , typename Alloc > | |
| void | zap (std::vector< T, Alloc > &vec) |
| template<typename T , typename Alloc > | |
| void | zeroise (std::vector< T, Alloc > &vec) |
Variables | |
| const SIMD_8x32 & | b |
| constexpr size_t | BLAKE2B_BLOCKBYTES = 128 |
| constexpr size_t | BYTES_448 = ceil_tobytes(448) |
| constexpr size_t | ED448_LEN = 57 |
| const size_t | HEX_CODEC_BUFFER_SIZE = 256 |
| template<typename T > | |
| constexpr bool | is_strong_span_v = is_strong_span<T>::value |
| template<typename... Ts> | |
| constexpr bool | is_strong_type_v = is_strong_type<std::remove_const_t<Ts>...>::value |
| constexpr size_t | LMS_IDENTIFIER_LEN = 16 |
| The length in bytes of the LMS identifier (I). | |
| const size_t | MAX_EXT_DEG = 16 |
| const size_t | PRIME_TABLE_SIZE = 6541 |
| const uint16_t | PRIMES [] |
| const uint64_t | STREEBOG_Ax [8][256] |
| const uint64_t | STREEBOG_C [12][8] |
| constexpr size_t | WORDS_448 = 7 |
| constexpr size_t | X448_LEN = 56 |
Detailed Description
Wrapper for truncated hashes (C) 2023 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity
Botan is released under the Simplified BSD License (see license.txt)
(C) 2019 Jack Lloyd
Botan is released under the Simplified BSD License (see license.txt)
(C) 2018,2019,2021 Jack Lloyd
Botan is released under the Simplified BSD License (see license.txt)
(C) 2018,2019,2022 Jack Lloyd
Botan is released under the Simplified BSD License (see license.txt)
(C) 2018,2019 Jack Lloyd
Botan is released under the Simplified BSD License (see license.txt)
(C) 2023 Jack Lloyd
Botan is released under the Simplified BSD License (see license.txt)
(C) 2022 Jack Lloyd
Botan is released under the Simplified BSD License (see license.txt)
(C) 2018 Jack Lloyd (C) 2018 Ribose Inc
Botan is released under the Simplified BSD License (see license.txt)
Symmetric primitives for dilithium
(C) 2022-2023 Jack Lloyd (C) 2022-2023 Michael Boric, René Meusel - Rohde & Schwarz Cybersecurity (C) 2022 Manuel Glaser - Rohde & Schwarz Cybersecurity (C) 2024 Fabian Albert, René Meusel - Rohde & Schwarz Cybersecurity
Botan is released under the Simplified BSD License (see license.txt)
HSS - Hierarchical Signatures System (RFC 8554) (C) 2023 Jack Lloyd 2023 Fabian Albert, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH
Botan is released under the Simplified BSD License (see license.txt)
HSS-LMS (C) 2023 Jack Lloyd 2023 Fabian Albert, René Meusel, Amos Treiber - Rohde & Schwarz Cybersecurity
Botan is released under the Simplified BSD License (see license.txt)
Utils for HSS/LMS (C) 2023 Jack Lloyd 2023 Fabian Albert, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH
Botan is released under the Simplified BSD License (see license.txt)
LM-OTS - Leighton-Micali One-Time Signatures (C) 2023 Jack Lloyd 2023 Fabian Albert, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH
Botan is released under the Simplified BSD License (see license.txt)
LM-OTS - Leighton-Micali One-Time Signatures (RFC 8554 Section 4) (C) 2023 Jack Lloyd 2023 Fabian Albert, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH
Botan is released under the Simplified BSD License (see license.txt)
LMS - Leighton-Micali Hash-Based Signatures (RFC 8554) (C) 2023 Jack Lloyd 2023 Fabian Albert, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH
Botan is released under the Simplified BSD License (see license.txt)
Ordinary applications should never need to include or use this header. It is exposed only for specialized applications which want to implement new versions of public key crypto without merging them as changes to the library. One actual example of such usage is an application which creates RSA signatures using a custom TPM library. Unless you're doing something like that, you don't need anything here. Instead use pubkey.h which wraps these types safely and provides a stable application-oriented API.
Note: This header was accidentally pulled from the public API between Botan 3.0.0 and 3.2.0, and then restored in 3.3.0. If you are maintaining an application which used this header in Botan 2.x, you should make sure to use Botan 3.3.0 or later when migrating.
Hybrid Session Manager emitting both Tickets and storing sessions in Memory (C) 2023 Jack Lloyd (C) 2023 René Meusel - Rohde & Schwarz Cybersecurity
Botan is released under the Simplified BSD License (see license.txt)
TLS Session Manager in Memory (C) 2011 Jack Lloyd (C) 2023 René Meusel - Rohde & Schwarz Cybersecurity
Botan is released under the Simplified BSD License (see license.txt)
TLS Stateless Session Manager for stateless servers (C) 2023 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity
Botan is released under the Simplified BSD License (see license.txt)
Useful concepts that are available throughout the library (C) 2023 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity
Botan is released under the Simplified BSD License (see license.txt)
A wrapper class to implement strong types (C) 2022 Jack Lloyd 2022 René Meusel - Rohde & Schwarz Cybersecurity
Botan is released under the Simplified BSD License (see license.txt)
Treehash logic used for hash-based signatures (C) 2023 Jack Lloyd 2023 Fabian Albert, René Meusel, Amos Treiber, Philippe Lieser - Rohde & Schwarz Cybersecurity GmbH
Parts of this file have been adapted from https://github.com/sphincs/sphincsplus
Botan is released under the Simplified BSD License (see license.txt)
utilities for PKIX::build_all_certificate_paths
Typedef Documentation
◆ Altivec32x4
| typedef __vector unsigned int Botan::Altivec32x4 |
Definition at line 23 of file aes_power8.cpp.
◆ Altivec64x2
| typedef __vector unsigned long long Botan::Altivec64x2 |
Definition at line 22 of file aes_power8.cpp.
◆ Altivec8x16
| typedef __vector unsigned char Botan::Altivec8x16 |
Definition at line 24 of file aes_power8.cpp.
◆ Bounded_XOF
template<size_t bound>
| using Botan::Bounded_XOF = detail::Bounded_XOF<XOF&, bound> |
Definition at line 221 of file pqcrystals_helpers.h.
◆ byte
| using Botan::byte = std::uint8_t |
◆ CCCryptorStatus
| typedef int32_t Botan::CCCryptorStatus |
Definition at line 24 of file commoncrypto.h.
◆ CertificatePathStatusCodes
| typedef std::vector<std::set<Certificate_Status_Code> > Botan::CertificatePathStatusCodes |
This type represents the validation status of an entire certificate path. There is one set of status codes for each certificate in the path.
Definition at line 29 of file x509path.h.
◆ Curve25519_PrivateKey
Definition at line 18 of file curve25519.h.
◆ Curve25519_PublicKey
Definition at line 17 of file curve25519.h.
◆ DilithiumCommitmentHash
| using Botan::DilithiumCommitmentHash = Strong<std::vector<uint8_t>, struct DilithiumCommitmentHash_> |
Hash of the message representative and the signer's commitment.
Definition at line 64 of file dilithium_types.h.
◆ DilithiumHashedPublicKey
| using Botan::DilithiumHashedPublicKey = Strong<std::vector<uint8_t>, struct DilithiumHashedPublicKey_> |
Hash value of the serialized public key data (result of H(BytesToBits(pkEncode(pk)), also referred to as 'tr')
Definition at line 52 of file dilithium_types.h.
◆ DilithiumInternalKeypair
Initial value:
std::pair<std::shared_ptr<Dilithium_PublicKeyInternal>, std::shared_ptr<Dilithium_PrivateKeyInternal>>
Internal representation of a Dilithium key pair.
Definition at line 67 of file dilithium_types.h.
◆ DilithiumMessageRepresentative
| using Botan::DilithiumMessageRepresentative = Strong<std::vector<uint8_t>, struct DilithiumMessageRepresentative_> |
Representation of the message to be signed.
Definition at line 55 of file dilithium_types.h.
◆ DilithiumOptionalRandomness
| using Botan::DilithiumOptionalRandomness = Strong<secure_vector<uint8_t>, struct DilithiumOptionalRandomness_> |
Optional randomness 'rnd' used for rho prime computation in ML-DSA.
Definition at line 39 of file dilithium_types.h.
◆ DilithiumPoly
| using Botan::DilithiumPoly = Botan::CRYSTALS::Polynomial<DilithiumPolyTraits, Botan::CRYSTALS::Domain::Normal> |
Definition at line 26 of file dilithium_types.h.
◆ DilithiumPolyMatNTT
Definition at line 24 of file dilithium_types.h.
◆ DilithiumPolyNTT
| using Botan::DilithiumPolyNTT = Botan::CRYSTALS::Polynomial<DilithiumPolyTraits, Botan::CRYSTALS::Domain::NTT> |
Definition at line 22 of file dilithium_types.h.
◆ DilithiumPolyVec
| using Botan::DilithiumPolyVec = Botan::CRYSTALS::PolynomialVector<DilithiumPolyTraits, Botan::CRYSTALS::Domain::Normal> |
Definition at line 27 of file dilithium_types.h.
◆ DilithiumPolyVecNTT
| using Botan::DilithiumPolyVecNTT = Botan::CRYSTALS::PolynomialVector<DilithiumPolyTraits, Botan::CRYSTALS::Domain::NTT> |
Definition at line 23 of file dilithium_types.h.
◆ DilithiumSeedRandomness
| using Botan::DilithiumSeedRandomness = Strong<secure_vector<uint8_t>, struct DilithiumSeedRandomness_> |
Principal seed used to generate Dilithium key pairs.
Definition at line 30 of file dilithium_types.h.
◆ DilithiumSeedRho
| using Botan::DilithiumSeedRho = Strong<std::vector<uint8_t>, struct DilithiumPublicSeed_> |
Public seed to sample the polynomial matrix A from.
Definition at line 33 of file dilithium_types.h.
◆ DilithiumSeedRhoPrime
| using Botan::DilithiumSeedRhoPrime = Strong<secure_vector<uint8_t>, struct DilithiumSeedRhoPrime_> |
Private seed to sample the polynomial vectors s1 and s2 from.
Definition at line 36 of file dilithium_types.h.
◆ DilithiumSerializedCommitment
| using Botan::DilithiumSerializedCommitment = Strong<std::vector<uint8_t>, struct DilithiumSerializedCommitment_> |
Serialized representation of a commitment w1.
Definition at line 61 of file dilithium_types.h.
◆ DilithiumSerializedPrivateKey
| using Botan::DilithiumSerializedPrivateKey = Strong<secure_vector<uint8_t>, struct DilithiumSerializedPrivateKey_> |
Serialized private key data.
Definition at line 45 of file dilithium_types.h.
◆ DilithiumSerializedPublicKey
| using Botan::DilithiumSerializedPublicKey = Strong<std::vector<uint8_t>, struct DilithiumSerializedPublicKey_> |
Serialized public key data (result of pkEncode(pk))
Definition at line 48 of file dilithium_types.h.
◆ DilithiumSerializedSignature
| using Botan::DilithiumSerializedSignature = Strong<std::vector<uint8_t>, struct DilithiumSerializedSignature_> |
Serialized signature data.
Definition at line 58 of file dilithium_types.h.
◆ DilithiumSigningSeedK
| using Botan::DilithiumSigningSeedK = Strong<secure_vector<uint8_t>, struct DilithiumSeedK_> |
Private seed K used during signing.
Definition at line 42 of file dilithium_types.h.
◆ fe
Definition at line 140 of file ed25519_fe.h.
◆ ForsLeafSecret
| using Botan::ForsLeafSecret = Strong<secure_vector<uint8_t>, struct ForsLeafSecret_> |
Definition at line 71 of file sp_types.h.
◆ ForsSignature
| using Botan::ForsSignature = Strong<std::vector<uint8_t>, struct ForsSignature_> |
Definition at line 72 of file sp_types.h.
◆ FrodoDomainSeparator
| using Botan::FrodoDomainSeparator = Strong<std::array<uint8_t, 1>, struct FrodoDoaminSeparator_> |
Definition at line 47 of file frodo_types.h.
◆ FrodoIntermediateSharedSecret
| using Botan::FrodoIntermediateSharedSecret = Strong<secure_vector<uint8_t>, struct FrodoIntermediateSharedSecret_> |
Definition at line 56 of file frodo_types.h.
◆ FrodoPackedMatrix
| using Botan::FrodoPackedMatrix = Strong<std::vector<uint8_t>, struct FrodoPackedMatrix_> |
Definition at line 41 of file frodo_types.h.
◆ FrodoPlaintext
| using Botan::FrodoPlaintext = Strong<secure_vector<uint8_t>, struct FrodoPlaintext_> |
Definition at line 50 of file frodo_types.h.
◆ FrodoPublicKeyHash
| using Botan::FrodoPublicKeyHash = Strong<std::vector<uint8_t>, struct FrodoPublicKeyHash_> |
Definition at line 38 of file frodo_types.h.
◆ FrodoSalt
| using Botan::FrodoSalt = Strong<std::vector<uint8_t>, struct FrodoSalt_> |
Definition at line 53 of file frodo_types.h.
◆ FrodoSampleR
| using Botan::FrodoSampleR = Strong<secure_vector<uint8_t>, struct FrodoSampleR_> |
Definition at line 35 of file frodo_types.h.
◆ FrodoSeedA
| using Botan::FrodoSeedA = Strong<std::vector<uint8_t>, struct FrodoSeedA_> |
Definition at line 23 of file frodo_types.h.
◆ FrodoSeedS
| using Botan::FrodoSeedS = Strong<secure_vector<uint8_t>, struct FrodoSeedS_> |
Definition at line 26 of file frodo_types.h.
◆ FrodoSeedSE
| using Botan::FrodoSeedSE = Strong<secure_vector<uint8_t>, struct FrodoSeedSE_> |
Definition at line 29 of file frodo_types.h.
◆ FrodoSeedZ
| using Botan::FrodoSeedZ = Strong<std::vector<uint8_t>, struct FrodoSeedZ_> |
Definition at line 32 of file frodo_types.h.
◆ FrodoSerializedMatrix
| using Botan::FrodoSerializedMatrix = Strong<secure_vector<uint8_t>, struct FrodoSerializedMatrix_> |
Definition at line 44 of file frodo_types.h.
◆ GenerateLeafFunction
| using Botan::GenerateLeafFunction = std::function<void(StrongSpan<SphincsTreeNode> , TreeNodeIndex)> |
Definition at line 25 of file sp_treehash.h.
◆ gf2m
| typedef uint16_t Botan::gf2m |
Definition at line 20 of file gf2m_small_m.h.
◆ HSS_Level
| using Botan::HSS_Level = Strong<uint32_t, struct HSS_Level_, EnableArithmeticWithPlainNumber> |
◆ HSS_Sig_Idx
| using Botan::HSS_Sig_Idx = Strong<uint64_t, struct HSS_Sig_Idx_, EnableArithmeticWithPlainNumber> |
◆ HypertreeLayerIndex
| using Botan::HypertreeLayerIndex = Strong<uint32_t, struct HypertreeLayerIndex_> |
Index of a layer in the XMSS hyper-tree.
Definition at line 86 of file sp_types.h.
◆ InitializationVector
◆ Integrity_Failure
◆ KyberCompressedCiphertext
| using Botan::KyberCompressedCiphertext = Strong<std::vector<uint8_t>, struct KyberCompressedCiphertext_> |
Compressed and serialized ciphertext value.
Definition at line 63 of file kyber_types.h.
◆ KyberEncryptionRandomness
| using Botan::KyberEncryptionRandomness = Strong<secure_vector<uint8_t>, struct KyberEncryptionRandomness_> |
Random value used to generate the Kyber ciphertext.
Definition at line 48 of file kyber_types.h.
◆ KyberHashedCiphertext
| using Botan::KyberHashedCiphertext = Strong<std::vector<uint8_t>, struct KyberHashedCiphertext_> |
Hash of the compressed and serialized ciphertext value TODO: Remove this once Kyber-R3 is removed
Definition at line 67 of file kyber_types.h.
◆ KyberHashedPublicKey
| using Botan::KyberHashedPublicKey = Strong<std::vector<uint8_t>, struct KyberHashedPublicKey_> |
Hash value of the serialized public key.
Definition at line 60 of file kyber_types.h.
◆ KyberImplicitRejectionValue
| using Botan::KyberImplicitRejectionValue = Strong<secure_vector<uint8_t>, struct KyberImplicitRejectionValue_> |
Secret random value (called Z in the spec), used for implicit rejection in the decapsulation.
Definition at line 42 of file kyber_types.h.
◆ KyberInternalKeypair
Initial value:
std::pair<std::shared_ptr<Kyber_PublicKeyInternal>, std::shared_ptr<Kyber_PrivateKeyInternal>>
Definition at line 73 of file kyber_types.h.
◆ KyberMessage
| using Botan::KyberMessage = Strong<secure_vector<uint8_t>, struct KyberMessage_> |
Random message value to be encrypted by the CPA-secure Kyber encryption scheme.
Definition at line 45 of file kyber_types.h.
◆ KyberPoly
| using Botan::KyberPoly = Botan::CRYSTALS::Polynomial<KyberPolyTraits, Botan::CRYSTALS::Domain::Normal> |
Definition at line 29 of file kyber_types.h.
◆ KyberPolyMat
Definition at line 27 of file kyber_types.h.
◆ KyberPolyNTT
| using Botan::KyberPolyNTT = Botan::CRYSTALS::Polynomial<KyberPolyTraits, Botan::CRYSTALS::Domain::NTT> |
Definition at line 25 of file kyber_types.h.
◆ KyberPolyVec
| using Botan::KyberPolyVec = Botan::CRYSTALS::PolynomialVector<KyberPolyTraits, Botan::CRYSTALS::Domain::Normal> |
Definition at line 30 of file kyber_types.h.
◆ KyberPolyVecNTT
| using Botan::KyberPolyVecNTT = Botan::CRYSTALS::PolynomialVector<KyberPolyTraits, Botan::CRYSTALS::Domain::NTT> |
Definition at line 26 of file kyber_types.h.
◆ KyberSamplingRandomness
| using Botan::KyberSamplingRandomness = Strong<secure_vector<uint8_t>, struct KyberSamplingRandomness_> |
PRF value used for sampling of error polynomials.
Definition at line 51 of file kyber_types.h.
◆ KyberSeedRandomness
| using Botan::KyberSeedRandomness = Strong<secure_vector<uint8_t>, struct KyberSeedRandomness_> |
Principal seed used to generate Kyber key pairs.
Definition at line 33 of file kyber_types.h.
◆ KyberSeedRho
| using Botan::KyberSeedRho = Strong<std::vector<uint8_t>, struct KyberSeedRho_> |
Public seed value to generate the Kyber matrix A.
Definition at line 36 of file kyber_types.h.
◆ KyberSeedSigma
| using Botan::KyberSeedSigma = Strong<secure_vector<uint8_t>, struct KyberSeedSigma_> |
Private seed used to generate polynomial vectors s and e during key generation.
Definition at line 39 of file kyber_types.h.
◆ KyberSerializedPublicKey
| using Botan::KyberSerializedPublicKey = Strong<std::vector<uint8_t>, struct KyberSerializedPublicKey_> |
Public key in serialized form (t || rho)
Definition at line 57 of file kyber_types.h.
◆ KyberSharedSecret
| using Botan::KyberSharedSecret = Strong<secure_vector<uint8_t>, struct KyberSharedSecret_> |
Shared secret value generated during encapsulation and recovered during decapsulation.
Definition at line 54 of file kyber_types.h.
◆ KyberSigmaOrEncryptionRandomness
Initial value:
std::variant<StrongSpan<const KyberSeedSigma>, StrongSpan<const KyberEncryptionRandomness>>
Variant value of either a KyberSeedSigma or a KyberEncryptionRandomness.
Definition at line 70 of file kyber_types.h.
◆ LMOTS_K
| using Botan::LMOTS_K = Strong<std::vector<uint8_t>, struct LMOTS_K_> |
◆ LMOTS_Node
| using Botan::LMOTS_Node = Strong<secure_vector<uint8_t>, struct LMOTS_Node_> |
◆ LMOTS_Signature_Bytes
| using Botan::LMOTS_Signature_Bytes = Strong<std::vector<uint8_t>, struct LMOTS_Signature_Bytes_> |
◆ LMS_AuthenticationPath
| using Botan::LMS_AuthenticationPath = Strong<std::vector<uint8_t>, struct LMS_AuthenticationPath_> |
◆ LMS_Identifier
| using Botan::LMS_Identifier = Strong<std::vector<uint8_t>, struct LMS_Identifier_> |
◆ LMS_Message
| using Botan::LMS_Message = Strong<std::vector<uint8_t>, struct LMS_Message_> |
◆ LMS_Seed
| using Botan::LMS_Seed = Strong<secure_vector<uint8_t>, struct LMS_SEED_> |
◆ LMS_Signature_Bytes
| using Botan::LMS_Signature_Bytes = Strong<std::vector<uint8_t>, struct LMS_Signature_Bytes_> |
◆ LMS_Tree_Node
| using Botan::LMS_Tree_Node = Strong<std::vector<uint8_t>, struct LMS_Tree_Node_> |
◆ LMS_Tree_Node_Idx
| using Botan::LMS_Tree_Node_Idx = Strong<uint32_t, struct LMS_Tree_Node_Idx_, EnableArithmeticWithPlainNumber> |
◆ lock_guard_type
template<typename T >
| using Botan::lock_guard_type = lock_guard<T> |
◆ MAC
| typedef MessageAuthenticationCode Botan::MAC |
◆ ML_DSA_Mode
| using Botan::ML_DSA_Mode = DilithiumMode |
◆ ML_DSA_PrivateKey
◆ ML_DSA_PublicKey
◆ ML_KEM_Mode
| using Botan::ML_KEM_Mode = KyberMode |
◆ ML_KEM_PrivateKey
◆ ML_KEM_PublicKey
◆ mutex_type
| using Botan::mutex_type = noop_mutex |
◆ next_longer_int_t
template<std::signed_integral T>
| using Botan::next_longer_int_t |
◆ next_longer_uint_t
template<std::unsigned_integral T>
| using Botan::next_longer_uint_t |
Initial value:
Definition at line 28 of file pqcrystals_helpers.h.
◆ Point448
| using Botan::Point448 = Strong<std::array<uint8_t, X448_LEN>, struct Point448_> |
Definition at line 18 of file x448_internal.h.
◆ PointGFp
| typedef EC_Point Botan::PointGFp |
Definition at line 449 of file ec_point.h.
◆ recursive_mutex_type
◆ RNG
| typedef RandomNumberGenerator Botan::RNG |
◆ S2K
| typedef PBKDF Botan::S2K |
◆ s32bit
| using Botan::s32bit = std::int32_t |
◆ ScalarX448
| using Botan::ScalarX448 = Strong<std::array<uint8_t, X448_LEN>, struct ScalarX448_> |
Definition at line 24 of file x448_internal.h.
◆ secure_deque
template<typename T >
| using Botan::secure_deque = std::deque<T, secure_allocator<T>> |
◆ secure_vector
template<typename T >
| using Botan::secure_vector = std::vector<T, secure_allocator<T>> |
◆ SecureVector
template<typename T >
| using Botan::SecureVector = secure_vector<T> |
◆ SM2_Encryption_PrivateKey
◆ SM2_Encryption_PublicKey
◆ SM2_Signature_PrivateKey
◆ SM2_Signature_PublicKey
◆ SphincsAuthenticationPath
| using Botan::SphincsAuthenticationPath = Strong<std::vector<uint8_t>, struct SphincsAuthenticationPath_> |
Definition at line 67 of file sp_types.h.
◆ SphincsContext
| using Botan::SphincsContext = Strong<std::vector<uint8_t>, struct SphincsContext_> |
Definition at line 57 of file sp_types.h.
◆ SphincsHashedMessage
| using Botan::SphincsHashedMessage = Strong<std::vector<uint8_t>, struct SphincsHashedMessage_> |
Definition at line 59 of file sp_types.h.
◆ SphincsHypertreeSignature
| using Botan::SphincsHypertreeSignature = Strong<std::vector<uint8_t>, struct SphincsXmssSignature_> |
Definition at line 66 of file sp_types.h.
◆ SphincsInputMessage
| using Botan::SphincsInputMessage = Strong<std::vector<uint8_t>, struct SphincsInputMessage_> |
Definition at line 49 of file sp_types.h.
◆ SphincsMessagePrefix
| using Botan::SphincsMessagePrefix = Strong<std::vector<uint8_t>, struct SphincsMessagePrefix_> |
The prefix appended to the message in [hash_]slh_sign and slh_verify. E.g. for SLH-DSA (pure): 0x00 || |ctx| || ctx. Empty for SPHINCS+.
Definition at line 47 of file sp_types.h.
◆ SphincsMessageRandomness
| using Botan::SphincsMessageRandomness = Strong<secure_vector<uint8_t>, struct SphincsMessageRandomness_> |
Definition at line 64 of file sp_types.h.
◆ SphincsOptionalRandomness
| using Botan::SphincsOptionalRandomness = Strong<secure_vector<uint8_t>, struct SphincsOptionalRandomness_> |
Definition at line 63 of file sp_types.h.
◆ SphincsPublicSeed
| using Botan::SphincsPublicSeed = Strong<std::vector<uint8_t>, struct SphincsPublicSeed_> |
Definition at line 60 of file sp_types.h.
◆ SphincsSecretPRF
| using Botan::SphincsSecretPRF = Strong<secure_vector<uint8_t>, struct SphincsSecretPRF_> |
Definition at line 62 of file sp_types.h.
◆ SphincsSecretSeed
| using Botan::SphincsSecretSeed = Strong<secure_vector<uint8_t>, struct SphincsSecretSeed_> |
Definition at line 61 of file sp_types.h.
◆ SphincsTreeNode
| using Botan::SphincsTreeNode = Strong<std::vector<uint8_t>, struct SphincsTreeNode_> |
Either an XMSS or FORS tree node or leaf.
Definition at line 70 of file sp_types.h.
◆ SphincsXmssSignature
| using Botan::SphincsXmssSignature = Strong<std::vector<uint8_t>, struct SphincsXmssSignature_> |
Definition at line 65 of file sp_types.h.
◆ strong_type_wrapped_type
template<typename T >
| using Botan::strong_type_wrapped_type = typename detail::wrapped_type_helper<std::remove_cvref_t<T>>::type |
Extracts the wrapped type from a strong type.
If the provided type is not a strong type, it is returned as is.
- Note
- This is meant as a helper for generic code that needs to deal with both wrapped strong types and bare objects. Use the ordinary
::wrapped_typedeclaration if you know that you are dealing with a strong type.
Definition at line 262 of file strong_type.h.
◆ SymmetricKey
| using Botan::SymmetricKey = OctetString |
◆ TreeLayerIndex
| using Botan::TreeLayerIndex = Strong<uint32_t, struct TreeLayerIndex_, EnableArithmeticWithPlainNumber> |
Index of the layer within a FORS/XMSS tree.
Definition at line 83 of file sp_types.h.
◆ TreeNodeIndex
| using Botan::TreeNodeIndex = Strong<uint32_t, struct TreeNodeIndex_, EnableArithmeticWithPlainNumber> |
Index of an individual node inside an XMSS or FORS tree.
Definition at line 92 of file sp_types.h.
◆ u16bit
| using Botan::u16bit = std::uint16_t |
◆ u32bit
| using Botan::u32bit = std::uint32_t |
◆ u64bit
| using Botan::u64bit = std::uint64_t |
◆ wots_keysig_t
| typedef std::vector< secure_vector< uint8_t > > Botan::wots_keysig_t |
Definition at line 20 of file xmss_common_ops.h.
◆ WotsChainIndex
| using Botan::WotsChainIndex = Strong<uint32_t, struct WotsChainIndex_> |
Index of a WOTS chain within a single usage of WOTS.
Definition at line 95 of file sp_types.h.
◆ WotsHashIndex
| using Botan::WotsHashIndex = Strong<uint8_t, struct WotsHashIndex_, EnableArithmeticWithPlainNumber> |
Index of a hash application inside a single WOTS chain (integers in "base_w")
Definition at line 98 of file sp_types.h.
◆ WotsNode
| using Botan::WotsNode = Strong<secure_vector<uint8_t>, struct WotsNode_> |
Start (or intermediate) node of a WOTS+ chain.
Definition at line 79 of file sp_types.h.
◆ WotsPublicKey
| using Botan::WotsPublicKey = Strong<std::vector<uint8_t>, struct WotsPublicKey_> |
Definition at line 73 of file sp_types.h.
◆ WotsPublicKeyNode
| using Botan::WotsPublicKeyNode = Strong<std::vector<uint8_t>, struct WotsPublicKeyNode_> |
End node of a WOTS+ chain (part of the WOTS+ public key)
Definition at line 76 of file sp_types.h.
◆ WotsSignature
| using Botan::WotsSignature = Strong<secure_vector<uint8_t>, struct WotsSignature_> |
Definition at line 80 of file sp_types.h.
◆ X509_Time
| typedef ASN1_Time Botan::X509_Time |
Definition at line 409 of file asn1_obj.h.
◆ XmssTreeIndexInLayer
| using Botan::XmssTreeIndexInLayer = Strong<uint64_t, struct XmssTreeIndexInLayer_, EnableArithmeticWithPlainNumber> |
Index of an XMSS tree (unique for just the local hyper-tree layer)
Definition at line 89 of file sp_types.h.
Enumeration Type Documentation
◆ AlignmentBufferFinalBlock
|
strong |
Defines the strategy for handling the final block of input data in the handle_unaligned_data() method of the AlignmentBuffer<>.
- is_not_special: the final block is treated like any other block
- must_be_deferred: the final block is not emitted while bulk processing (typically add_data()) but is deferred until manually consumed (typically final_result())
The AlignmentBuffer<> assumes data to be "the final block" if no further input data is available in the BufferSlicer<>. This might result in some performance overhead when using the must_be_deferred strategy.
| Enumerator | |
|---|---|
| is_not_special | |
| must_be_deferred | |
Definition at line 34 of file alignment_buffer.h.
34 : size_t {
35 is_not_special = 0,
36 must_be_deferred = 1,
37};
@ must_be_deferred
@ is_not_special
◆ ASN1_Class
|
strong |
ASN.1 Class Tags
| Enumerator | |
|---|---|
| Universal | |
| Application | |
| ContextSpecific | |
| Private | |
| Constructed | |
| ExplicitContextSpecific | |
| NoObject | |
Definition at line 29 of file asn1_obj.h.
29 : uint32_t {
30 Universal = 0b0000'0000,
31 Application = 0b0100'0000,
32 ContextSpecific = 0b1000'0000,
33 Private = 0b1100'0000,
34
35 Constructed = 0b0010'0000,
37
38 NoObject = 0xFF00
39};
@ NoObject
@ ContextSpecific
@ Private
@ ExplicitContextSpecific
@ Universal
@ Constructed
@ Application
◆ ASN1_Type
|
strong |
ASN.1 Type Tags
Definition at line 44 of file asn1_obj.h.
44 : uint32_t {
45 Eoc = 0x00,
46 Boolean = 0x01,
47 Integer = 0x02,
48 BitString = 0x03,
49 OctetString = 0x04,
50 Null = 0x05,
51 ObjectId = 0x06,
52 Enumerated = 0x0A,
53 Sequence = 0x10,
54 Set = 0x11,
55
56 Utf8String = 0x0C,
57 NumericString = 0x12,
58 PrintableString = 0x13,
59 TeletexString = 0x14,
60 Ia5String = 0x16,
61 VisibleString = 0x1A,
62 UniversalString = 0x1C,
63 BmpString = 0x1E,
64
65 UtcTime = 0x17,
66 GeneralizedTime = 0x18,
67
68 NoObject = 0xFF00,
69};
Definition symkey.h:22
@ BitString
@ Enumerated
@ ObjectId
@ TeletexString
@ Boolean
@ UniversalString
@ Sequence
@ Ia5String
@ PrintableString
@ BmpString
@ Integer
@ Null
@ UtcTime
@ GeneralizedTime
@ VisibleString
@ Utf8String
@ NumericString
◆ Certificate_Status_Code
|
strong |
Certificate validation status code
Definition at line 20 of file pkix_enums.h.
20 {
21 OK = 0,
22 VERIFIED = 0,
23
24 // Revocation status
25 OCSP_RESPONSE_GOOD = 1,
26 OCSP_SIGNATURE_OK = 2,
27 VALID_CRL_CHECKED = 3,
28 OCSP_NO_HTTP = 4,
29
30 // Warnings
31 FIRST_WARNING_STATUS = 500,
32 CERT_SERIAL_NEGATIVE = 500,
33 DN_TOO_LONG = 501,
34 OCSP_NO_REVOCATION_URL = 502,
35 OCSP_SERVER_NOT_AVAILABLE = 503,
36 TRUSTED_CERT_HAS_EXPIRED = 504,
37 TRUSTED_CERT_NOT_YET_VALID = 505,
38
39 // Errors
40 FIRST_ERROR_STATUS = 1000,
41
42 SIGNATURE_METHOD_TOO_WEAK = 1000,
43 UNTRUSTED_HASH = 1001,
44 NO_REVOCATION_DATA = 1002,
45 NO_MATCHING_CRLDP = 1003,
46 OCSP_ISSUER_NOT_TRUSTED = 1004,
47
48 // Time problems
49 CERT_NOT_YET_VALID = 2000,
50 CERT_HAS_EXPIRED = 2001,
51 OCSP_NOT_YET_VALID = 2002,
52 OCSP_HAS_EXPIRED = 2003,
53 CRL_NOT_YET_VALID = 2004,
54 CRL_HAS_EXPIRED = 2005,
55 OCSP_IS_TOO_OLD = 2006,
56
57 // Chain generation problems
58 CERT_ISSUER_NOT_FOUND = 3000,
59 CANNOT_ESTABLISH_TRUST = 3001,
60 CERT_CHAIN_LOOP = 3002,
61 CHAIN_LACKS_TRUST_ROOT = 3003,
62 CHAIN_NAME_MISMATCH = 3004,
63
64 // Validation errors
65 POLICY_ERROR = 4000,
66 INVALID_USAGE = 4001,
67 CERT_CHAIN_TOO_LONG = 4002,
68 CA_CERT_NOT_FOR_CERT_ISSUER = 4003,
69 NAME_CONSTRAINT_ERROR = 4004,
70
71 // Revocation errors
72 CA_CERT_NOT_FOR_CRL_ISSUER = 4005,
73 OCSP_CERT_NOT_LISTED = 4006,
74 OCSP_BAD_STATUS = 4007,
75
76 // Other problems
77 CERT_NAME_NOMATCH = 4008,
78 UNKNOWN_CRITICAL_EXTENSION = 4009,
79 DUPLICATE_CERT_EXTENSION = 4010,
80 OCSP_SIGNATURE_ERROR = 4501,
81 OCSP_ISSUER_NOT_FOUND = 4502,
82 OCSP_RESPONSE_MISSING_KEYUSAGE = 4503,
83 OCSP_RESPONSE_INVALID = 4504,
84 EXT_IN_V1_V2_CERT = 4505,
85 DUPLICATE_CERT_POLICY = 4506,
86 V2_IDENTIFIERS_IN_V1_CERT = 4507,
87
88 // Hard failures
89 CERT_IS_REVOKED = 5000,
90 CRL_BAD_SIGNATURE = 5001,
91 SIGNATURE_ERROR = 5002,
92 CERT_PUBKEY_INVALID = 5003,
93 SIGNATURE_ALGO_UNKNOWN = 5004,
94 SIGNATURE_ALGO_BAD_PARAMS = 5005
95};
@ TRUSTED_CERT_NOT_YET_VALID
@ DUPLICATE_CERT_EXTENSION
@ CERT_SERIAL_NEGATIVE
@ INVALID_USAGE
@ NAME_CONSTRAINT_ERROR
@ OCSP_RESPONSE_MISSING_KEYUSAGE
@ OCSP_BAD_STATUS
@ DUPLICATE_CERT_POLICY
@ TRUSTED_CERT_HAS_EXPIRED
@ OCSP_ISSUER_NOT_TRUSTED
@ CERT_PUBKEY_INVALID
@ FIRST_WARNING_STATUS
@ CERT_NAME_NOMATCH
@ VERIFIED
@ CA_CERT_NOT_FOR_CRL_ISSUER
@ CA_CERT_NOT_FOR_CERT_ISSUER
@ OCSP_NO_REVOCATION_URL
@ CRL_BAD_SIGNATURE
@ SIGNATURE_ERROR
@ OCSP_CERT_NOT_LISTED
@ CRL_HAS_EXPIRED
@ CERT_CHAIN_LOOP
@ OCSP_RESPONSE_INVALID
@ OCSP_HAS_EXPIRED
@ OCSP_SERVER_NOT_AVAILABLE
@ OCSP_NO_HTTP
@ UNTRUSTED_HASH
@ VALID_CRL_CHECKED
@ FIRST_ERROR_STATUS
@ CERT_IS_REVOKED
@ CERT_HAS_EXPIRED
@ OCSP_SIGNATURE_ERROR
@ OCSP_IS_TOO_OLD
@ DN_TOO_LONG
@ POLICY_ERROR
@ UNKNOWN_CRITICAL_EXTENSION
@ OCSP_RESPONSE_GOOD
@ SIGNATURE_ALGO_BAD_PARAMS
@ SIGNATURE_ALGO_UNKNOWN
@ OCSP_SIGNATURE_OK
@ CERT_CHAIN_TOO_LONG
@ NO_REVOCATION_DATA
@ CERT_ISSUER_NOT_FOUND
@ CERT_NOT_YET_VALID
@ CANNOT_ESTABLISH_TRUST
@ CRL_NOT_YET_VALID
@ OCSP_NOT_YET_VALID
@ V2_IDENTIFIERS_IN_V1_CERT
@ NO_MATCHING_CRLDP
@ EXT_IN_V1_V2_CERT
@ OCSP_ISSUER_NOT_FOUND
@ SIGNATURE_METHOD_TOO_WEAK
@ CHAIN_LACKS_TRUST_ROOT
@ CHAIN_NAME_MISMATCH
◆ Cipher_Dir
|
strong |
The two possible directions for cipher filters, determining whether they actually perform encryption or decryption.
| Enumerator | |
|---|---|
| Encryption | |
| Decryption | |
| ENCRYPTION | |
| DECRYPTION | |
Definition at line 26 of file cipher_mode.h.
26 : int {
27 Encryption,
28 Decryption,
29
32};
@ DECRYPTION
@ Decryption
@ Encryption
@ ENCRYPTION
◆ CRL_Code
|
strong |
X.509v2 CRL Reason Code.
| Enumerator | |
|---|---|
| Unspecified | |
| KeyCompromise | |
| CaCompromise | |
| AffiliationChanged | |
| Superseded | |
| CessationOfOperation | |
| CertificateHold | |
| RemoveFromCrl | |
| PrivilegeWithdrawn | |
| AaCompromise | |
Definition at line 187 of file pkix_enums.h.
187 : uint32_t {
188 Unspecified = 0,
189 KeyCompromise = 1,
190 CaCompromise = 2,
191 AffiliationChanged = 3,
192 Superseded = 4,
193 CessationOfOperation = 5,
194 CertificateHold = 6,
195 RemoveFromCrl = 8,
196 PrivilegeWithdrawn = 9,
197 AaCompromise = 10,
198};
@ CaCompromise
@ AffiliationChanged
@ AaCompromise
@ CertificateHold
@ PrivilegeWithdrawn
@ CessationOfOperation
@ KeyCompromise
@ RemoveFromCrl
@ Superseded
◆ Decoder_Checking
◆ DL_Group_Format
|
strong |
The DL group encoding format variants.
| Enumerator | |
|---|---|
| ANSI_X9_42 | |
| ANSI_X9_57 | |
| PKCS_3 | |
| DSA_PARAMETERS | |
| DH_PARAMETERS | |
| ANSI_X9_42_DH_PARAMETERS | |
| PKCS3_DH_PARAMETERS | |
Definition at line 28 of file dl_group.h.
28 {
29 ANSI_X9_42,
30 ANSI_X9_57,
31 PKCS_3,
32
37};
@ PKCS_3
@ DSA_PARAMETERS
@ PKCS3_DH_PARAMETERS
@ ANSI_X9_42_DH_PARAMETERS
@ ANSI_X9_57
@ DH_PARAMETERS
@ ANSI_X9_42
◆ DL_Group_Source
|
strong |
| Enumerator | |
|---|---|
| Builtin | |
| RandomlyGenerated | |
| ExternalSource | |
Definition at line 19 of file dl_group.h.
◆ EC_Group_Encoding
|
strong |
This class represents elliptic curce domain parameters
| Enumerator | |
|---|---|
| Explicit | |
| ImplicitCA | |
| NamedCurve | |
| EC_DOMPAR_ENC_EXPLICIT | |
| EC_DOMPAR_ENC_IMPLICITCA | |
| EC_DOMPAR_ENC_OID | |
Definition at line 26 of file ec_group.h.
26 {
27 Explicit,
28 ImplicitCA,
29 NamedCurve,
30
34};
@ NamedCurve
@ ImplicitCA
@ EC_DOMPAR_ENC_EXPLICIT
@ EC_DOMPAR_ENC_OID
@ Explicit
@ EC_DOMPAR_ENC_IMPLICITCA
◆ EC_Group_Source
|
strong |
| Enumerator | |
|---|---|
| Builtin | |
| ExternalSource | |
Definition at line 36 of file ec_group.h.
◆ EC_Point_Format
|
strong |
| Enumerator | |
|---|---|
| Uncompressed | |
| Compressed | |
| UNCOMPRESSED | |
| COMPRESSED | |
| Hybrid | |
| HYBRID | |
Definition at line 19 of file ec_point.h.
19 {
20 Uncompressed = 0,
21 Compressed = 1,
22
25
28};
@ HYBRID
@ Compressed
@ COMPRESSED
@ UNCOMPRESSED
@ Uncompressed
@ Hybrid
◆ ECIES_Flags
|
strong |
Definition at line 27 of file ecies.h.
27 : uint32_t {
28 None = 0,
29 /// if set: prefix the input of the (ecdh) key agreement with the encoded (ephemeral) public key
30 SingleHashMode = 1,
31 /// (decryption only) if set: use cofactor multiplication during (ecdh) key agreement
32 CofactorMode = 2,
33 /// if set: use ecdhc instead of ecdh
34 OldCofactorMode = 4,
35 /// (decryption only) if set: test if the (ephemeral) public key is on the curve
36 CheckMode = 8,
37
43};
@ CofactorMode
(decryption only) if set: use cofactor multiplication during (ecdh) key agreement
@ OLD_COFACTOR_MODE
@ CHECK_MODE
@ COFACTOR_MODE
@ CheckMode
(decryption only) if set: test if the (ephemeral) public key is on the curve
@ SingleHashMode
if set: prefix the input of the (ecdh) key agreement with the encoded (ephemeral) public key
@ SINGLE_HASH_MODE
◆ ErrorType
|
strong |
Different types of errors that might occur
| Enumerator | |
|---|---|
| Unknown | Some unknown error |
| SystemError | An error while calling a system interface |
| NotImplemented | An operation seems valid, but not supported by the current version |
| OutOfMemory | Memory allocation failure |
| InternalError | An internal error occurred |
| IoError | An I/O error occurred |
| InvalidObjectState | Invalid object state |
| KeyNotSet | A key was not set on an object when this is required |
| InvalidArgument | The application provided an argument which is invalid |
| InvalidKeyLength | A key with invalid length was provided |
| InvalidNonceLength | A nonce with invalid length was provided |
| LookupError | An object type was requested but cannot be found |
| EncodingFailure | Encoding a message or datum failed |
| DecodingFailure | Decoding a message or datum failed |
| TLSError | A TLS error (error_code will be the alert type) |
| HttpError | An error during an HTTP operation |
| InvalidTag | A message with an invalid authentication tag was detected |
| RoughtimeError | An error during Roughtime validation |
| CommonCryptoError | An error when interacting with CommonCrypto API |
| Pkcs11Error | An error when interacting with a PKCS11 device |
| TPMError | An error when interacting with a TPM device |
| DatabaseError | An error when interacting with a database |
| ZlibError | An error when interacting with zlib |
| Bzip2Error | An error when interacting with bzip2 |
| LzmaError | An error when interacting with lzma |
Definition at line 20 of file exceptn.h.
20 {
21 /** Some unknown error */
22 Unknown = 1,
23 /** An error while calling a system interface */
24 SystemError,
25 /** An operation seems valid, but not supported by the current version */
26 NotImplemented,
27 /** Memory allocation failure */
28 OutOfMemory,
29 /** An internal error occurred */
30 InternalError,
31 /** An I/O error occurred */
32 IoError,
33
34 /** Invalid object state */
35 InvalidObjectState = 100,
36 /** A key was not set on an object when this is required */
37 KeyNotSet,
38 /** The application provided an argument which is invalid */
39 InvalidArgument,
40 /** A key with invalid length was provided */
41 InvalidKeyLength,
42 /** A nonce with invalid length was provided */
44 /** An object type was requested but cannot be found */
45 LookupError,
46 /** Encoding a message or datum failed */
47 EncodingFailure,
48 /** Decoding a message or datum failed */
49 DecodingFailure,
50 /** A TLS error (error_code will be the alert type) */
51 TLSError,
52 /** An error during an HTTP operation */
53 HttpError,
54 /** A message with an invalid authentication tag was detected */
55 InvalidTag,
56 /** An error during Roughtime validation */
57 RoughtimeError,
58
59 /** An error when interacting with CommonCrypto API */
60 CommonCryptoError = 201,
61 /** An error when interacting with a PKCS11 device */
62 Pkcs11Error,
63 /** An error when interacting with a TPM device */
64 TPMError,
65 /** An error when interacting with a database */
66 DatabaseError,
67
68 /** An error when interacting with zlib */
69 ZlibError = 300,
70 /** An error when interacting with bzip2 */
71 Bzip2Error,
72 /** An error when interacting with lzma */
73 LzmaError,
74
75};
@ InvalidNonceLength
@ EncodingFailure
@ InvalidArgument
@ HttpError
@ Pkcs11Error
@ CommonCryptoError
@ DecodingFailure
@ KeyNotSet
@ Unknown
@ NotImplemented
@ DatabaseError
@ TLSError
@ InvalidObjectState
@ LzmaError
@ ZlibError
@ OutOfMemory
@ SystemError
@ Bzip2Error
@ LookupError
@ InvalidKeyLength
@ IoError
@ InvalidTag
@ RoughtimeError
@ TPMError
◆ LMOTS_Algorithm_Type
|
strong |
Enum of available LM-OTS algorithm types.
The supported parameter sets are defined in RFC 8554 Section 4.1. and draft-fluhrer-lms-more-parm-sets-11 Section 4. HSS/LMS typecodes are introduced in RFC 8554 Section 3.2. and their format specified in Section 3.3.
Definition at line 65 of file lm_ots.h.
65 : uint32_t {
66 // --- RFC 8554 ---
67 RESERVED = 0x00,
68
69 // SHA-256 based
70 SHA256_N32_W1 = 0x01,
71 SHA256_N32_W2 = 0x02,
72 SHA256_N32_W4 = 0x03,
73 SHA256_N32_W8 = 0x04,
74
75 // --- draft-fluhrer-lms-more-parm-sets-11 ---
76 // SHA-256/192 based
77 SHA256_N24_W1 = 0x05,
78 SHA256_N24_W2 = 0x06,
79 SHA256_N24_W4 = 0x07,
80 SHA256_N24_W8 = 0x08,
81
82 // SHAKE-256/256 based
83 SHAKE_N32_W1 = 0x09,
84 SHAKE_N32_W2 = 0x0a,
85 SHAKE_N32_W4 = 0x0b,
86 SHAKE_N32_W8 = 0x0c,
87
88 // SHAKE-256/192 based
89 SHAKE_N24_W1 = 0x0d,
90 SHAKE_N24_W2 = 0x0e,
91 SHAKE_N24_W4 = 0x0f,
92 SHAKE_N24_W8 = 0x10,
93};
@ SHAKE_N24_W8
@ SHA256_N24_W2
@ SHA256_N32_W8
@ SHAKE_N32_W2
@ SHA256_N24_W1
@ SHAKE_N32_W8
@ SHA256_N32_W1
@ SHAKE_N32_W4
@ SHA256_N24_W8
@ SHAKE_N24_W4
@ RESERVED
@ SHA256_N32_W2
@ SHA256_N32_W4
@ SHA256_N24_W4
@ SHAKE_N24_W1
@ SHAKE_N32_W1
@ SHAKE_N24_W2
◆ LMS_Algorithm_Type
|
strong |
Enum of available LMS algorithm types.
The supported parameter sets are defined in RFC 8554 Section 5.1. and draft-fluhrer-lms-more-parm-sets-11 Section 5. HSS/LMS typecodes are introduced in RFC 8554 Section 3.2. and their format specified in Section 3.3.
Definition at line 30 of file lms.h.
30 : uint32_t {
31 // --- RFC 8554 ---
32 RESERVED = 0x00,
33
34 // SHA-256 based
35 SHA256_M32_H5 = 0x05,
36 SHA256_M32_H10 = 0x06,
37 SHA256_M32_H15 = 0x07,
38 SHA256_M32_H20 = 0x08,
39 SHA256_M32_H25 = 0x09,
40
41 // --- draft-fluhrer-lms-more-parm-sets-11 ---
42 // SHA-256/192 based
43 SHA256_M24_H5 = 0x0a,
44 SHA256_M24_H10 = 0x0b,
45 SHA256_M24_H15 = 0x0c,
46 SHA256_M24_H20 = 0x0d,
47 SHA256_M24_H25 = 0x0e,
48
49 // SHAKE-256/256 based
50 SHAKE_M32_H5 = 0x0f,
51 SHAKE_M32_H10 = 0x10,
52 SHAKE_M32_H15 = 0x11,
53 SHAKE_M32_H20 = 0x12,
54 SHAKE_M32_H25 = 0x13,
55
56 // SHAKE-256/192 based
57 SHAKE_M24_H5 = 0x14,
58 SHAKE_M24_H10 = 0x15,
59 SHAKE_M24_H15 = 0x16,
60 SHAKE_M24_H20 = 0x17,
61 SHAKE_M24_H25 = 0x18
62};
@ SHAKE_M32_H5
@ SHAKE_M32_H25
@ SHAKE_M32_H10
@ SHAKE_M24_H20
@ SHA256_M24_H20
@ SHA256_M32_H25
@ SHA256_M24_H5
@ SHA256_M32_H20
@ SHA256_M32_H5
@ SHAKE_M32_H15
@ SHA256_M24_H25
@ SHAKE_M24_H5
@ SHAKE_M24_H15
@ SHAKE_M32_H20
@ SHA256_M24_H15
@ SHA256_M32_H10
@ SHAKE_M24_H25
@ SHA256_M24_H10
@ SHAKE_M24_H10
@ SHA256_M32_H15
◆ MD_Endian
|
strong |
| Enumerator | |
|---|---|
| Little | |
| Big | |
Definition at line 20 of file mdx_hash.h.
◆ PublicKeyOperation
|
strong |
Enumeration of possible operations a public key could be used for.
It is possible to query if a key supports a particular operation type using Asymmetric_Key::supports_operation()
| Enumerator | |
|---|---|
| Encryption | |
| Signature | |
| KeyEncapsulation | |
| KeyAgreement | |
Definition at line 45 of file pk_keys.h.
45 {
46 Encryption,
47 Signature,
48 KeyEncapsulation,
49 KeyAgreement,
50};
@ KeyEncapsulation
@ KeyAgreement
@ Signature
◆ Signature_Format
|
strong |
Enumeration specifying the signature format.
This is mostly used for requesting DER encoding of ECDSA signatures; most other algorithms only support "standard".
| Enumerator | |
|---|---|
| Standard | |
| DerSequence | |
| IEEE_1363 | |
| DER_SEQUENCE | |
◆ Sphincs_Address_Type
|
strong |
| Enumerator | |
|---|---|
| WotsHash | |
| WotsPublicKeyCompression | |
| HashTree | |
| ForsTree | |
| ForsTreeRootsCompression | |
| WotsKeyGeneration | |
| ForsKeyGeneration | |
Definition at line 20 of file sp_address.h.
20 : uint32_t {
21 WotsHash = 0,
22 WotsPublicKeyCompression = 1,
23 HashTree = 2,
24 ForsTree = 3,
25 ForsTreeRootsCompression = 4,
26 WotsKeyGeneration = 5,
27 ForsKeyGeneration = 6
28};
@ ForsTree
@ ForsKeyGeneration
@ WotsKeyGeneration
@ HashTree
@ ForsTreeRootsCompression
@ WotsPublicKeyCompression
@ WotsHash
◆ Sphincs_Hash_Type
|
strong |
| Enumerator | |
|---|---|
| Shake256 | |
| Sha256 | |
| Haraka | Haraka is currently not supported. |
Definition at line 18 of file sp_parameters.h.
18 {
19 Shake256,
20 Sha256,
21 Haraka BOTAN_DEPRECATED("Haraka is not and will not be supported"), ///< Haraka is currently not supported
22};
@ Shake256
◆ Sphincs_Parameter_Set
|
strong |
| Enumerator | |
|---|---|
| Sphincs128Small | |
| Sphincs128Fast | |
| Sphincs192Small | |
| Sphincs192Fast | |
| Sphincs256Small | |
| Sphincs256Fast | |
| SLHDSA128Small | |
| SLHDSA128Fast | |
| SLHDSA192Small | |
| SLHDSA192Fast | |
| SLHDSA256Small | |
| SLHDSA256Fast | |
Definition at line 24 of file sp_parameters.h.
24 {
25 Sphincs128Small,
26 Sphincs128Fast,
27 Sphincs192Small,
28 Sphincs192Fast,
29 Sphincs256Small,
30 Sphincs256Fast,
31
32 SLHDSA128Small,
33 SLHDSA128Fast,
34 SLHDSA192Small,
35 SLHDSA192Fast,
36 SLHDSA256Small,
37 SLHDSA256Fast,
38};
@ Sphincs256Small
@ SLHDSA256Fast
@ SLHDSA128Fast
@ Sphincs192Fast
@ Sphincs192Small
@ SLHDSA256Small
@ Sphincs128Fast
@ Sphincs128Small
@ Sphincs256Fast
@ SLHDSA192Fast
@ SLHDSA128Small
@ SLHDSA192Small
◆ TPM_Storage_Type
|
strong |
◆ Usage_Type
|
strong |
| Enumerator | |
|---|---|
| UNSPECIFIED | |
| TLS_SERVER_AUTH | |
| TLS_CLIENT_AUTH | |
| CERTIFICATE_AUTHORITY | |
| OCSP_RESPONDER | |
| ENCRYPTION | |
Definition at line 22 of file x509cert.h.
22 {
24 TLS_SERVER_AUTH,
25 TLS_CLIENT_AUTH,
27 OCSP_RESPONDER,
28 ENCRYPTION
29};
@ UNSPECIFIED
@ CERTIFICATE_AUTHORITY
@ TLS_SERVER_AUTH
@ OCSP_RESPONDER
@ TLS_CLIENT_AUTH
◆ WOTS_Derivation_Method
|
strong |
Determines how WOTS+ private keys are derived from the XMSS private key
| Enumerator | |
|---|---|
| Botan2x | This roughly followed the suggestions in RFC 8391 but is vulnerable to a multi-target attack. For new private keys, we recommend using the derivation as suggested in NIST SP.800-208. Private keys generated with Botan 2.x will need to stay with this mode, otherwise they won't be able to generate valid signatures any longer. |
| NIST_SP800_208 | Derivation as specified in NIST SP.800-208 to avoid a multi-target attack on the WOTS+ key derivation suggested in RFC 8391. New private keys should use this mode. |
Definition at line 138 of file xmss.h.
138 {
139 /// This roughly followed the suggestions in RFC 8391 but is vulnerable
140 /// to a multi-target attack. For new private keys, we recommend using
141 /// the derivation as suggested in NIST SP.800-208.
142 /// Private keys generated with Botan 2.x will need to stay with this mode,
143 /// otherwise they won't be able to generate valid signatures any longer.
144 Botan2x = 1,
145
146 /// Derivation as specified in NIST SP.800-208 to avoid a multi-target attack
147 /// on the WOTS+ key derivation suggested in RFC 8391. New private keys
148 /// should use this mode.
149 NIST_SP800_208 = 2,
150};
@ NIST_SP800_208
Function Documentation
◆ abs()
Return the absolute value
- Parameters
-
n an integer
- Returns
- absolute value of n
Definition at line 22 of file numthry.h.
References Botan::BigInt::abs().
Referenced by Botan::EC_Group::EC_Group(), gcd(), and Botan::EC_Group::verify_group().
◆ allocate_memory()
| BOTAN_MALLOC_FN void * Botan::allocate_memory | ( | size_t | elems, |
| size_t | elem_size ) |
Allocate a memory buffer by some method. This should only be used for primitive types (uint8_t, uint32_t, etc).
- Parameters
-
elems the number of elements elem_size the size of each element
- Returns
- pointer to allocated and zeroed memory, or throw std::bad_alloc on failure
Definition at line 20 of file allocator.cpp.
20 {
21 if(elems == 0 || elem_size == 0) {
22 return nullptr;
23 }
24
25 // Some calloc implementations do not check for overflow (?!?)
26 if(!checked_mul(elems, elem_size).has_value()) {
27 throw std::bad_alloc();
28 }
29
30#if defined(BOTAN_HAS_LOCKING_ALLOCATOR)
31 if(void* p = mlock_allocator::instance().allocate(elems, elem_size)) {
32 return p;
33 }
34#endif
35
36#if defined(BOTAN_TARGET_OS_HAS_ALLOC_CONCEAL)
37 void* ptr = ::calloc_conceal(elems, elem_size);
38#else
39 void* ptr = std::calloc(elems, elem_size); // NOLINT(*-no-malloc)
40#endif
41 if(!ptr) {
42 [[unlikely]] throw std::bad_alloc();
43 }
44 return ptr;
45}
References checked_mul(), and Botan::mlock_allocator::instance().
Referenced by Botan::secure_allocator< T >::allocate().
◆ argon2()
|
inline |
Argon2 key derivation function
- Parameters
-
output the output will be placed here output_len length of output password the user password password_len the length of password salt the salt salt_len length of salt key an optional secret key key_len the length of key ad an optional additional input ad_len the length of ad y the Argon2 variant (0 = Argon2d, 1 = Argon2i, 2 = Argon2id) p the parallelization parameter M the amount of memory to use in Kb t the number of iterations to use
Definition at line 144 of file argon2.h.
157 {
158 auto pwdhash_fam = PasswordHashFamily::create_or_throw([y] {
159 switch(y) {
160 case 0:
161 return "Argon2d";
162 case 1:
163 return "Argon2i";
164 case 2:
165 return "Argon2id";
166 default:
168 }
169 }());
170 auto pwdhash = pwdhash_fam->from_params(M, t, p);
171 pwdhash->derive_key(output, output_len, password, password_len, salt, salt_len, ad, ad_len, key, key_len);
172}
Definition exceptn.h:334
◆ argon2_check_pwhash()
| bool Botan::argon2_check_pwhash | ( | const char * | password, |
| size_t | password_len, | ||
| std::string_view | hash ) |
Check a previously created password hash
Verify an Argon2 password hash against the provided password. Returns false if the input hash seems malformed or if the computed hash does not match.
- Parameters
-
password the password to check against password_len the length of password hash the stored hash to check against
Definition at line 77 of file argon2fmt.cpp.
77 {
79
80 if(parts.size() != 5) {
81 return false;
82 }
83
84 uint8_t family = 0;
85
86 if(parts[0] == "argon2d") {
87 family = 0;
88 } else if(parts[0] == "argon2i") {
89 family = 1;
90 } else if(parts[0] == "argon2id") {
91 family = 2;
92 } else {
93 return false;
94 }
95
96 if(parts[1] != "v=19") {
97 return false;
98 }
99
101
102 if(params.size() != 3) {
103 return false;
104 }
105
106 size_t M = 0, t = 0, p = 0;
107
108 for(const auto& param_str : params) {
110
111 if(param.size() != 2) {
112 return false;
113 }
114
115 std::string_view key = param[0];
117 if(key == "m") {
118 M = val;
119 } else if(key == "t") {
120 t = val;
121 } else if(key == "p") {
122 p = val;
123 } else {
124 return false;
125 }
126 }
127
128 std::vector<uint8_t> salt(base64_decode_max_output(parts[3].size()));
130
131 std::vector<uint8_t> hash(base64_decode_max_output(parts[4].size()));
133
134 if(hash.size() < 4) {
135 return false;
136 }
137
138 std::vector<uint8_t> generated(hash.size());
139 auto pwdhash_fam = PasswordHashFamily::create_or_throw(argon2_family(family));
140 auto pwdhash = pwdhash_fam->from_params(M, t, p);
141
142 pwdhash->derive_key(generated.data(), generated.size(), password, password_len, salt.data(), salt.size());
143
144 return CT::is_equal(generated.data(), hash.data(), generated.size()).as_bool();
145}
std::vector< std::string > split_on(std::string_view str, char delim)
Definition parsing.cpp:111
size_t base64_decode(uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
Definition base64.cpp:168
size_t base64_decode_max_output(size_t input_length)
Definition base64.cpp:200
References base64_decode(), base64_decode_max_output(), Botan::PasswordHashFamily::create_or_throw(), Botan::CT::is_equal(), split_on(), and to_u32bit().
◆ argon2_generate_pwhash()
| std::string Botan::argon2_generate_pwhash | ( | const char * | password, |
| size_t | password_len, | ||
| RandomNumberGenerator & | rng, | ||
| size_t | p, | ||
| size_t | M, | ||
| size_t | t, | ||
| uint8_t | y = 2, | ||
| size_t | salt_len = 16, | ||
| size_t | output_len = 32 ) |
Generate an Argon2 hash of the specified password. The y parameter specifies the variant: 0 for Argon2d, 1 for Argon2i, and 2 for Argon2id.
Definition at line 42 of file argon2fmt.cpp.
50 {
51 std::vector<uint8_t> salt(salt_len);
52 rng.randomize(salt.data(), salt.size());
53
54 std::vector<uint8_t> output(output_len);
55
56 auto pwdhash_fam = PasswordHashFamily::create_or_throw(argon2_family(y));
57 auto pwdhash = pwdhash_fam->from_params(M, t, p);
58
59 pwdhash->derive_key(output.data(), output.size(), password, password_len, salt.data(), salt.size());
60
63
64 const std::string argon2_mode = [&]() -> std::string {
65 if(y == 0) {
66 return "d";
67 } else if(y == 1) {
68 return "i";
69 } else {
70 return "id";
71 }
72 }();
73
75}
void randomize(std::span< uint8_t > output)
Definition rng.h:53
size_t base64_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition base64.cpp:160
References base64_encode(), Botan::PasswordHashFamily::create_or_throw(), fmt(), and Botan::RandomNumberGenerator::randomize().
◆ asn1_class_to_string()
| std::string BOTAN_UNSTABLE_API Botan::asn1_class_to_string | ( | ASN1_Class | type | ) |
Definition at line 74 of file asn1_obj.cpp.
74 {
75 switch(type) {
76 case ASN1_Class::Universal:
77 return "UNIVERSAL";
78 case ASN1_Class::Constructed:
79 return "CONSTRUCTED";
80 case ASN1_Class::ContextSpecific:
81 return "CONTEXT_SPECIFIC";
82 case ASN1_Class::Application:
83 return "APPLICATION";
84 case ASN1_Class::Private:
85 return "PRIVATE";
86 case ASN1_Class::NoObject:
87 return "NO_OBJECT";
88 default:
89 return "CLASS(" + std::to_string(static_cast<size_t>(type)) + ")";
90 }
91}
References Application, Constructed, ContextSpecific, NoObject, Private, and Universal.
Referenced by Botan::BER_Object::assert_is_a().
◆ asn1_tag_to_string()
| std::string BOTAN_UNSTABLE_API Botan::asn1_tag_to_string | ( | ASN1_Type | type | ) |
Definition at line 93 of file asn1_obj.cpp.
93 {
94 switch(type) {
95 case ASN1_Type::Sequence:
96 return "SEQUENCE";
97
98 case ASN1_Type::Set:
99 return "SET";
100
101 case ASN1_Type::PrintableString:
102 return "PRINTABLE STRING";
103
104 case ASN1_Type::NumericString:
105 return "NUMERIC STRING";
106
107 case ASN1_Type::Ia5String:
108 return "IA5 STRING";
109
110 case ASN1_Type::TeletexString:
111 return "T61 STRING";
112
113 case ASN1_Type::Utf8String:
114 return "UTF8 STRING";
115
116 case ASN1_Type::VisibleString:
117 return "VISIBLE STRING";
118
119 case ASN1_Type::BmpString:
120 return "BMP STRING";
121
122 case ASN1_Type::UniversalString:
123 return "UNIVERSAL STRING";
124
125 case ASN1_Type::UtcTime:
126 return "UTC TIME";
127
128 case ASN1_Type::GeneralizedTime:
129 return "GENERALIZED TIME";
130
131 case ASN1_Type::OctetString:
132 return "OCTET STRING";
133
134 case ASN1_Type::BitString:
135 return "BIT STRING";
136
137 case ASN1_Type::Enumerated:
138 return "ENUMERATED";
139
140 case ASN1_Type::Integer:
141 return "INTEGER";
142
143 case ASN1_Type::Null:
144 return "NULL";
145
146 case ASN1_Type::ObjectId:
147 return "OBJECT";
148
149 case ASN1_Type::Boolean:
150 return "BOOLEAN";
151
152 case ASN1_Type::NoObject:
153 return "NO_OBJECT";
154
155 default:
156 return "TAG(" + std::to_string(static_cast<uint32_t>(type)) + ")";
157 }
158}
References BitString, BmpString, Boolean, Enumerated, GeneralizedTime, Ia5String, Integer, NoObject, Null, NumericString, ObjectId, OctetString, PrintableString, Sequence, Set, TeletexString, UniversalString, UtcTime, Utf8String, and VisibleString.
Referenced by Botan::BER_Object::assert_is_a().
◆ assert_is_some()
template<typename T >
| T Botan::assert_is_some | ( | std::optional< T > | v, |
| const char * | expr, | ||
| const char * | func, | ||
| const char * | file, | ||
| int | line ) |
Define BOTAN_ASSERT_IS_SOME
Definition at line 390 of file stl_util.h.
390 {
391 if(v) {
392 return *v;
393 } else {
395 }
396}
void assertion_failure(const char *expr_str, const char *assertion_made, const char *func, const char *file, int line)
Definition assert.cpp:29
References assertion_failure().
◆ assert_unreachable()
| void BOTAN_UNSTABLE_API Botan::assert_unreachable | ( | const char * | file, |
| int | line ) |
Definition at line 54 of file assert.cpp.
54 {
55 const std::string msg = fmt("Codepath that was marked unreachable was reached @{}:{}", file, line);
56
57#if defined(BOTAN_TERMINATE_ON_ASSERTS)
58 std::cerr << msg << '\n';
59 std::abort();
60#else
62#endif
63}
Definition exceptn.h:321
References fmt().
◆ assertion_failure()
| void Botan::assertion_failure | ( | const char * | expr_str, |
| const char * | assertion_made, | ||
| const char * | func, | ||
| const char * | file, | ||
| int | line ) |
Called when an assertion fails Throws an Exception object
Definition at line 29 of file assert.cpp.
29 {
30 std::ostringstream format;
31
32 format << "False assertion ";
33
34 if(assertion_made && assertion_made[0] != 0) {
35 format << "'" << assertion_made << "' (expression " << expr_str << ") ";
36 } else {
37 format << expr_str << " ";
38 }
39
40 if(func) {
41 format << "in " << func << " ";
42 }
43
44 format << "@" << file << ":" << line;
45
46#if defined(BOTAN_TERMINATE_ON_ASSERTS)
47 std::cerr << format.str() << '\n';
48 std::abort();
49#else
51#endif
52}
@ Internal_Error
Referenced by assert_is_some().
◆ base32_decode() [1/5]
| secure_vector< uint8_t > Botan::base32_decode | ( | const char | input[], |
| size_t | input_length, | ||
| bool | ignore_ws = true ) |
Perform base32 decoding
- Parameters
-
input some base32 input input_length the length of input in bytes ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- decoded base32 output
Definition at line 162 of file base32.cpp.
162 {
163 return base_decode_to_vec<secure_vector<uint8_t>>(Base32(), input, input_length, ignore_ws);
164}
References base_decode_to_vec().
◆ base32_decode() [2/5]
| secure_vector< uint8_t > Botan::base32_decode | ( | std::string_view | input, |
| bool | ignore_ws = true ) |
Perform base32 decoding
- Parameters
-
input some base32 input ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- decoded base32 output
Definition at line 166 of file base32.cpp.
166 {
168}
size_t base32_decode(uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
Definition base32.cpp:149
References base32_decode().
◆ base32_decode() [3/5]
| size_t Botan::base32_decode | ( | uint8_t | output[], |
| const char | input[], | ||
| size_t | input_length, | ||
| size_t & | input_consumed, | ||
| bool | final_inputs, | ||
| bool | ignore_ws = true ) |
Perform base32 decoding
- Parameters
-
output an array of at least base32_decode_max_output bytes input some base32 input input_length length of input in bytes input_consumed is an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input. final_inputs true iff this is the last input, in which case padding is allowed ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- number of bytes written to output
Definition at line 149 of file base32.cpp.
150 {
152}
size_t base_decode(Base &&base, uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws=true)
Definition codec_base.h:112
References base_decode().
Referenced by base32_decode(), and base32_decode().
◆ base32_decode() [4/5]
| size_t Botan::base32_decode | ( | uint8_t | output[], |
| const char | input[], | ||
| size_t | input_length, | ||
| bool | ignore_ws = true ) |
Perform base32 decoding
- Parameters
-
output an array of at least base32_decode_max_output bytes input some base32 input input_length length of input in bytes ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- number of bytes written to output
Definition at line 154 of file base32.cpp.
154 {
156}
size_t base_decode_full(Base &&base, uint8_t output[], const char input[], size_t input_length, bool ignore_ws)
Definition codec_base.h:171
References base_decode_full().
◆ base32_decode() [5/5]
| size_t Botan::base32_decode | ( | uint8_t | output[], |
| std::string_view | input, | ||
| bool | ignore_ws = true ) |
Perform base32 decoding
- Parameters
-
output an array of at least base32_decode_max_output bytes input some base32 input ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- number of bytes written to output
Definition at line 158 of file base32.cpp.
References base32_decode().
◆ base32_encode() [1/3]
| size_t Botan::base32_encode | ( | char | output[], |
| const uint8_t | input[], | ||
| size_t | input_length, | ||
| size_t & | input_consumed, | ||
| bool | final_inputs ) |
Perform base32 encoding
- Parameters
-
output an array of at least base32_encode_max_output bytes input is some binary data input_length length of input in bytes input_consumed is an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input. final_inputs true iff this is the last input, in which case padding chars will be applied if needed
- Returns
- number of bytes written to output
Definition at line 141 of file base32.cpp.
141 {
143}
size_t base_encode(Base &&base, char output[], const uint8_t input[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition codec_base.h:34
References base_encode().
Referenced by base32_encode().
◆ base32_encode() [2/3]
| std::string Botan::base32_encode | ( | const uint8_t | input[], |
| size_t | input_length ) |
Perform base32 encoding
- Parameters
-
input some input input_length length of input in bytes
- Returns
- base32 representation of input
Definition at line 145 of file base32.cpp.
145 {
147}
std::string base_encode_to_string(Base &&base, const uint8_t input[], size_t input_length)
Definition codec_base.h:78
References base_encode_to_string().
◆ base32_encode() [3/3]
|
inline |
Perform base32 encoding
- Parameters
-
input some input
- Returns
- base32 representation of input
Definition at line 47 of file base32.h.
47 {
49}
size_t base32_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition base32.cpp:141
References base32_encode().
◆ base58_check_decode() [1/2]
| std::vector< uint8_t > Botan::base58_check_decode | ( | const char | input[], |
| size_t | input_length ) |
Perform base58 decoding with checksum
Definition at line 164 of file base58.cpp.
164 {
165 std::vector<uint8_t> dec = base58_decode(input, input_length);
166
167 if(dec.size() < 4) {
169 }
170
171 const uint32_t computed_checksum = sha256_d_checksum(dec.data(), dec.size() - 4);
172 const uint32_t checksum = load_be<uint32_t>(&dec[dec.size() - 4], 0);
173
174 if(checksum != computed_checksum) {
175 throw Decoding_Error("Invalid base58 checksum");
176 }
177
178 dec.resize(dec.size() - 4);
179
180 return dec;
181}
Definition exceptn.h:191
std::vector< uint8_t > base58_decode(const char input[], size_t input_length)
Definition base58.cpp:139
References base58_decode(), and load_be().
Referenced by base58_check_decode().
◆ base58_check_decode() [2/2]
|
inline |
Definition at line 58 of file base58.h.
58 {
60}
std::vector< uint8_t > base58_check_decode(const char input[], size_t input_length)
Definition base58.cpp:164
References base58_check_decode().
◆ base58_check_encode() [1/2]
| std::string Botan::base58_check_encode | ( | const uint8_t | input[], |
| size_t | input_length ) |
Perform base58 encoding with checksum
Definition at line 132 of file base58.cpp.
132 {
133 BigInt v(input, input_length);
134 v <<= 32;
135 v += sha256_d_checksum(input, input_length);
137}
Definition bigint.h:26
std::string base58_encode(const uint8_t input[], size_t input_length)
Definition base58.cpp:127
References base58_encode().
Referenced by base58_check_encode().
◆ base58_check_encode() [2/2]
|
inline |
Definition at line 50 of file base58.h.
50 {
52}
std::string base58_check_encode(const uint8_t input[], size_t input_length)
Definition base58.cpp:132
References base58_check_encode().
◆ base58_decode() [1/2]
| std::vector< uint8_t > Botan::base58_decode | ( | const char | input[], |
| size_t | input_length ) |
Perform base58 decoding
This is raw base58 encoding, without the checksum
Definition at line 139 of file base58.cpp.
139 {
140 const size_t leading_zeros = count_leading_zeros(input, input_length, '1');
141
142 BigInt v;
143
144 for(size_t i = leading_zeros; i != input_length; ++i) {
145 const char c = input[i];
146
147 if(c == ' ' || c == '\n') {
148 continue;
149 }
150
151 const uint8_t idx = base58_value_of(c);
152
153 if(idx == 0xFF) {
154 throw Decoding_Error("Invalid base58");
155 }
156
157 v *= 58;
158 v += idx;
159 }
160
162}
References Botan::BigInt::bytes(), and Botan::BigInt::serialize().
Referenced by base58_check_decode(), and base58_decode().
◆ base58_decode() [2/2]
|
inline |
Definition at line 54 of file base58.h.
References base58_decode().
◆ base58_encode() [1/2]
| std::string Botan::base58_encode | ( | const uint8_t | input[], |
| size_t | input_length ) |
Perform base58 encoding
This is raw base58 encoding, without the checksum
Definition at line 127 of file base58.cpp.
References base58_encode().
Referenced by base58_check_encode(), base58_encode(), and base58_encode().
◆ base58_encode() [2/2]
|
inline |
Definition at line 46 of file base58.h.
References base58_encode().
◆ base64_decode() [1/6]
| secure_vector< uint8_t > Botan::base64_decode | ( | const char | input[], |
| size_t | input_length, | ||
| bool | ignore_ws = true ) |
Perform base64 decoding
- Parameters
-
input some base64 input input_length the length of input in bytes ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- decoded base64 output
Definition at line 188 of file base64.cpp.
188 {
189 return base_decode_to_vec<secure_vector<uint8_t>>(Base64(), input, input_length, ignore_ws);
190}
References base_decode_to_vec().
◆ base64_decode() [2/6]
| size_t Botan::base64_decode | ( | std::span< uint8_t > | output, |
| std::string_view | input, | ||
| bool | ignore_ws = true ) |
Perform base64 decoding
- Parameters
-
output a contiguous byte buffer of at least base64_decode_max_output bytes input some base64 input ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- number of bytes written to output
Definition at line 181 of file base64.cpp.
181 {
184 }
185 return base64_decode(output.data(), input.data(), input.length(), ignore_ws);
186}
Definition exceptn.h:131
References base64_decode(), and base64_decode_max_output().
◆ base64_decode() [3/6]
| secure_vector< uint8_t > Botan::base64_decode | ( | std::string_view | input, |
| bool | ignore_ws = true ) |
Perform base64 decoding
- Parameters
-
input some base64 input ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- decoded base64 output
Definition at line 192 of file base64.cpp.
References base64_decode().
◆ base64_decode() [4/6]
| size_t Botan::base64_decode | ( | uint8_t | output[], |
| const char | input[], | ||
| size_t | input_length, | ||
| size_t & | input_consumed, | ||
| bool | final_inputs, | ||
| bool | ignore_ws = true ) |
Perform base64 decoding
- Parameters
-
output an array of at least base64_decode_max_output bytes input some base64 input input_length length of input in bytes input_consumed is an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input. final_inputs true iff this is the last input, in which case padding is allowed ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- number of bytes written to output
Definition at line 168 of file base64.cpp.
169 {
171}
References base_decode().
Referenced by argon2_check_pwhash(), base64_decode(), base64_decode(), base64_decode(), botan_base64_decode(), Botan::Roughtime::Chain::Chain(), check_passhash9(), Botan::PEM_Code::decode(), Botan::Base64_Decoder::end_msg(), Botan::Encrypted_PSK_Database::get(), Botan::Encrypted_PSK_Database::list_names(), Botan::Roughtime::servers_from_str(), and Botan::Base64_Decoder::write().
◆ base64_decode() [5/6]
| size_t Botan::base64_decode | ( | uint8_t | output[], |
| const char | input[], | ||
| size_t | input_length, | ||
| bool | ignore_ws = true ) |
Perform base64 decoding
- Parameters
-
output an array of at least base64_decode_max_output bytes input some base64 input input_length length of input in bytes ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- number of bytes written to output
Definition at line 173 of file base64.cpp.
References base_decode_full().
◆ base64_decode() [6/6]
| size_t Botan::base64_decode | ( | uint8_t | output[], |
| std::string_view | input, | ||
| bool | ignore_ws = true ) |
Perform base64 decoding
- Parameters
-
output an array of at least base64_decode_max_output bytes input some base64 input ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- number of bytes written to output
Definition at line 177 of file base64.cpp.
References base64_decode().
◆ base64_decode_max_output()
| size_t Botan::base64_decode_max_output | ( | size_t | input_length | ) |
Calculate the size of output buffer for base64_decode
- Parameters
-
input_length the length of input in bytes
- Returns
- the size of output buffer in bytes
Definition at line 200 of file base64.cpp.
200 {
201 return Base64::decode_max_output(input_length);
202}
Referenced by argon2_check_pwhash(), base64_decode(), and botan_base64_decode().
◆ base64_encode() [1/3]
| size_t Botan::base64_encode | ( | char | output[], |
| const uint8_t | input[], | ||
| size_t | input_length, | ||
| size_t & | input_consumed, | ||
| bool | final_inputs ) |
Perform base64 encoding
- Parameters
-
output an array of at least base64_encode_max_output bytes input is some binary data input_length length of input in bytes input_consumed is an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input. final_inputs true iff this is the last input, in which case padding chars will be applied if needed
- Returns
- number of bytes written to output
Definition at line 160 of file base64.cpp.
References base_encode().
Referenced by argon2_generate_pwhash(), base64_encode(), Botan::OCSP::Request::base64_encode(), botan_base64_encode(), Botan::PEM_Code::encode(), generate_passhash9(), Botan::Encrypted_PSK_Database::get(), Botan::Encrypted_PSK_Database::remove(), Botan::Encrypted_PSK_Database::set(), and Botan::Roughtime::Chain::to_string().
◆ base64_encode() [2/3]
| std::string Botan::base64_encode | ( | const uint8_t | input[], |
| size_t | input_length ) |
Perform base64 encoding
- Parameters
-
input some input input_length length of input in bytes
- Returns
- base64adecimal representation of input
Definition at line 164 of file base64.cpp.
References base_encode_to_string().
◆ base64_encode() [3/3]
|
inline |
Perform base64 encoding
- Parameters
-
input some input
- Returns
- base64adecimal representation of input
Definition at line 47 of file base64.h.
References base64_encode().
◆ base64_encode_max_output()
| size_t Botan::base64_encode_max_output | ( | size_t | input_length | ) |
Calculate the size of output buffer for base64_encode
- Parameters
-
input_length the length of input in bytes
- Returns
- the size of output buffer in bytes
Definition at line 196 of file base64.cpp.
196 {
197 return Base64::encode_max_output(input_length);
198}
◆ base_decode()
template<typename Base >
| size_t Botan::base_decode | ( | Base && | base, |
| uint8_t | output[], | ||
| const char | input[], | ||
| size_t | input_length, | ||
| size_t & | input_consumed, | ||
| bool | final_inputs, | ||
| bool | ignore_ws = true ) |
Perform decoding using the base provided
- Parameters
-
base object giving access to the encodings specifications output an array of at least Base::decode_max_output bytes input some base input input_length length of input in bytes input_consumed is an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input. final_inputs true iff this is the last input, in which case padding is allowed ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- number of bytes written to output
Definition at line 112 of file codec_base.h.
118 {
119 const size_t decoding_bytes_in = base.decoding_bytes_in();
120 const size_t decoding_bytes_out = base.decoding_bytes_out();
121
122 uint8_t* out_ptr = output;
123 std::vector<uint8_t> decode_buf(decoding_bytes_in, 0);
124 size_t decode_buf_pos = 0;
125 size_t final_truncate = 0;
126
127 clear_mem(output, base.decode_max_output(input_length));
128
129 for(size_t i = 0; i != input_length; ++i) {
130 const uint8_t bin = base.lookup_binary_value(input[i]);
131
132 // This call might throw Invalid_Argument
133 if(base.check_bad_char(bin, input[i], ignore_ws)) {
134 decode_buf[decode_buf_pos] = bin;
135 ++decode_buf_pos;
136 }
137
138 /*
139 * If we're at the end of the input, pad with 0s and truncate
140 */
141 if(final_inputs && (i == input_length - 1)) {
142 if(decode_buf_pos) {
143 for(size_t j = decode_buf_pos; j < decoding_bytes_in; ++j) {
144 decode_buf[j] = 0;
145 }
146
147 final_truncate = decoding_bytes_in - decode_buf_pos;
148 decode_buf_pos = decoding_bytes_in;
149 }
150 }
151
152 if(decode_buf_pos == decoding_bytes_in) {
153 base.decode(out_ptr, decode_buf.data());
154
155 out_ptr += decoding_bytes_out;
156 decode_buf_pos = 0;
157 input_consumed = i + 1;
158 }
159 }
160
161 while(input_consumed < input_length && base.lookup_binary_value(input[input_consumed]) == 0x80) {
162 ++input_consumed;
163 }
164
166
167 return written;
168}
References clear_mem(), and out_ptr().
Referenced by base32_decode(), base64_decode(), and base_decode_full().
◆ base_decode_full()
template<typename Base >
| size_t Botan::base_decode_full | ( | Base && | base, |
| uint8_t | output[], | ||
| const char | input[], | ||
| size_t | input_length, | ||
| bool | ignore_ws ) |
Definition at line 171 of file codec_base.h.
171 {
172 size_t consumed = 0;
173 const size_t written = base_decode(base, output, input, input_length, consumed, true, ignore_ws);
174
175 if(consumed != input_length) {
177 }
178
179 return written;
180}
References base_decode().
Referenced by base32_decode(), base64_decode(), and base_decode_to_vec().
◆ base_decode_to_vec()
template<typename Vector , typename Base >
| Vector Botan::base_decode_to_vec | ( | Base && | base, |
| const char | input[], | ||
| size_t | input_length, | ||
| bool | ignore_ws ) |
Definition at line 183 of file codec_base.h.
183 {
184 const size_t output_length = base.decode_max_output(input_length);
185 Vector bin(output_length);
186
188
189 bin.resize(written);
190 return bin;
191}
References base_decode_full().
Referenced by base32_decode(), and base64_decode().
◆ base_encode()
template<class Base >
| size_t Botan::base_encode | ( | Base && | base, |
| char | output[], | ||
| const uint8_t | input[], | ||
| size_t | input_length, | ||
| size_t & | input_consumed, | ||
| bool | final_inputs ) |
Perform encoding using the base provided
- Parameters
-
base object giving access to the encodings specifications output an array of at least base.encode_max_output bytes input is some binary data input_length length of input in bytes input_consumed is an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input. final_inputs true iff this is the last input, in which case padding chars will be applied if needed
- Returns
- number of bytes written to output
Definition at line 34 of file codec_base.h.
35 {
36 input_consumed = 0;
37
38 const size_t encoding_bytes_in = base.encoding_bytes_in();
39 const size_t encoding_bytes_out = base.encoding_bytes_out();
40
41 size_t input_remaining = input_length;
42 size_t output_produced = 0;
43
44 while(input_remaining >= encoding_bytes_in) {
45 base.encode(output + output_produced, input + input_consumed);
46
47 input_consumed += encoding_bytes_in;
48 output_produced += encoding_bytes_out;
49 input_remaining -= encoding_bytes_in;
50 }
51
52 if(final_inputs && input_remaining) {
53 std::vector<uint8_t> remainder(encoding_bytes_in, 0);
54 for(size_t i = 0; i != input_remaining; ++i) {
55 remainder[i] = input[input_consumed + i];
56 }
57
58 base.encode(output + output_produced, remainder.data());
59
60 const size_t bits_consumed = base.bits_consumed();
61 const size_t remaining_bits_before_padding = base.remaining_bits_before_padding();
62
63 size_t empty_bits = 8 * (encoding_bytes_in - input_remaining);
64 size_t index = output_produced + encoding_bytes_out - 1;
65 while(empty_bits >= remaining_bits_before_padding) {
66 output[index--] = '=';
67 empty_bits -= bits_consumed;
68 }
69
70 input_consumed += input_remaining;
71 output_produced += encoding_bytes_out;
72 }
73
74 return output_produced;
75}
Referenced by base32_encode(), base64_encode(), and base_encode_to_string().
◆ base_encode_to_string()
template<typename Base >
| std::string Botan::base_encode_to_string | ( | Base && | base, |
| const uint8_t | input[], | ||
| size_t | input_length ) |
Definition at line 78 of file codec_base.h.
78 {
79 const size_t output_length = base.encode_max_output(input_length);
80 std::string output(output_length, 0);
81
82 size_t consumed = 0;
83 size_t produced = 0;
84
85 if(output_length > 0) {
87 }
88
91
92 return output;
93}
References base_encode(), and BOTAN_ASSERT_EQUAL.
Referenced by base32_encode(), and base64_encode().
◆ basecase_mul()
| void Botan::basecase_mul | ( | word | z[], |
| size_t | z_size, | ||
| const word | x[], | ||
| size_t | x_size, | ||
| const word | y[], | ||
| size_t | y_size ) |
Basecase O(N^2) multiplication
Definition at line 20 of file mp_karat.cpp.
20 {
21 if(z_size < x_size + y_size) {
23 }
24
25 const size_t x_size_8 = x_size - (x_size % 8);
26
27 clear_mem(z, z_size);
28
29 for(size_t i = 0; i != y_size; ++i) {
30 const word y_i = y[i];
31
32 word carry = 0;
33
34 for(size_t j = 0; j != x_size_8; j += 8) {
35 carry = word8_madd3(z + i + j, x + j, y_i, carry);
36 }
37
38 for(size_t j = x_size_8; j != x_size; ++j) {
39 z[i + j] = word_madd3(x[j], y_i, z[i + j], &carry);
40 }
41
42 z[x_size + i] = carry;
43 }
44}
References carry(), clear_mem(), word8_madd3(), and word_madd3().
Referenced by bigint_mul().
◆ basecase_sqr()
| void Botan::basecase_sqr | ( | word | z[], |
| size_t | z_size, | ||
| const word | x[], | ||
| size_t | x_size ) |
Basecase O(N^2) squaring
Definition at line 46 of file mp_karat.cpp.
46 {
47 if(z_size < 2 * x_size) {
49 }
50
51 const size_t x_size_8 = x_size - (x_size % 8);
52
53 clear_mem(z, z_size);
54
55 for(size_t i = 0; i != x_size; ++i) {
56 const word x_i = x[i];
57
58 word carry = 0;
59
60 for(size_t j = 0; j != x_size_8; j += 8) {
61 carry = word8_madd3(z + i + j, x + j, x_i, carry);
62 }
63
64 for(size_t j = x_size_8; j != x_size; ++j) {
65 z[i + j] = word_madd3(x[j], x_i, z[i + j], &carry);
66 }
67
68 z[x_size + i] = carry;
69 }
70}
References carry(), clear_mem(), word8_madd3(), and word_madd3().
Referenced by bigint_sqr().
◆ bcrypt_pbkdf()
|
inline |
Bcrypt PBKDF compatible with OpenBSD bcrypt_pbkdf
Definition at line 74 of file bcrypt_pbkdf.h.
80 {
81 auto pwdhash_fam = PasswordHashFamily::create_or_throw("Bcrypt-PBKDF");
82 auto pwdhash = pwdhash_fam->from_params(rounds);
83 pwdhash->derive_key(output, output_len, password, password_len, salt, salt_len);
84}
◆ bigint_add()
template<WordType W, size_t N>
|
inlineconstexpr |
Definition at line 257 of file mp_core.h.
257 {
258 if constexpr(N == 4) {
259 return word4_add3<W>(z.data(), x.data(), y.data(), 0);
260 } else if constexpr(N == 8) {
261 return word8_add3<W>(z.data(), x.data(), y.data(), 0);
262 } else {
264 }
265}
constexpr auto bigint_add3_nc(W z[], const W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:232
References bigint_add3_nc(), word4_add3(), and word8_add3().
◆ bigint_add2()
template<WordType W>
|
inlineconstexpr |
Two operand addition
- Parameters
-
x the first operand (and output) x_size size of x y the second operand y_size size of y (must be <= x_size)
Definition at line 275 of file mp_core.h.
275 {
276 x[x_size] += bigint_add2_nc(x, x_size, y, y_size);
277}
constexpr auto bigint_add2_nc(W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:206
References bigint_add2_nc().
Referenced by Botan::BigInt::add().
◆ bigint_add2_nc()
template<WordType W>
|
inlineconstexpr |
Two operand addition with carry out
Definition at line 206 of file mp_core.h.
206 {
207 W carry = 0;
208
210
211 const size_t blocks = y_size - (y_size % 8);
212
213 for(size_t i = 0; i != blocks; i += 8) {
215 }
216
217 for(size_t i = blocks; i != y_size; ++i) {
218 x[i] = word_add(x[i], y[i], &carry);
219 }
220
221 for(size_t i = y_size; i != x_size; ++i) {
223 }
224
226}
constexpr auto word8_add2(W x[8], const W y[8], W carry) -> W
Definition mp_asmi.h:210
References BOTAN_ASSERT, carry(), word8_add2(), and word_add().
Referenced by bigint_add2(), and redc_crandall().
◆ bigint_add3()
template<WordType W>
|
inlineconstexpr |
Three operand addition
Definition at line 283 of file mp_core.h.
References bigint_add3_nc().
Referenced by Botan::BigInt::add2().
◆ bigint_add3_nc()
template<WordType W>
|
inlineconstexpr |
Three operand addition with carry out
Definition at line 232 of file mp_core.h.
232 {
233 if(x_size < y_size) {
235 }
236
237 W carry = 0;
238
239 const size_t blocks = y_size - (y_size % 8);
240
241 for(size_t i = 0; i != blocks; i += 8) {
242 carry = word8_add3(z + i, x + i, y + i, carry);
243 }
244
245 for(size_t i = blocks; i != y_size; ++i) {
246 z[i] = word_add(x[i], y[i], &carry);
247 }
248
249 for(size_t i = y_size; i != x_size; ++i) {
251 }
252
254}
References bigint_add3_nc(), carry(), word8_add3(), and word_add().
Referenced by bigint_add(), bigint_add3(), bigint_add3_nc(), Botan::BigInt::mod_add(), and redc_p521().
◆ bigint_cmp()
template<WordType W>
|
inlineconstexpr |
Compare x and y Return -1 if x < y Return 0 if x == y Return 1 if x > y
Definition at line 592 of file mp_core.h.
592 {
593 static_assert(sizeof(W) >= sizeof(uint32_t), "Size assumption");
594
595 const W LT = static_cast<W>(-1);
596 const W EQ = 0;
597 const W GT = 1;
598
599 const size_t common_elems = std::min(x_size, y_size);
600
601 W result = EQ; // until found otherwise
602
603 for(size_t i = 0; i != common_elems; i++) {
606
607 result = is_eq.select(result, is_lt.select(LT, GT));
608 }
609
610 if(x_size < y_size) {
611 W mask = 0;
612 for(size_t i = x_size; i != y_size; i++) {
613 mask |= y[i];
614 }
615
616 // If any bits were set in high part of y, then x < y
617 result = CT::Mask<W>::is_zero(mask).select(result, LT);
618 } else if(y_size < x_size) {
619 W mask = 0;
620 for(size_t i = y_size; i != x_size; i++) {
621 mask |= x[i];
622 }
623
624 // If any bits were set in high part of x, then x > y
625 result = CT::Mask<W>::is_zero(mask).select(result, GT);
626 }
627
628 CT::unpoison(result);
629 BOTAN_DEBUG_ASSERT(result == LT || result == GT || result == EQ);
630 return static_cast<int32_t>(result);
631}
Definition ct_utils.h:360
References BOTAN_DEBUG_ASSERT, Botan::CT::Mask< T >::is_equal(), Botan::CT::Mask< T >::is_lt(), Botan::CT::Mask< T >::is_zero(), and Botan::CT::unpoison().
Referenced by Botan::BigInt::add(), bigint_sub_abs(), Botan::BigInt::cmp(), Botan::BigInt::cmp_word(), and gcd().
◆ bigint_cnd_abs()
template<WordType W>
|
inlineconstexpr |
Definition at line 192 of file mp_core.h.
192 {
194
195 W carry = mask.if_set_return(1);
196 for(size_t i = 0; i != size; ++i) {
198 x[i] = mask.select(z, x[i]);
199 }
200}
References carry(), Botan::CT::Mask< T >::expand(), and word_add().
◆ bigint_cnd_add() [1/2]
template<WordType W>
|
inlineconstexpr |
Definition at line 75 of file mp_core.h.
75 {
77}
constexpr W bigint_cnd_add(W cnd, W x[], size_t x_size, const W y[], size_t y_size)
Definition mp_core.h:42
References bigint_cnd_add().
◆ bigint_cnd_add() [2/2]
template<WordType W>
|
inlineconstexpr |
Definition at line 42 of file mp_core.h.
42 {
44
46
47 W carry = 0;
48
49 const size_t blocks = y_size - (y_size % 8);
50 W z[8] = {0};
51
52 for(size_t i = 0; i != blocks; i += 8) {
53 carry = word8_add3(z, x + i, y + i, carry);
54 mask.select_n(x + i, z, x + i, 8);
55 }
56
57 for(size_t i = blocks; i != y_size; ++i) {
58 z[0] = word_add(x[i], y[i], &carry);
59 x[i] = mask.select(z[0], x[i]);
60 }
61
62 for(size_t i = y_size; i != x_size; ++i) {
64 x[i] = mask.select(z[0], x[i]);
65 }
66
67 return mask.if_set_return(carry);
68}
References BOTAN_ASSERT, carry(), Botan::CT::Mask< T >::expand(), word8_add3(), and word_add().
Referenced by bigint_cnd_add(), Botan::BigInt::ct_cond_add(), redc_p192(), redc_p224(), redc_p256(), and redc_p384().
◆ bigint_cnd_add_or_sub()
template<WordType W>
|
inlineconstexpr |
Definition at line 129 of file mp_core.h.
129 {
130 const size_t blocks = size - (size % 8);
131
132 W carry = 0;
133 W borrow = 0;
134
135 W t0[8] = {0};
136 W t1[8] = {0};
137
138 for(size_t i = 0; i != blocks; i += 8) {
140 borrow = word8_sub3(t1, x + i, y + i, borrow);
141 mask.select_n(x + i, t0, t1, 8);
142 }
143
144 for(size_t i = blocks; i != size; ++i) {
147
148 x[i] = mask.select(a, s);
149 }
150}
constexpr void select_n(T output[], const T x[], const T y[], size_t len) const
Definition ct_utils.h:557
constexpr auto word8_sub3(W z[8], const W x[8], const W y[8], W carry) -> W
Definition mp_asmi.h:366
constexpr auto word8_add3(W z[8], const W x[8], const W y[8], W carry) -> W
Definition mp_asmi.h:236
References carry(), Botan::CT::Mask< T >::select(), Botan::CT::Mask< T >::select_n(), word8_add3(), word8_sub3(), word_add(), and word_sub().
◆ bigint_cnd_addsub()
template<WordType W>
|
inlineconstexpr |
Definition at line 162 of file mp_core.h.
162 {
163 const size_t blocks = size - (size % 8);
164
165 W carry = 0;
166 W borrow = 0;
167
168 W t0[8] = {0};
169 W t1[8] = {0};
170
171 for(size_t i = 0; i != blocks; i += 8) {
173 borrow = word8_sub3(t1, x + i, z + i, borrow);
174 mask.select_n(x + i, t0, t1, 8);
175 }
176
177 for(size_t i = blocks; i != size; ++i) {
178 t0[0] = word_add(x[i], y[i], &carry);
179 t1[0] = word_sub(x[i], z[i], &borrow);
180 x[i] = mask.select(t0[0], t1[0]);
181 }
182
184}
References carry(), word8_add3(), word8_sub3(), word_add(), and word_sub().
Referenced by bigint_mod_sub(), and bigint_mod_sub_n().
◆ bigint_cnd_sub() [1/2]
template<WordType W>
|
inlineconstexpr |
Definition at line 117 of file mp_core.h.
117 {
119}
constexpr auto bigint_cnd_sub(W cnd, W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:84
References bigint_cnd_sub().
◆ bigint_cnd_sub() [2/2]
template<WordType W>
|
inlineconstexpr |
Definition at line 84 of file mp_core.h.
84 {
86
88
89 W carry = 0;
90
91 const size_t blocks = y_size - (y_size % 8);
92 W z[8] = {0};
93
94 for(size_t i = 0; i != blocks; i += 8) {
95 carry = word8_sub3(z, x + i, y + i, carry);
96 mask.select_n(x + i, z, x + i, 8);
97 }
98
99 for(size_t i = blocks; i != y_size; ++i) {
100 z[0] = word_sub(x[i], y[i], &carry);
101 x[i] = mask.select(z[0], x[i]);
102 }
103
104 for(size_t i = y_size; i != x_size; ++i) {
106 x[i] = mask.select(z[0], x[i]);
107 }
108
109 return mask.if_set_return(carry);
110}
References BOTAN_ASSERT, carry(), Botan::CT::Mask< T >::expand(), word8_sub3(), and word_sub().
Referenced by bigint_cnd_sub(), and redc_p521().
◆ bigint_cnd_swap()
template<WordType W>
|
inlineconstexpr |
Definition at line 30 of file mp_core.h.
30 {
32
33 for(size_t i = 0; i != size; ++i) {
34 const W a = x[i];
36 x[i] = mask.select(b, a);
37 y[i] = mask.select(a, b);
38 }
39}
References b, and Botan::CT::Mask< T >::expand().
Referenced by Botan::BigInt::ct_cond_swap().
◆ bigint_comba_mul16()
| BOTAN_FUZZER_API void Botan::bigint_comba_mul16 | ( | word | z[32], |
| const word | x[16], | ||
| const word | y[16] ) |
Definition at line 794 of file mp_comba.cpp.
794 {
795 word3<word> accum;
796
797 accum.mul(x[0], y[0]);
798 z[0] = accum.extract();
799 accum.mul(x[0], y[1]);
800 accum.mul(x[1], y[0]);
801 z[1] = accum.extract();
802 accum.mul(x[0], y[2]);
803 accum.mul(x[1], y[1]);
804 accum.mul(x[2], y[0]);
805 z[2] = accum.extract();
806 accum.mul(x[0], y[3]);
807 accum.mul(x[1], y[2]);
808 accum.mul(x[2], y[1]);
809 accum.mul(x[3], y[0]);
810 z[3] = accum.extract();
811 accum.mul(x[0], y[4]);
812 accum.mul(x[1], y[3]);
813 accum.mul(x[2], y[2]);
814 accum.mul(x[3], y[1]);
815 accum.mul(x[4], y[0]);
816 z[4] = accum.extract();
817 accum.mul(x[0], y[5]);
818 accum.mul(x[1], y[4]);
819 accum.mul(x[2], y[3]);
820 accum.mul(x[3], y[2]);
821 accum.mul(x[4], y[1]);
822 accum.mul(x[5], y[0]);
823 z[5] = accum.extract();
824 accum.mul(x[0], y[6]);
825 accum.mul(x[1], y[5]);
826 accum.mul(x[2], y[4]);
827 accum.mul(x[3], y[3]);
828 accum.mul(x[4], y[2]);
829 accum.mul(x[5], y[1]);
830 accum.mul(x[6], y[0]);
831 z[6] = accum.extract();
832 accum.mul(x[0], y[7]);
833 accum.mul(x[1], y[6]);
834 accum.mul(x[2], y[5]);
835 accum.mul(x[3], y[4]);
836 accum.mul(x[4], y[3]);
837 accum.mul(x[5], y[2]);
838 accum.mul(x[6], y[1]);
839 accum.mul(x[7], y[0]);
840 z[7] = accum.extract();
841 accum.mul(x[0], y[8]);
842 accum.mul(x[1], y[7]);
843 accum.mul(x[2], y[6]);
844 accum.mul(x[3], y[5]);
845 accum.mul(x[4], y[4]);
846 accum.mul(x[5], y[3]);
847 accum.mul(x[6], y[2]);
848 accum.mul(x[7], y[1]);
849 accum.mul(x[8], y[0]);
850 z[8] = accum.extract();
851 accum.mul(x[0], y[9]);
852 accum.mul(x[1], y[8]);
853 accum.mul(x[2], y[7]);
854 accum.mul(x[3], y[6]);
855 accum.mul(x[4], y[5]);
856 accum.mul(x[5], y[4]);
857 accum.mul(x[6], y[3]);
858 accum.mul(x[7], y[2]);
859 accum.mul(x[8], y[1]);
860 accum.mul(x[9], y[0]);
861 z[9] = accum.extract();
862 accum.mul(x[0], y[10]);
863 accum.mul(x[1], y[9]);
864 accum.mul(x[2], y[8]);
865 accum.mul(x[3], y[7]);
866 accum.mul(x[4], y[6]);
867 accum.mul(x[5], y[5]);
868 accum.mul(x[6], y[4]);
869 accum.mul(x[7], y[3]);
870 accum.mul(x[8], y[2]);
871 accum.mul(x[9], y[1]);
872 accum.mul(x[10], y[0]);
873 z[10] = accum.extract();
874 accum.mul(x[0], y[11]);
875 accum.mul(x[1], y[10]);
876 accum.mul(x[2], y[9]);
877 accum.mul(x[3], y[8]);
878 accum.mul(x[4], y[7]);
879 accum.mul(x[5], y[6]);
880 accum.mul(x[6], y[5]);
881 accum.mul(x[7], y[4]);
882 accum.mul(x[8], y[3]);
883 accum.mul(x[9], y[2]);
884 accum.mul(x[10], y[1]);
885 accum.mul(x[11], y[0]);
886 z[11] = accum.extract();
887 accum.mul(x[0], y[12]);
888 accum.mul(x[1], y[11]);
889 accum.mul(x[2], y[10]);
890 accum.mul(x[3], y[9]);
891 accum.mul(x[4], y[8]);
892 accum.mul(x[5], y[7]);
893 accum.mul(x[6], y[6]);
894 accum.mul(x[7], y[5]);
895 accum.mul(x[8], y[4]);
896 accum.mul(x[9], y[3]);
897 accum.mul(x[10], y[2]);
898 accum.mul(x[11], y[1]);
899 accum.mul(x[12], y[0]);
900 z[12] = accum.extract();
901 accum.mul(x[0], y[13]);
902 accum.mul(x[1], y[12]);
903 accum.mul(x[2], y[11]);
904 accum.mul(x[3], y[10]);
905 accum.mul(x[4], y[9]);
906 accum.mul(x[5], y[8]);
907 accum.mul(x[6], y[7]);
908 accum.mul(x[7], y[6]);
909 accum.mul(x[8], y[5]);
910 accum.mul(x[9], y[4]);
911 accum.mul(x[10], y[3]);
912 accum.mul(x[11], y[2]);
913 accum.mul(x[12], y[1]);
914 accum.mul(x[13], y[0]);
915 z[13] = accum.extract();
916 accum.mul(x[0], y[14]);
917 accum.mul(x[1], y[13]);
918 accum.mul(x[2], y[12]);
919 accum.mul(x[3], y[11]);
920 accum.mul(x[4], y[10]);
921 accum.mul(x[5], y[9]);
922 accum.mul(x[6], y[8]);
923 accum.mul(x[7], y[7]);
924 accum.mul(x[8], y[6]);
925 accum.mul(x[9], y[5]);
926 accum.mul(x[10], y[4]);
927 accum.mul(x[11], y[3]);
928 accum.mul(x[12], y[2]);
929 accum.mul(x[13], y[1]);
930 accum.mul(x[14], y[0]);
931 z[14] = accum.extract();
932 accum.mul(x[0], y[15]);
933 accum.mul(x[1], y[14]);
934 accum.mul(x[2], y[13]);
935 accum.mul(x[3], y[12]);
936 accum.mul(x[4], y[11]);
937 accum.mul(x[5], y[10]);
938 accum.mul(x[6], y[9]);
939 accum.mul(x[7], y[8]);
940 accum.mul(x[8], y[7]);
941 accum.mul(x[9], y[6]);
942 accum.mul(x[10], y[5]);
943 accum.mul(x[11], y[4]);
944 accum.mul(x[12], y[3]);
945 accum.mul(x[13], y[2]);
946 accum.mul(x[14], y[1]);
947 accum.mul(x[15], y[0]);
948 z[15] = accum.extract();
949 accum.mul(x[1], y[15]);
950 accum.mul(x[2], y[14]);
951 accum.mul(x[3], y[13]);
952 accum.mul(x[4], y[12]);
953 accum.mul(x[5], y[11]);
954 accum.mul(x[6], y[10]);
955 accum.mul(x[7], y[9]);
956 accum.mul(x[8], y[8]);
957 accum.mul(x[9], y[7]);
958 accum.mul(x[10], y[6]);
959 accum.mul(x[11], y[5]);
960 accum.mul(x[12], y[4]);
961 accum.mul(x[13], y[3]);
962 accum.mul(x[14], y[2]);
963 accum.mul(x[15], y[1]);
964 z[16] = accum.extract();
965 accum.mul(x[2], y[15]);
966 accum.mul(x[3], y[14]);
967 accum.mul(x[4], y[13]);
968 accum.mul(x[5], y[12]);
969 accum.mul(x[6], y[11]);
970 accum.mul(x[7], y[10]);
971 accum.mul(x[8], y[9]);
972 accum.mul(x[9], y[8]);
973 accum.mul(x[10], y[7]);
974 accum.mul(x[11], y[6]);
975 accum.mul(x[12], y[5]);
976 accum.mul(x[13], y[4]);
977 accum.mul(x[14], y[3]);
978 accum.mul(x[15], y[2]);
979 z[17] = accum.extract();
980 accum.mul(x[3], y[15]);
981 accum.mul(x[4], y[14]);
982 accum.mul(x[5], y[13]);
983 accum.mul(x[6], y[12]);
984 accum.mul(x[7], y[11]);
985 accum.mul(x[8], y[10]);
986 accum.mul(x[9], y[9]);
987 accum.mul(x[10], y[8]);
988 accum.mul(x[11], y[7]);
989 accum.mul(x[12], y[6]);
990 accum.mul(x[13], y[5]);
991 accum.mul(x[14], y[4]);
992 accum.mul(x[15], y[3]);
993 z[18] = accum.extract();
994 accum.mul(x[4], y[15]);
995 accum.mul(x[5], y[14]);
996 accum.mul(x[6], y[13]);
997 accum.mul(x[7], y[12]);
998 accum.mul(x[8], y[11]);
999 accum.mul(x[9], y[10]);
1000 accum.mul(x[10], y[9]);
1001 accum.mul(x[11], y[8]);
1002 accum.mul(x[12], y[7]);
1003 accum.mul(x[13], y[6]);
1004 accum.mul(x[14], y[5]);
1005 accum.mul(x[15], y[4]);
1006 z[19] = accum.extract();
1007 accum.mul(x[5], y[15]);
1008 accum.mul(x[6], y[14]);
1009 accum.mul(x[7], y[13]);
1010 accum.mul(x[8], y[12]);
1011 accum.mul(x[9], y[11]);
1012 accum.mul(x[10], y[10]);
1013 accum.mul(x[11], y[9]);
1014 accum.mul(x[12], y[8]);
1015 accum.mul(x[13], y[7]);
1016 accum.mul(x[14], y[6]);
1017 accum.mul(x[15], y[5]);
1018 z[20] = accum.extract();
1019 accum.mul(x[6], y[15]);
1020 accum.mul(x[7], y[14]);
1021 accum.mul(x[8], y[13]);
1022 accum.mul(x[9], y[12]);
1023 accum.mul(x[10], y[11]);
1024 accum.mul(x[11], y[10]);
1025 accum.mul(x[12], y[9]);
1026 accum.mul(x[13], y[8]);
1027 accum.mul(x[14], y[7]);
1028 accum.mul(x[15], y[6]);
1029 z[21] = accum.extract();
1030 accum.mul(x[7], y[15]);
1031 accum.mul(x[8], y[14]);
1032 accum.mul(x[9], y[13]);
1033 accum.mul(x[10], y[12]);
1034 accum.mul(x[11], y[11]);
1035 accum.mul(x[12], y[10]);
1036 accum.mul(x[13], y[9]);
1037 accum.mul(x[14], y[8]);
1038 accum.mul(x[15], y[7]);
1039 z[22] = accum.extract();
1040 accum.mul(x[8], y[15]);
1041 accum.mul(x[9], y[14]);
1042 accum.mul(x[10], y[13]);
1043 accum.mul(x[11], y[12]);
1044 accum.mul(x[12], y[11]);
1045 accum.mul(x[13], y[10]);
1046 accum.mul(x[14], y[9]);
1047 accum.mul(x[15], y[8]);
1048 z[23] = accum.extract();
1049 accum.mul(x[9], y[15]);
1050 accum.mul(x[10], y[14]);
1051 accum.mul(x[11], y[13]);
1052 accum.mul(x[12], y[12]);
1053 accum.mul(x[13], y[11]);
1054 accum.mul(x[14], y[10]);
1055 accum.mul(x[15], y[9]);
1056 z[24] = accum.extract();
1057 accum.mul(x[10], y[15]);
1058 accum.mul(x[11], y[14]);
1059 accum.mul(x[12], y[13]);
1060 accum.mul(x[13], y[12]);
1061 accum.mul(x[14], y[11]);
1062 accum.mul(x[15], y[10]);
1063 z[25] = accum.extract();
1064 accum.mul(x[11], y[15]);
1065 accum.mul(x[12], y[14]);
1066 accum.mul(x[13], y[13]);
1067 accum.mul(x[14], y[12]);
1068 accum.mul(x[15], y[11]);
1069 z[26] = accum.extract();
1070 accum.mul(x[12], y[15]);
1071 accum.mul(x[13], y[14]);
1072 accum.mul(x[14], y[13]);
1073 accum.mul(x[15], y[12]);
1074 z[27] = accum.extract();
1075 accum.mul(x[13], y[15]);
1076 accum.mul(x[14], y[14]);
1077 accum.mul(x[15], y[13]);
1078 z[28] = accum.extract();
1079 accum.mul(x[14], y[15]);
1080 accum.mul(x[15], y[14]);
1081 z[29] = accum.extract();
1082 accum.mul(x[15], y[15]);
1083 z[30] = accum.extract();
1084 z[31] = accum.extract();
1085}
Definition mp_asmi.h:596
References Botan::word3< W >::extract(), and Botan::word3< W >::mul().
Referenced by bigint_mul(), and comba_mul().
◆ bigint_comba_mul24()
| BOTAN_FUZZER_API void Botan::bigint_comba_mul24 | ( | word | z[48], |
| const word | x[24], | ||
| const word | y[24] ) |
Definition at line 1446 of file mp_comba.cpp.
1446 {
1447 word3<word> accum;
1448
1449 accum.mul(x[0], y[0]);
1450 z[0] = accum.extract();
1451 accum.mul(x[0], y[1]);
1452 accum.mul(x[1], y[0]);
1453 z[1] = accum.extract();
1454 accum.mul(x[0], y[2]);
1455 accum.mul(x[1], y[1]);
1456 accum.mul(x[2], y[0]);
1457 z[2] = accum.extract();
1458 accum.mul(x[0], y[3]);
1459 accum.mul(x[1], y[2]);
1460 accum.mul(x[2], y[1]);
1461 accum.mul(x[3], y[0]);
1462 z[3] = accum.extract();
1463 accum.mul(x[0], y[4]);
1464 accum.mul(x[1], y[3]);
1465 accum.mul(x[2], y[2]);
1466 accum.mul(x[3], y[1]);
1467 accum.mul(x[4], y[0]);
1468 z[4] = accum.extract();
1469 accum.mul(x[0], y[5]);
1470 accum.mul(x[1], y[4]);
1471 accum.mul(x[2], y[3]);
1472 accum.mul(x[3], y[2]);
1473 accum.mul(x[4], y[1]);
1474 accum.mul(x[5], y[0]);
1475 z[5] = accum.extract();
1476 accum.mul(x[0], y[6]);
1477 accum.mul(x[1], y[5]);
1478 accum.mul(x[2], y[4]);
1479 accum.mul(x[3], y[3]);
1480 accum.mul(x[4], y[2]);
1481 accum.mul(x[5], y[1]);
1482 accum.mul(x[6], y[0]);
1483 z[6] = accum.extract();
1484 accum.mul(x[0], y[7]);
1485 accum.mul(x[1], y[6]);
1486 accum.mul(x[2], y[5]);
1487 accum.mul(x[3], y[4]);
1488 accum.mul(x[4], y[3]);
1489 accum.mul(x[5], y[2]);
1490 accum.mul(x[6], y[1]);
1491 accum.mul(x[7], y[0]);
1492 z[7] = accum.extract();
1493 accum.mul(x[0], y[8]);
1494 accum.mul(x[1], y[7]);
1495 accum.mul(x[2], y[6]);
1496 accum.mul(x[3], y[5]);
1497 accum.mul(x[4], y[4]);
1498 accum.mul(x[5], y[3]);
1499 accum.mul(x[6], y[2]);
1500 accum.mul(x[7], y[1]);
1501 accum.mul(x[8], y[0]);
1502 z[8] = accum.extract();
1503 accum.mul(x[0], y[9]);
1504 accum.mul(x[1], y[8]);
1505 accum.mul(x[2], y[7]);
1506 accum.mul(x[3], y[6]);
1507 accum.mul(x[4], y[5]);
1508 accum.mul(x[5], y[4]);
1509 accum.mul(x[6], y[3]);
1510 accum.mul(x[7], y[2]);
1511 accum.mul(x[8], y[1]);
1512 accum.mul(x[9], y[0]);
1513 z[9] = accum.extract();
1514 accum.mul(x[0], y[10]);
1515 accum.mul(x[1], y[9]);
1516 accum.mul(x[2], y[8]);
1517 accum.mul(x[3], y[7]);
1518 accum.mul(x[4], y[6]);
1519 accum.mul(x[5], y[5]);
1520 accum.mul(x[6], y[4]);
1521 accum.mul(x[7], y[3]);
1522 accum.mul(x[8], y[2]);
1523 accum.mul(x[9], y[1]);
1524 accum.mul(x[10], y[0]);
1525 z[10] = accum.extract();
1526 accum.mul(x[0], y[11]);
1527 accum.mul(x[1], y[10]);
1528 accum.mul(x[2], y[9]);
1529 accum.mul(x[3], y[8]);
1530 accum.mul(x[4], y[7]);
1531 accum.mul(x[5], y[6]);
1532 accum.mul(x[6], y[5]);
1533 accum.mul(x[7], y[4]);
1534 accum.mul(x[8], y[3]);
1535 accum.mul(x[9], y[2]);
1536 accum.mul(x[10], y[1]);
1537 accum.mul(x[11], y[0]);
1538 z[11] = accum.extract();
1539 accum.mul(x[0], y[12]);
1540 accum.mul(x[1], y[11]);
1541 accum.mul(x[2], y[10]);
1542 accum.mul(x[3], y[9]);
1543 accum.mul(x[4], y[8]);
1544 accum.mul(x[5], y[7]);
1545 accum.mul(x[6], y[6]);
1546 accum.mul(x[7], y[5]);
1547 accum.mul(x[8], y[4]);
1548 accum.mul(x[9], y[3]);
1549 accum.mul(x[10], y[2]);
1550 accum.mul(x[11], y[1]);
1551 accum.mul(x[12], y[0]);
1552 z[12] = accum.extract();
1553 accum.mul(x[0], y[13]);
1554 accum.mul(x[1], y[12]);
1555 accum.mul(x[2], y[11]);
1556 accum.mul(x[3], y[10]);
1557 accum.mul(x[4], y[9]);
1558 accum.mul(x[5], y[8]);
1559 accum.mul(x[6], y[7]);
1560 accum.mul(x[7], y[6]);
1561 accum.mul(x[8], y[5]);
1562 accum.mul(x[9], y[4]);
1563 accum.mul(x[10], y[3]);
1564 accum.mul(x[11], y[2]);
1565 accum.mul(x[12], y[1]);
1566 accum.mul(x[13], y[0]);
1567 z[13] = accum.extract();
1568 accum.mul(x[0], y[14]);
1569 accum.mul(x[1], y[13]);
1570 accum.mul(x[2], y[12]);
1571 accum.mul(x[3], y[11]);
1572 accum.mul(x[4], y[10]);
1573 accum.mul(x[5], y[9]);
1574 accum.mul(x[6], y[8]);
1575 accum.mul(x[7], y[7]);
1576 accum.mul(x[8], y[6]);
1577 accum.mul(x[9], y[5]);
1578 accum.mul(x[10], y[4]);
1579 accum.mul(x[11], y[3]);
1580 accum.mul(x[12], y[2]);
1581 accum.mul(x[13], y[1]);
1582 accum.mul(x[14], y[0]);
1583 z[14] = accum.extract();
1584 accum.mul(x[0], y[15]);
1585 accum.mul(x[1], y[14]);
1586 accum.mul(x[2], y[13]);
1587 accum.mul(x[3], y[12]);
1588 accum.mul(x[4], y[11]);
1589 accum.mul(x[5], y[10]);
1590 accum.mul(x[6], y[9]);
1591 accum.mul(x[7], y[8]);
1592 accum.mul(x[8], y[7]);
1593 accum.mul(x[9], y[6]);
1594 accum.mul(x[10], y[5]);
1595 accum.mul(x[11], y[4]);
1596 accum.mul(x[12], y[3]);
1597 accum.mul(x[13], y[2]);
1598 accum.mul(x[14], y[1]);
1599 accum.mul(x[15], y[0]);
1600 z[15] = accum.extract();
1601 accum.mul(x[0], y[16]);
1602 accum.mul(x[1], y[15]);
1603 accum.mul(x[2], y[14]);
1604 accum.mul(x[3], y[13]);
1605 accum.mul(x[4], y[12]);
1606 accum.mul(x[5], y[11]);
1607 accum.mul(x[6], y[10]);
1608 accum.mul(x[7], y[9]);
1609 accum.mul(x[8], y[8]);
1610 accum.mul(x[9], y[7]);
1611 accum.mul(x[10], y[6]);
1612 accum.mul(x[11], y[5]);
1613 accum.mul(x[12], y[4]);
1614 accum.mul(x[13], y[3]);
1615 accum.mul(x[14], y[2]);
1616 accum.mul(x[15], y[1]);
1617 accum.mul(x[16], y[0]);
1618 z[16] = accum.extract();
1619 accum.mul(x[0], y[17]);
1620 accum.mul(x[1], y[16]);
1621 accum.mul(x[2], y[15]);
1622 accum.mul(x[3], y[14]);
1623 accum.mul(x[4], y[13]);
1624 accum.mul(x[5], y[12]);
1625 accum.mul(x[6], y[11]);
1626 accum.mul(x[7], y[10]);
1627 accum.mul(x[8], y[9]);
1628 accum.mul(x[9], y[8]);
1629 accum.mul(x[10], y[7]);
1630 accum.mul(x[11], y[6]);
1631 accum.mul(x[12], y[5]);
1632 accum.mul(x[13], y[4]);
1633 accum.mul(x[14], y[3]);
1634 accum.mul(x[15], y[2]);
1635 accum.mul(x[16], y[1]);
1636 accum.mul(x[17], y[0]);
1637 z[17] = accum.extract();
1638 accum.mul(x[0], y[18]);
1639 accum.mul(x[1], y[17]);
1640 accum.mul(x[2], y[16]);
1641 accum.mul(x[3], y[15]);
1642 accum.mul(x[4], y[14]);
1643 accum.mul(x[5], y[13]);
1644 accum.mul(x[6], y[12]);
1645 accum.mul(x[7], y[11]);
1646 accum.mul(x[8], y[10]);
1647 accum.mul(x[9], y[9]);
1648 accum.mul(x[10], y[8]);
1649 accum.mul(x[11], y[7]);
1650 accum.mul(x[12], y[6]);
1651 accum.mul(x[13], y[5]);
1652 accum.mul(x[14], y[4]);
1653 accum.mul(x[15], y[3]);
1654 accum.mul(x[16], y[2]);
1655 accum.mul(x[17], y[1]);
1656 accum.mul(x[18], y[0]);
1657 z[18] = accum.extract();
1658 accum.mul(x[0], y[19]);
1659 accum.mul(x[1], y[18]);
1660 accum.mul(x[2], y[17]);
1661 accum.mul(x[3], y[16]);
1662 accum.mul(x[4], y[15]);
1663 accum.mul(x[5], y[14]);
1664 accum.mul(x[6], y[13]);
1665 accum.mul(x[7], y[12]);
1666 accum.mul(x[8], y[11]);
1667 accum.mul(x[9], y[10]);
1668 accum.mul(x[10], y[9]);
1669 accum.mul(x[11], y[8]);
1670 accum.mul(x[12], y[7]);
1671 accum.mul(x[13], y[6]);
1672 accum.mul(x[14], y[5]);
1673 accum.mul(x[15], y[4]);
1674 accum.mul(x[16], y[3]);
1675 accum.mul(x[17], y[2]);
1676 accum.mul(x[18], y[1]);
1677 accum.mul(x[19], y[0]);
1678 z[19] = accum.extract();
1679 accum.mul(x[0], y[20]);
1680 accum.mul(x[1], y[19]);
1681 accum.mul(x[2], y[18]);
1682 accum.mul(x[3], y[17]);
1683 accum.mul(x[4], y[16]);
1684 accum.mul(x[5], y[15]);
1685 accum.mul(x[6], y[14]);
1686 accum.mul(x[7], y[13]);
1687 accum.mul(x[8], y[12]);
1688 accum.mul(x[9], y[11]);
1689 accum.mul(x[10], y[10]);
1690 accum.mul(x[11], y[9]);
1691 accum.mul(x[12], y[8]);
1692 accum.mul(x[13], y[7]);
1693 accum.mul(x[14], y[6]);
1694 accum.mul(x[15], y[5]);
1695 accum.mul(x[16], y[4]);
1696 accum.mul(x[17], y[3]);
1697 accum.mul(x[18], y[2]);
1698 accum.mul(x[19], y[1]);
1699 accum.mul(x[20], y[0]);
1700 z[20] = accum.extract();
1701 accum.mul(x[0], y[21]);
1702 accum.mul(x[1], y[20]);
1703 accum.mul(x[2], y[19]);
1704 accum.mul(x[3], y[18]);
1705 accum.mul(x[4], y[17]);
1706 accum.mul(x[5], y[16]);
1707 accum.mul(x[6], y[15]);
1708 accum.mul(x[7], y[14]);
1709 accum.mul(x[8], y[13]);
1710 accum.mul(x[9], y[12]);
1711 accum.mul(x[10], y[11]);
1712 accum.mul(x[11], y[10]);
1713 accum.mul(x[12], y[9]);
1714 accum.mul(x[13], y[8]);
1715 accum.mul(x[14], y[7]);
1716 accum.mul(x[15], y[6]);
1717 accum.mul(x[16], y[5]);
1718 accum.mul(x[17], y[4]);
1719 accum.mul(x[18], y[3]);
1720 accum.mul(x[19], y[2]);
1721 accum.mul(x[20], y[1]);
1722 accum.mul(x[21], y[0]);
1723 z[21] = accum.extract();
1724 accum.mul(x[0], y[22]);
1725 accum.mul(x[1], y[21]);
1726 accum.mul(x[2], y[20]);
1727 accum.mul(x[3], y[19]);
1728 accum.mul(x[4], y[18]);
1729 accum.mul(x[5], y[17]);
1730 accum.mul(x[6], y[16]);
1731 accum.mul(x[7], y[15]);
1732 accum.mul(x[8], y[14]);
1733 accum.mul(x[9], y[13]);
1734 accum.mul(x[10], y[12]);
1735 accum.mul(x[11], y[11]);
1736 accum.mul(x[12], y[10]);
1737 accum.mul(x[13], y[9]);
1738 accum.mul(x[14], y[8]);
1739 accum.mul(x[15], y[7]);
1740 accum.mul(x[16], y[6]);
1741 accum.mul(x[17], y[5]);
1742 accum.mul(x[18], y[4]);
1743 accum.mul(x[19], y[3]);
1744 accum.mul(x[20], y[2]);
1745 accum.mul(x[21], y[1]);
1746 accum.mul(x[22], y[0]);
1747 z[22] = accum.extract();
1748 accum.mul(x[0], y[23]);
1749 accum.mul(x[1], y[22]);
1750 accum.mul(x[2], y[21]);
1751 accum.mul(x[3], y[20]);
1752 accum.mul(x[4], y[19]);
1753 accum.mul(x[5], y[18]);
1754 accum.mul(x[6], y[17]);
1755 accum.mul(x[7], y[16]);
1756 accum.mul(x[8], y[15]);
1757 accum.mul(x[9], y[14]);
1758 accum.mul(x[10], y[13]);
1759 accum.mul(x[11], y[12]);
1760 accum.mul(x[12], y[11]);
1761 accum.mul(x[13], y[10]);
1762 accum.mul(x[14], y[9]);
1763 accum.mul(x[15], y[8]);
1764 accum.mul(x[16], y[7]);
1765 accum.mul(x[17], y[6]);
1766 accum.mul(x[18], y[5]);
1767 accum.mul(x[19], y[4]);
1768 accum.mul(x[20], y[3]);
1769 accum.mul(x[21], y[2]);
1770 accum.mul(x[22], y[1]);
1771 accum.mul(x[23], y[0]);
1772 z[23] = accum.extract();
1773 accum.mul(x[1], y[23]);
1774 accum.mul(x[2], y[22]);
1775 accum.mul(x[3], y[21]);
1776 accum.mul(x[4], y[20]);
1777 accum.mul(x[5], y[19]);
1778 accum.mul(x[6], y[18]);
1779 accum.mul(x[7], y[17]);
1780 accum.mul(x[8], y[16]);
1781 accum.mul(x[9], y[15]);
1782 accum.mul(x[10], y[14]);
1783 accum.mul(x[11], y[13]);
1784 accum.mul(x[12], y[12]);
1785 accum.mul(x[13], y[11]);
1786 accum.mul(x[14], y[10]);
1787 accum.mul(x[15], y[9]);
1788 accum.mul(x[16], y[8]);
1789 accum.mul(x[17], y[7]);
1790 accum.mul(x[18], y[6]);
1791 accum.mul(x[19], y[5]);
1792 accum.mul(x[20], y[4]);
1793 accum.mul(x[21], y[3]);
1794 accum.mul(x[22], y[2]);
1795 accum.mul(x[23], y[1]);
1796 z[24] = accum.extract();
1797 accum.mul(x[2], y[23]);
1798 accum.mul(x[3], y[22]);
1799 accum.mul(x[4], y[21]);
1800 accum.mul(x[5], y[20]);
1801 accum.mul(x[6], y[19]);
1802 accum.mul(x[7], y[18]);
1803 accum.mul(x[8], y[17]);
1804 accum.mul(x[9], y[16]);
1805 accum.mul(x[10], y[15]);
1806 accum.mul(x[11], y[14]);
1807 accum.mul(x[12], y[13]);
1808 accum.mul(x[13], y[12]);
1809 accum.mul(x[14], y[11]);
1810 accum.mul(x[15], y[10]);
1811 accum.mul(x[16], y[9]);
1812 accum.mul(x[17], y[8]);
1813 accum.mul(x[18], y[7]);
1814 accum.mul(x[19], y[6]);
1815 accum.mul(x[20], y[5]);
1816 accum.mul(x[21], y[4]);
1817 accum.mul(x[22], y[3]);
1818 accum.mul(x[23], y[2]);
1819 z[25] = accum.extract();
1820 accum.mul(x[3], y[23]);
1821 accum.mul(x[4], y[22]);
1822 accum.mul(x[5], y[21]);
1823 accum.mul(x[6], y[20]);
1824 accum.mul(x[7], y[19]);
1825 accum.mul(x[8], y[18]);
1826 accum.mul(x[9], y[17]);
1827 accum.mul(x[10], y[16]);
1828 accum.mul(x[11], y[15]);
1829 accum.mul(x[12], y[14]);
1830 accum.mul(x[13], y[13]);
1831 accum.mul(x[14], y[12]);
1832 accum.mul(x[15], y[11]);
1833 accum.mul(x[16], y[10]);
1834 accum.mul(x[17], y[9]);
1835 accum.mul(x[18], y[8]);
1836 accum.mul(x[19], y[7]);
1837 accum.mul(x[20], y[6]);
1838 accum.mul(x[21], y[5]);
1839 accum.mul(x[22], y[4]);
1840 accum.mul(x[23], y[3]);
1841 z[26] = accum.extract();
1842 accum.mul(x[4], y[23]);
1843 accum.mul(x[5], y[22]);
1844 accum.mul(x[6], y[21]);
1845 accum.mul(x[7], y[20]);
1846 accum.mul(x[8], y[19]);
1847 accum.mul(x[9], y[18]);
1848 accum.mul(x[10], y[17]);
1849 accum.mul(x[11], y[16]);
1850 accum.mul(x[12], y[15]);
1851 accum.mul(x[13], y[14]);
1852 accum.mul(x[14], y[13]);
1853 accum.mul(x[15], y[12]);
1854 accum.mul(x[16], y[11]);
1855 accum.mul(x[17], y[10]);
1856 accum.mul(x[18], y[9]);
1857 accum.mul(x[19], y[8]);
1858 accum.mul(x[20], y[7]);
1859 accum.mul(x[21], y[6]);
1860 accum.mul(x[22], y[5]);
1861 accum.mul(x[23], y[4]);
1862 z[27] = accum.extract();
1863 accum.mul(x[5], y[23]);
1864 accum.mul(x[6], y[22]);
1865 accum.mul(x[7], y[21]);
1866 accum.mul(x[8], y[20]);
1867 accum.mul(x[9], y[19]);
1868 accum.mul(x[10], y[18]);
1869 accum.mul(x[11], y[17]);
1870 accum.mul(x[12], y[16]);
1871 accum.mul(x[13], y[15]);
1872 accum.mul(x[14], y[14]);
1873 accum.mul(x[15], y[13]);
1874 accum.mul(x[16], y[12]);
1875 accum.mul(x[17], y[11]);
1876 accum.mul(x[18], y[10]);
1877 accum.mul(x[19], y[9]);
1878 accum.mul(x[20], y[8]);
1879 accum.mul(x[21], y[7]);
1880 accum.mul(x[22], y[6]);
1881 accum.mul(x[23], y[5]);
1882 z[28] = accum.extract();
1883 accum.mul(x[6], y[23]);
1884 accum.mul(x[7], y[22]);
1885 accum.mul(x[8], y[21]);
1886 accum.mul(x[9], y[20]);
1887 accum.mul(x[10], y[19]);
1888 accum.mul(x[11], y[18]);
1889 accum.mul(x[12], y[17]);
1890 accum.mul(x[13], y[16]);
1891 accum.mul(x[14], y[15]);
1892 accum.mul(x[15], y[14]);
1893 accum.mul(x[16], y[13]);
1894 accum.mul(x[17], y[12]);
1895 accum.mul(x[18], y[11]);
1896 accum.mul(x[19], y[10]);
1897 accum.mul(x[20], y[9]);
1898 accum.mul(x[21], y[8]);
1899 accum.mul(x[22], y[7]);
1900 accum.mul(x[23], y[6]);
1901 z[29] = accum.extract();
1902 accum.mul(x[7], y[23]);
1903 accum.mul(x[8], y[22]);
1904 accum.mul(x[9], y[21]);
1905 accum.mul(x[10], y[20]);
1906 accum.mul(x[11], y[19]);
1907 accum.mul(x[12], y[18]);
1908 accum.mul(x[13], y[17]);
1909 accum.mul(x[14], y[16]);
1910 accum.mul(x[15], y[15]);
1911 accum.mul(x[16], y[14]);
1912 accum.mul(x[17], y[13]);
1913 accum.mul(x[18], y[12]);
1914 accum.mul(x[19], y[11]);
1915 accum.mul(x[20], y[10]);
1916 accum.mul(x[21], y[9]);
1917 accum.mul(x[22], y[8]);
1918 accum.mul(x[23], y[7]);
1919 z[30] = accum.extract();
1920 accum.mul(x[8], y[23]);
1921 accum.mul(x[9], y[22]);
1922 accum.mul(x[10], y[21]);
1923 accum.mul(x[11], y[20]);
1924 accum.mul(x[12], y[19]);
1925 accum.mul(x[13], y[18]);
1926 accum.mul(x[14], y[17]);
1927 accum.mul(x[15], y[16]);
1928 accum.mul(x[16], y[15]);
1929 accum.mul(x[17], y[14]);
1930 accum.mul(x[18], y[13]);
1931 accum.mul(x[19], y[12]);
1932 accum.mul(x[20], y[11]);
1933 accum.mul(x[21], y[10]);
1934 accum.mul(x[22], y[9]);
1935 accum.mul(x[23], y[8]);
1936 z[31] = accum.extract();
1937 accum.mul(x[9], y[23]);
1938 accum.mul(x[10], y[22]);
1939 accum.mul(x[11], y[21]);
1940 accum.mul(x[12], y[20]);
1941 accum.mul(x[13], y[19]);
1942 accum.mul(x[14], y[18]);
1943 accum.mul(x[15], y[17]);
1944 accum.mul(x[16], y[16]);
1945 accum.mul(x[17], y[15]);
1946 accum.mul(x[18], y[14]);
1947 accum.mul(x[19], y[13]);
1948 accum.mul(x[20], y[12]);
1949 accum.mul(x[21], y[11]);
1950 accum.mul(x[22], y[10]);
1951 accum.mul(x[23], y[9]);
1952 z[32] = accum.extract();
1953 accum.mul(x[10], y[23]);
1954 accum.mul(x[11], y[22]);
1955 accum.mul(x[12], y[21]);
1956 accum.mul(x[13], y[20]);
1957 accum.mul(x[14], y[19]);
1958 accum.mul(x[15], y[18]);
1959 accum.mul(x[16], y[17]);
1960 accum.mul(x[17], y[16]);
1961 accum.mul(x[18], y[15]);
1962 accum.mul(x[19], y[14]);
1963 accum.mul(x[20], y[13]);
1964 accum.mul(x[21], y[12]);
1965 accum.mul(x[22], y[11]);
1966 accum.mul(x[23], y[10]);
1967 z[33] = accum.extract();
1968 accum.mul(x[11], y[23]);
1969 accum.mul(x[12], y[22]);
1970 accum.mul(x[13], y[21]);
1971 accum.mul(x[14], y[20]);
1972 accum.mul(x[15], y[19]);
1973 accum.mul(x[16], y[18]);
1974 accum.mul(x[17], y[17]);
1975 accum.mul(x[18], y[16]);
1976 accum.mul(x[19], y[15]);
1977 accum.mul(x[20], y[14]);
1978 accum.mul(x[21], y[13]);
1979 accum.mul(x[22], y[12]);
1980 accum.mul(x[23], y[11]);
1981 z[34] = accum.extract();
1982 accum.mul(x[12], y[23]);
1983 accum.mul(x[13], y[22]);
1984 accum.mul(x[14], y[21]);
1985 accum.mul(x[15], y[20]);
1986 accum.mul(x[16], y[19]);
1987 accum.mul(x[17], y[18]);
1988 accum.mul(x[18], y[17]);
1989 accum.mul(x[19], y[16]);
1990 accum.mul(x[20], y[15]);
1991 accum.mul(x[21], y[14]);
1992 accum.mul(x[22], y[13]);
1993 accum.mul(x[23], y[12]);
1994 z[35] = accum.extract();
1995 accum.mul(x[13], y[23]);
1996 accum.mul(x[14], y[22]);
1997 accum.mul(x[15], y[21]);
1998 accum.mul(x[16], y[20]);
1999 accum.mul(x[17], y[19]);
2000 accum.mul(x[18], y[18]);
2001 accum.mul(x[19], y[17]);
2002 accum.mul(x[20], y[16]);
2003 accum.mul(x[21], y[15]);
2004 accum.mul(x[22], y[14]);
2005 accum.mul(x[23], y[13]);
2006 z[36] = accum.extract();
2007 accum.mul(x[14], y[23]);
2008 accum.mul(x[15], y[22]);
2009 accum.mul(x[16], y[21]);
2010 accum.mul(x[17], y[20]);
2011 accum.mul(x[18], y[19]);
2012 accum.mul(x[19], y[18]);
2013 accum.mul(x[20], y[17]);
2014 accum.mul(x[21], y[16]);
2015 accum.mul(x[22], y[15]);
2016 accum.mul(x[23], y[14]);
2017 z[37] = accum.extract();
2018 accum.mul(x[15], y[23]);
2019 accum.mul(x[16], y[22]);
2020 accum.mul(x[17], y[21]);
2021 accum.mul(x[18], y[20]);
2022 accum.mul(x[19], y[19]);
2023 accum.mul(x[20], y[18]);
2024 accum.mul(x[21], y[17]);
2025 accum.mul(x[22], y[16]);
2026 accum.mul(x[23], y[15]);
2027 z[38] = accum.extract();
2028 accum.mul(x[16], y[23]);
2029 accum.mul(x[17], y[22]);
2030 accum.mul(x[18], y[21]);
2031 accum.mul(x[19], y[20]);
2032 accum.mul(x[20], y[19]);
2033 accum.mul(x[21], y[18]);
2034 accum.mul(x[22], y[17]);
2035 accum.mul(x[23], y[16]);
2036 z[39] = accum.extract();
2037 accum.mul(x[17], y[23]);
2038 accum.mul(x[18], y[22]);
2039 accum.mul(x[19], y[21]);
2040 accum.mul(x[20], y[20]);
2041 accum.mul(x[21], y[19]);
2042 accum.mul(x[22], y[18]);
2043 accum.mul(x[23], y[17]);
2044 z[40] = accum.extract();
2045 accum.mul(x[18], y[23]);
2046 accum.mul(x[19], y[22]);
2047 accum.mul(x[20], y[21]);
2048 accum.mul(x[21], y[20]);
2049 accum.mul(x[22], y[19]);
2050 accum.mul(x[23], y[18]);
2051 z[41] = accum.extract();
2052 accum.mul(x[19], y[23]);
2053 accum.mul(x[20], y[22]);
2054 accum.mul(x[21], y[21]);
2055 accum.mul(x[22], y[20]);
2056 accum.mul(x[23], y[19]);
2057 z[42] = accum.extract();
2058 accum.mul(x[20], y[23]);
2059 accum.mul(x[21], y[22]);
2060 accum.mul(x[22], y[21]);
2061 accum.mul(x[23], y[20]);
2062 z[43] = accum.extract();
2063 accum.mul(x[21], y[23]);
2064 accum.mul(x[22], y[22]);
2065 accum.mul(x[23], y[21]);
2066 z[44] = accum.extract();
2067 accum.mul(x[22], y[23]);
2068 accum.mul(x[23], y[22]);
2069 z[45] = accum.extract();
2070 accum.mul(x[23], y[23]);
2071 z[46] = accum.extract();
2072 z[47] = accum.extract();
2073}
References Botan::word3< W >::extract(), and Botan::word3< W >::mul().
Referenced by bigint_mul().
◆ bigint_comba_mul4()
| BOTAN_FUZZER_API void Botan::bigint_comba_mul4 | ( | word | z[8], |
| const word | x[4], | ||
| const word | y[4] ) |
Definition at line 42 of file mp_comba.cpp.
42 {
43 word3<word> accum;
44
45 accum.mul(x[0], y[0]);
46 z[0] = accum.extract();
47 accum.mul(x[0], y[1]);
48 accum.mul(x[1], y[0]);
49 z[1] = accum.extract();
50 accum.mul(x[0], y[2]);
51 accum.mul(x[1], y[1]);
52 accum.mul(x[2], y[0]);
53 z[2] = accum.extract();
54 accum.mul(x[0], y[3]);
55 accum.mul(x[1], y[2]);
56 accum.mul(x[2], y[1]);
57 accum.mul(x[3], y[0]);
58 z[3] = accum.extract();
59 accum.mul(x[1], y[3]);
60 accum.mul(x[2], y[2]);
61 accum.mul(x[3], y[1]);
62 z[4] = accum.extract();
63 accum.mul(x[2], y[3]);
64 accum.mul(x[3], y[2]);
65 z[5] = accum.extract();
66 accum.mul(x[3], y[3]);
67 z[6] = accum.extract();
68 z[7] = accum.extract();
69}
References Botan::word3< W >::extract(), and Botan::word3< W >::mul().
Referenced by bigint_mul(), and comba_mul().
◆ bigint_comba_mul6()
| BOTAN_FUZZER_API void Botan::bigint_comba_mul6 | ( | word | z[12], |
| const word | x[6], | ||
| const word | y[6] ) |
Definition at line 115 of file mp_comba.cpp.
115 {
116 word3<word> accum;
117
118 accum.mul(x[0], y[0]);
119 z[0] = accum.extract();
120 accum.mul(x[0], y[1]);
121 accum.mul(x[1], y[0]);
122 z[1] = accum.extract();
123 accum.mul(x[0], y[2]);
124 accum.mul(x[1], y[1]);
125 accum.mul(x[2], y[0]);
126 z[2] = accum.extract();
127 accum.mul(x[0], y[3]);
128 accum.mul(x[1], y[2]);
129 accum.mul(x[2], y[1]);
130 accum.mul(x[3], y[0]);
131 z[3] = accum.extract();
132 accum.mul(x[0], y[4]);
133 accum.mul(x[1], y[3]);
134 accum.mul(x[2], y[2]);
135 accum.mul(x[3], y[1]);
136 accum.mul(x[4], y[0]);
137 z[4] = accum.extract();
138 accum.mul(x[0], y[5]);
139 accum.mul(x[1], y[4]);
140 accum.mul(x[2], y[3]);
141 accum.mul(x[3], y[2]);
142 accum.mul(x[4], y[1]);
143 accum.mul(x[5], y[0]);
144 z[5] = accum.extract();
145 accum.mul(x[1], y[5]);
146 accum.mul(x[2], y[4]);
147 accum.mul(x[3], y[3]);
148 accum.mul(x[4], y[2]);
149 accum.mul(x[5], y[1]);
150 z[6] = accum.extract();
151 accum.mul(x[2], y[5]);
152 accum.mul(x[3], y[4]);
153 accum.mul(x[4], y[3]);
154 accum.mul(x[5], y[2]);
155 z[7] = accum.extract();
156 accum.mul(x[3], y[5]);
157 accum.mul(x[4], y[4]);
158 accum.mul(x[5], y[3]);
159 z[8] = accum.extract();
160 accum.mul(x[4], y[5]);
161 accum.mul(x[5], y[4]);
162 z[9] = accum.extract();
163 accum.mul(x[5], y[5]);
164 z[10] = accum.extract();
165 z[11] = accum.extract();
166}
References Botan::word3< W >::extract(), and Botan::word3< W >::mul().
Referenced by bigint_mul(), and comba_mul().
◆ bigint_comba_mul7()
| BOTAN_FUZZER_API void Botan::bigint_comba_mul7 | ( | word | z[14], |
| const word | x[7], | ||
| const word | y[7] ) |
Definition at line 221 of file mp_comba.cpp.
221 {
222 word3<word> accum;
223
224 accum.mul(x[0], y[0]);
225 z[0] = accum.extract();
226 accum.mul(x[0], y[1]);
227 accum.mul(x[1], y[0]);
228 z[1] = accum.extract();
229 accum.mul(x[0], y[2]);
230 accum.mul(x[1], y[1]);
231 accum.mul(x[2], y[0]);
232 z[2] = accum.extract();
233 accum.mul(x[0], y[3]);
234 accum.mul(x[1], y[2]);
235 accum.mul(x[2], y[1]);
236 accum.mul(x[3], y[0]);
237 z[3] = accum.extract();
238 accum.mul(x[0], y[4]);
239 accum.mul(x[1], y[3]);
240 accum.mul(x[2], y[2]);
241 accum.mul(x[3], y[1]);
242 accum.mul(x[4], y[0]);
243 z[4] = accum.extract();
244 accum.mul(x[0], y[5]);
245 accum.mul(x[1], y[4]);
246 accum.mul(x[2], y[3]);
247 accum.mul(x[3], y[2]);
248 accum.mul(x[4], y[1]);
249 accum.mul(x[5], y[0]);
250 z[5] = accum.extract();
251 accum.mul(x[0], y[6]);
252 accum.mul(x[1], y[5]);
253 accum.mul(x[2], y[4]);
254 accum.mul(x[3], y[3]);
255 accum.mul(x[4], y[2]);
256 accum.mul(x[5], y[1]);
257 accum.mul(x[6], y[0]);
258 z[6] = accum.extract();
259 accum.mul(x[1], y[6]);
260 accum.mul(x[2], y[5]);
261 accum.mul(x[3], y[4]);
262 accum.mul(x[4], y[3]);
263 accum.mul(x[5], y[2]);
264 accum.mul(x[6], y[1]);
265 z[7] = accum.extract();
266 accum.mul(x[2], y[6]);
267 accum.mul(x[3], y[5]);
268 accum.mul(x[4], y[4]);
269 accum.mul(x[5], y[3]);
270 accum.mul(x[6], y[2]);
271 z[8] = accum.extract();
272 accum.mul(x[3], y[6]);
273 accum.mul(x[4], y[5]);
274 accum.mul(x[5], y[4]);
275 accum.mul(x[6], y[3]);
276 z[9] = accum.extract();
277 accum.mul(x[4], y[6]);
278 accum.mul(x[5], y[5]);
279 accum.mul(x[6], y[4]);
280 z[10] = accum.extract();
281 accum.mul(x[5], y[6]);
282 accum.mul(x[6], y[5]);
283 z[11] = accum.extract();
284 accum.mul(x[6], y[6]);
285 z[12] = accum.extract();
286 z[13] = accum.extract();
287}
References Botan::word3< W >::extract(), and Botan::word3< W >::mul().
Referenced by comba_mul().
◆ bigint_comba_mul8()
| BOTAN_FUZZER_API void Botan::bigint_comba_mul8 | ( | word | z[16], |
| const word | x[8], | ||
| const word | y[8] ) |
Definition at line 352 of file mp_comba.cpp.
352 {
353 word3<word> accum;
354
355 accum.mul(x[0], y[0]);
356 z[0] = accum.extract();
357 accum.mul(x[0], y[1]);
358 accum.mul(x[1], y[0]);
359 z[1] = accum.extract();
360 accum.mul(x[0], y[2]);
361 accum.mul(x[1], y[1]);
362 accum.mul(x[2], y[0]);
363 z[2] = accum.extract();
364 accum.mul(x[0], y[3]);
365 accum.mul(x[1], y[2]);
366 accum.mul(x[2], y[1]);
367 accum.mul(x[3], y[0]);
368 z[3] = accum.extract();
369 accum.mul(x[0], y[4]);
370 accum.mul(x[1], y[3]);
371 accum.mul(x[2], y[2]);
372 accum.mul(x[3], y[1]);
373 accum.mul(x[4], y[0]);
374 z[4] = accum.extract();
375 accum.mul(x[0], y[5]);
376 accum.mul(x[1], y[4]);
377 accum.mul(x[2], y[3]);
378 accum.mul(x[3], y[2]);
379 accum.mul(x[4], y[1]);
380 accum.mul(x[5], y[0]);
381 z[5] = accum.extract();
382 accum.mul(x[0], y[6]);
383 accum.mul(x[1], y[5]);
384 accum.mul(x[2], y[4]);
385 accum.mul(x[3], y[3]);
386 accum.mul(x[4], y[2]);
387 accum.mul(x[5], y[1]);
388 accum.mul(x[6], y[0]);
389 z[6] = accum.extract();
390 accum.mul(x[0], y[7]);
391 accum.mul(x[1], y[6]);
392 accum.mul(x[2], y[5]);
393 accum.mul(x[3], y[4]);
394 accum.mul(x[4], y[3]);
395 accum.mul(x[5], y[2]);
396 accum.mul(x[6], y[1]);
397 accum.mul(x[7], y[0]);
398 z[7] = accum.extract();
399 accum.mul(x[1], y[7]);
400 accum.mul(x[2], y[6]);
401 accum.mul(x[3], y[5]);
402 accum.mul(x[4], y[4]);
403 accum.mul(x[5], y[3]);
404 accum.mul(x[6], y[2]);
405 accum.mul(x[7], y[1]);
406 z[8] = accum.extract();
407 accum.mul(x[2], y[7]);
408 accum.mul(x[3], y[6]);
409 accum.mul(x[4], y[5]);
410 accum.mul(x[5], y[4]);
411 accum.mul(x[6], y[3]);
412 accum.mul(x[7], y[2]);
413 z[9] = accum.extract();
414 accum.mul(x[3], y[7]);
415 accum.mul(x[4], y[6]);
416 accum.mul(x[5], y[5]);
417 accum.mul(x[6], y[4]);
418 accum.mul(x[7], y[3]);
419 z[10] = accum.extract();
420 accum.mul(x[4], y[7]);
421 accum.mul(x[5], y[6]);
422 accum.mul(x[6], y[5]);
423 accum.mul(x[7], y[4]);
424 z[11] = accum.extract();
425 accum.mul(x[5], y[7]);
426 accum.mul(x[6], y[6]);
427 accum.mul(x[7], y[5]);
428 z[12] = accum.extract();
429 accum.mul(x[6], y[7]);
430 accum.mul(x[7], y[6]);
431 z[13] = accum.extract();
432 accum.mul(x[7], y[7]);
433 z[14] = accum.extract();
434 z[15] = accum.extract();
435}
References Botan::word3< W >::extract(), and Botan::word3< W >::mul().
Referenced by bigint_mul(), and comba_mul().
◆ bigint_comba_mul9()
| BOTAN_FUZZER_API void Botan::bigint_comba_mul9 | ( | word | z[18], |
| const word | x[9], | ||
| const word | y[9] ) |
Definition at line 511 of file mp_comba.cpp.
511 {
512 word3<word> accum;
513
514 accum.mul(x[0], y[0]);
515 z[0] = accum.extract();
516 accum.mul(x[0], y[1]);
517 accum.mul(x[1], y[0]);
518 z[1] = accum.extract();
519 accum.mul(x[0], y[2]);
520 accum.mul(x[1], y[1]);
521 accum.mul(x[2], y[0]);
522 z[2] = accum.extract();
523 accum.mul(x[0], y[3]);
524 accum.mul(x[1], y[2]);
525 accum.mul(x[2], y[1]);
526 accum.mul(x[3], y[0]);
527 z[3] = accum.extract();
528 accum.mul(x[0], y[4]);
529 accum.mul(x[1], y[3]);
530 accum.mul(x[2], y[2]);
531 accum.mul(x[3], y[1]);
532 accum.mul(x[4], y[0]);
533 z[4] = accum.extract();
534 accum.mul(x[0], y[5]);
535 accum.mul(x[1], y[4]);
536 accum.mul(x[2], y[3]);
537 accum.mul(x[3], y[2]);
538 accum.mul(x[4], y[1]);
539 accum.mul(x[5], y[0]);
540 z[5] = accum.extract();
541 accum.mul(x[0], y[6]);
542 accum.mul(x[1], y[5]);
543 accum.mul(x[2], y[4]);
544 accum.mul(x[3], y[3]);
545 accum.mul(x[4], y[2]);
546 accum.mul(x[5], y[1]);
547 accum.mul(x[6], y[0]);
548 z[6] = accum.extract();
549 accum.mul(x[0], y[7]);
550 accum.mul(x[1], y[6]);
551 accum.mul(x[2], y[5]);
552 accum.mul(x[3], y[4]);
553 accum.mul(x[4], y[3]);
554 accum.mul(x[5], y[2]);
555 accum.mul(x[6], y[1]);
556 accum.mul(x[7], y[0]);
557 z[7] = accum.extract();
558 accum.mul(x[0], y[8]);
559 accum.mul(x[1], y[7]);
560 accum.mul(x[2], y[6]);
561 accum.mul(x[3], y[5]);
562 accum.mul(x[4], y[4]);
563 accum.mul(x[5], y[3]);
564 accum.mul(x[6], y[2]);
565 accum.mul(x[7], y[1]);
566 accum.mul(x[8], y[0]);
567 z[8] = accum.extract();
568 accum.mul(x[1], y[8]);
569 accum.mul(x[2], y[7]);
570 accum.mul(x[3], y[6]);
571 accum.mul(x[4], y[5]);
572 accum.mul(x[5], y[4]);
573 accum.mul(x[6], y[3]);
574 accum.mul(x[7], y[2]);
575 accum.mul(x[8], y[1]);
576 z[9] = accum.extract();
577 accum.mul(x[2], y[8]);
578 accum.mul(x[3], y[7]);
579 accum.mul(x[4], y[6]);
580 accum.mul(x[5], y[5]);
581 accum.mul(x[6], y[4]);
582 accum.mul(x[7], y[3]);
583 accum.mul(x[8], y[2]);
584 z[10] = accum.extract();
585 accum.mul(x[3], y[8]);
586 accum.mul(x[4], y[7]);
587 accum.mul(x[5], y[6]);
588 accum.mul(x[6], y[5]);
589 accum.mul(x[7], y[4]);
590 accum.mul(x[8], y[3]);
591 z[11] = accum.extract();
592 accum.mul(x[4], y[8]);
593 accum.mul(x[5], y[7]);
594 accum.mul(x[6], y[6]);
595 accum.mul(x[7], y[5]);
596 accum.mul(x[8], y[4]);
597 z[12] = accum.extract();
598 accum.mul(x[5], y[8]);
599 accum.mul(x[6], y[7]);
600 accum.mul(x[7], y[6]);
601 accum.mul(x[8], y[5]);
602 z[13] = accum.extract();
603 accum.mul(x[6], y[8]);
604 accum.mul(x[7], y[7]);
605 accum.mul(x[8], y[6]);
606 z[14] = accum.extract();
607 accum.mul(x[7], y[8]);
608 accum.mul(x[8], y[7]);
609 z[15] = accum.extract();
610 accum.mul(x[8], y[8]);
611 z[16] = accum.extract();
612 z[17] = accum.extract();
613}
References Botan::word3< W >::extract(), and Botan::word3< W >::mul().
Referenced by bigint_mul(), and comba_mul().
◆ bigint_comba_sqr16()
| BOTAN_FUZZER_API void Botan::bigint_comba_sqr16 | ( | word | z[32], |
| const word | x[16] ) |
Definition at line 618 of file mp_comba.cpp.
618 {
619 word3<word> accum;
620
621 accum.mul(x[0], x[0]);
622 z[0] = accum.extract();
623 accum.mul_x2(x[0], x[1]);
624 z[1] = accum.extract();
625 accum.mul_x2(x[0], x[2]);
626 accum.mul(x[1], x[1]);
627 z[2] = accum.extract();
628 accum.mul_x2(x[0], x[3]);
629 accum.mul_x2(x[1], x[2]);
630 z[3] = accum.extract();
631 accum.mul_x2(x[0], x[4]);
632 accum.mul_x2(x[1], x[3]);
633 accum.mul(x[2], x[2]);
634 z[4] = accum.extract();
635 accum.mul_x2(x[0], x[5]);
636 accum.mul_x2(x[1], x[4]);
637 accum.mul_x2(x[2], x[3]);
638 z[5] = accum.extract();
639 accum.mul_x2(x[0], x[6]);
640 accum.mul_x2(x[1], x[5]);
641 accum.mul_x2(x[2], x[4]);
642 accum.mul(x[3], x[3]);
643 z[6] = accum.extract();
644 accum.mul_x2(x[0], x[7]);
645 accum.mul_x2(x[1], x[6]);
646 accum.mul_x2(x[2], x[5]);
647 accum.mul_x2(x[3], x[4]);
648 z[7] = accum.extract();
649 accum.mul_x2(x[0], x[8]);
650 accum.mul_x2(x[1], x[7]);
651 accum.mul_x2(x[2], x[6]);
652 accum.mul_x2(x[3], x[5]);
653 accum.mul(x[4], x[4]);
654 z[8] = accum.extract();
655 accum.mul_x2(x[0], x[9]);
656 accum.mul_x2(x[1], x[8]);
657 accum.mul_x2(x[2], x[7]);
658 accum.mul_x2(x[3], x[6]);
659 accum.mul_x2(x[4], x[5]);
660 z[9] = accum.extract();
661 accum.mul_x2(x[0], x[10]);
662 accum.mul_x2(x[1], x[9]);
663 accum.mul_x2(x[2], x[8]);
664 accum.mul_x2(x[3], x[7]);
665 accum.mul_x2(x[4], x[6]);
666 accum.mul(x[5], x[5]);
667 z[10] = accum.extract();
668 accum.mul_x2(x[0], x[11]);
669 accum.mul_x2(x[1], x[10]);
670 accum.mul_x2(x[2], x[9]);
671 accum.mul_x2(x[3], x[8]);
672 accum.mul_x2(x[4], x[7]);
673 accum.mul_x2(x[5], x[6]);
674 z[11] = accum.extract();
675 accum.mul_x2(x[0], x[12]);
676 accum.mul_x2(x[1], x[11]);
677 accum.mul_x2(x[2], x[10]);
678 accum.mul_x2(x[3], x[9]);
679 accum.mul_x2(x[4], x[8]);
680 accum.mul_x2(x[5], x[7]);
681 accum.mul(x[6], x[6]);
682 z[12] = accum.extract();
683 accum.mul_x2(x[0], x[13]);
684 accum.mul_x2(x[1], x[12]);
685 accum.mul_x2(x[2], x[11]);
686 accum.mul_x2(x[3], x[10]);
687 accum.mul_x2(x[4], x[9]);
688 accum.mul_x2(x[5], x[8]);
689 accum.mul_x2(x[6], x[7]);
690 z[13] = accum.extract();
691 accum.mul_x2(x[0], x[14]);
692 accum.mul_x2(x[1], x[13]);
693 accum.mul_x2(x[2], x[12]);
694 accum.mul_x2(x[3], x[11]);
695 accum.mul_x2(x[4], x[10]);
696 accum.mul_x2(x[5], x[9]);
697 accum.mul_x2(x[6], x[8]);
698 accum.mul(x[7], x[7]);
699 z[14] = accum.extract();
700 accum.mul_x2(x[0], x[15]);
701 accum.mul_x2(x[1], x[14]);
702 accum.mul_x2(x[2], x[13]);
703 accum.mul_x2(x[3], x[12]);
704 accum.mul_x2(x[4], x[11]);
705 accum.mul_x2(x[5], x[10]);
706 accum.mul_x2(x[6], x[9]);
707 accum.mul_x2(x[7], x[8]);
708 z[15] = accum.extract();
709 accum.mul_x2(x[1], x[15]);
710 accum.mul_x2(x[2], x[14]);
711 accum.mul_x2(x[3], x[13]);
712 accum.mul_x2(x[4], x[12]);
713 accum.mul_x2(x[5], x[11]);
714 accum.mul_x2(x[6], x[10]);
715 accum.mul_x2(x[7], x[9]);
716 accum.mul(x[8], x[8]);
717 z[16] = accum.extract();
718 accum.mul_x2(x[2], x[15]);
719 accum.mul_x2(x[3], x[14]);
720 accum.mul_x2(x[4], x[13]);
721 accum.mul_x2(x[5], x[12]);
722 accum.mul_x2(x[6], x[11]);
723 accum.mul_x2(x[7], x[10]);
724 accum.mul_x2(x[8], x[9]);
725 z[17] = accum.extract();
726 accum.mul_x2(x[3], x[15]);
727 accum.mul_x2(x[4], x[14]);
728 accum.mul_x2(x[5], x[13]);
729 accum.mul_x2(x[6], x[12]);
730 accum.mul_x2(x[7], x[11]);
731 accum.mul_x2(x[8], x[10]);
732 accum.mul(x[9], x[9]);
733 z[18] = accum.extract();
734 accum.mul_x2(x[4], x[15]);
735 accum.mul_x2(x[5], x[14]);
736 accum.mul_x2(x[6], x[13]);
737 accum.mul_x2(x[7], x[12]);
738 accum.mul_x2(x[8], x[11]);
739 accum.mul_x2(x[9], x[10]);
740 z[19] = accum.extract();
741 accum.mul_x2(x[5], x[15]);
742 accum.mul_x2(x[6], x[14]);
743 accum.mul_x2(x[7], x[13]);
744 accum.mul_x2(x[8], x[12]);
745 accum.mul_x2(x[9], x[11]);
746 accum.mul(x[10], x[10]);
747 z[20] = accum.extract();
748 accum.mul_x2(x[6], x[15]);
749 accum.mul_x2(x[7], x[14]);
750 accum.mul_x2(x[8], x[13]);
751 accum.mul_x2(x[9], x[12]);
752 accum.mul_x2(x[10], x[11]);
753 z[21] = accum.extract();
754 accum.mul_x2(x[7], x[15]);
755 accum.mul_x2(x[8], x[14]);
756 accum.mul_x2(x[9], x[13]);
757 accum.mul_x2(x[10], x[12]);
758 accum.mul(x[11], x[11]);
759 z[22] = accum.extract();
760 accum.mul_x2(x[8], x[15]);
761 accum.mul_x2(x[9], x[14]);
762 accum.mul_x2(x[10], x[13]);
763 accum.mul_x2(x[11], x[12]);
764 z[23] = accum.extract();
765 accum.mul_x2(x[9], x[15]);
766 accum.mul_x2(x[10], x[14]);
767 accum.mul_x2(x[11], x[13]);
768 accum.mul(x[12], x[12]);
769 z[24] = accum.extract();
770 accum.mul_x2(x[10], x[15]);
771 accum.mul_x2(x[11], x[14]);
772 accum.mul_x2(x[12], x[13]);
773 z[25] = accum.extract();
774 accum.mul_x2(x[11], x[15]);
775 accum.mul_x2(x[12], x[14]);
776 accum.mul(x[13], x[13]);
777 z[26] = accum.extract();
778 accum.mul_x2(x[12], x[15]);
779 accum.mul_x2(x[13], x[14]);
780 z[27] = accum.extract();
781 accum.mul_x2(x[13], x[15]);
782 accum.mul(x[14], x[14]);
783 z[28] = accum.extract();
784 accum.mul_x2(x[14], x[15]);
785 z[29] = accum.extract();
786 accum.mul(x[15], x[15]);
787 z[30] = accum.extract();
788 z[31] = accum.extract();
789}
References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().
Referenced by bigint_sqr(), and comba_sqr().
◆ bigint_comba_sqr24()
| BOTAN_FUZZER_API void Botan::bigint_comba_sqr24 | ( | word | z[48], |
| const word | x[24] ) |
Definition at line 1090 of file mp_comba.cpp.
1090 {
1091 word3<word> accum;
1092
1093 accum.mul(x[0], x[0]);
1094 z[0] = accum.extract();
1095 accum.mul_x2(x[0], x[1]);
1096 z[1] = accum.extract();
1097 accum.mul_x2(x[0], x[2]);
1098 accum.mul(x[1], x[1]);
1099 z[2] = accum.extract();
1100 accum.mul_x2(x[0], x[3]);
1101 accum.mul_x2(x[1], x[2]);
1102 z[3] = accum.extract();
1103 accum.mul_x2(x[0], x[4]);
1104 accum.mul_x2(x[1], x[3]);
1105 accum.mul(x[2], x[2]);
1106 z[4] = accum.extract();
1107 accum.mul_x2(x[0], x[5]);
1108 accum.mul_x2(x[1], x[4]);
1109 accum.mul_x2(x[2], x[3]);
1110 z[5] = accum.extract();
1111 accum.mul_x2(x[0], x[6]);
1112 accum.mul_x2(x[1], x[5]);
1113 accum.mul_x2(x[2], x[4]);
1114 accum.mul(x[3], x[3]);
1115 z[6] = accum.extract();
1116 accum.mul_x2(x[0], x[7]);
1117 accum.mul_x2(x[1], x[6]);
1118 accum.mul_x2(x[2], x[5]);
1119 accum.mul_x2(x[3], x[4]);
1120 z[7] = accum.extract();
1121 accum.mul_x2(x[0], x[8]);
1122 accum.mul_x2(x[1], x[7]);
1123 accum.mul_x2(x[2], x[6]);
1124 accum.mul_x2(x[3], x[5]);
1125 accum.mul(x[4], x[4]);
1126 z[8] = accum.extract();
1127 accum.mul_x2(x[0], x[9]);
1128 accum.mul_x2(x[1], x[8]);
1129 accum.mul_x2(x[2], x[7]);
1130 accum.mul_x2(x[3], x[6]);
1131 accum.mul_x2(x[4], x[5]);
1132 z[9] = accum.extract();
1133 accum.mul_x2(x[0], x[10]);
1134 accum.mul_x2(x[1], x[9]);
1135 accum.mul_x2(x[2], x[8]);
1136 accum.mul_x2(x[3], x[7]);
1137 accum.mul_x2(x[4], x[6]);
1138 accum.mul(x[5], x[5]);
1139 z[10] = accum.extract();
1140 accum.mul_x2(x[0], x[11]);
1141 accum.mul_x2(x[1], x[10]);
1142 accum.mul_x2(x[2], x[9]);
1143 accum.mul_x2(x[3], x[8]);
1144 accum.mul_x2(x[4], x[7]);
1145 accum.mul_x2(x[5], x[6]);
1146 z[11] = accum.extract();
1147 accum.mul_x2(x[0], x[12]);
1148 accum.mul_x2(x[1], x[11]);
1149 accum.mul_x2(x[2], x[10]);
1150 accum.mul_x2(x[3], x[9]);
1151 accum.mul_x2(x[4], x[8]);
1152 accum.mul_x2(x[5], x[7]);
1153 accum.mul(x[6], x[6]);
1154 z[12] = accum.extract();
1155 accum.mul_x2(x[0], x[13]);
1156 accum.mul_x2(x[1], x[12]);
1157 accum.mul_x2(x[2], x[11]);
1158 accum.mul_x2(x[3], x[10]);
1159 accum.mul_x2(x[4], x[9]);
1160 accum.mul_x2(x[5], x[8]);
1161 accum.mul_x2(x[6], x[7]);
1162 z[13] = accum.extract();
1163 accum.mul_x2(x[0], x[14]);
1164 accum.mul_x2(x[1], x[13]);
1165 accum.mul_x2(x[2], x[12]);
1166 accum.mul_x2(x[3], x[11]);
1167 accum.mul_x2(x[4], x[10]);
1168 accum.mul_x2(x[5], x[9]);
1169 accum.mul_x2(x[6], x[8]);
1170 accum.mul(x[7], x[7]);
1171 z[14] = accum.extract();
1172 accum.mul_x2(x[0], x[15]);
1173 accum.mul_x2(x[1], x[14]);
1174 accum.mul_x2(x[2], x[13]);
1175 accum.mul_x2(x[3], x[12]);
1176 accum.mul_x2(x[4], x[11]);
1177 accum.mul_x2(x[5], x[10]);
1178 accum.mul_x2(x[6], x[9]);
1179 accum.mul_x2(x[7], x[8]);
1180 z[15] = accum.extract();
1181 accum.mul_x2(x[0], x[16]);
1182 accum.mul_x2(x[1], x[15]);
1183 accum.mul_x2(x[2], x[14]);
1184 accum.mul_x2(x[3], x[13]);
1185 accum.mul_x2(x[4], x[12]);
1186 accum.mul_x2(x[5], x[11]);
1187 accum.mul_x2(x[6], x[10]);
1188 accum.mul_x2(x[7], x[9]);
1189 accum.mul(x[8], x[8]);
1190 z[16] = accum.extract();
1191 accum.mul_x2(x[0], x[17]);
1192 accum.mul_x2(x[1], x[16]);
1193 accum.mul_x2(x[2], x[15]);
1194 accum.mul_x2(x[3], x[14]);
1195 accum.mul_x2(x[4], x[13]);
1196 accum.mul_x2(x[5], x[12]);
1197 accum.mul_x2(x[6], x[11]);
1198 accum.mul_x2(x[7], x[10]);
1199 accum.mul_x2(x[8], x[9]);
1200 z[17] = accum.extract();
1201 accum.mul_x2(x[0], x[18]);
1202 accum.mul_x2(x[1], x[17]);
1203 accum.mul_x2(x[2], x[16]);
1204 accum.mul_x2(x[3], x[15]);
1205 accum.mul_x2(x[4], x[14]);
1206 accum.mul_x2(x[5], x[13]);
1207 accum.mul_x2(x[6], x[12]);
1208 accum.mul_x2(x[7], x[11]);
1209 accum.mul_x2(x[8], x[10]);
1210 accum.mul(x[9], x[9]);
1211 z[18] = accum.extract();
1212 accum.mul_x2(x[0], x[19]);
1213 accum.mul_x2(x[1], x[18]);
1214 accum.mul_x2(x[2], x[17]);
1215 accum.mul_x2(x[3], x[16]);
1216 accum.mul_x2(x[4], x[15]);
1217 accum.mul_x2(x[5], x[14]);
1218 accum.mul_x2(x[6], x[13]);
1219 accum.mul_x2(x[7], x[12]);
1220 accum.mul_x2(x[8], x[11]);
1221 accum.mul_x2(x[9], x[10]);
1222 z[19] = accum.extract();
1223 accum.mul_x2(x[0], x[20]);
1224 accum.mul_x2(x[1], x[19]);
1225 accum.mul_x2(x[2], x[18]);
1226 accum.mul_x2(x[3], x[17]);
1227 accum.mul_x2(x[4], x[16]);
1228 accum.mul_x2(x[5], x[15]);
1229 accum.mul_x2(x[6], x[14]);
1230 accum.mul_x2(x[7], x[13]);
1231 accum.mul_x2(x[8], x[12]);
1232 accum.mul_x2(x[9], x[11]);
1233 accum.mul(x[10], x[10]);
1234 z[20] = accum.extract();
1235 accum.mul_x2(x[0], x[21]);
1236 accum.mul_x2(x[1], x[20]);
1237 accum.mul_x2(x[2], x[19]);
1238 accum.mul_x2(x[3], x[18]);
1239 accum.mul_x2(x[4], x[17]);
1240 accum.mul_x2(x[5], x[16]);
1241 accum.mul_x2(x[6], x[15]);
1242 accum.mul_x2(x[7], x[14]);
1243 accum.mul_x2(x[8], x[13]);
1244 accum.mul_x2(x[9], x[12]);
1245 accum.mul_x2(x[10], x[11]);
1246 z[21] = accum.extract();
1247 accum.mul_x2(x[0], x[22]);
1248 accum.mul_x2(x[1], x[21]);
1249 accum.mul_x2(x[2], x[20]);
1250 accum.mul_x2(x[3], x[19]);
1251 accum.mul_x2(x[4], x[18]);
1252 accum.mul_x2(x[5], x[17]);
1253 accum.mul_x2(x[6], x[16]);
1254 accum.mul_x2(x[7], x[15]);
1255 accum.mul_x2(x[8], x[14]);
1256 accum.mul_x2(x[9], x[13]);
1257 accum.mul_x2(x[10], x[12]);
1258 accum.mul(x[11], x[11]);
1259 z[22] = accum.extract();
1260 accum.mul_x2(x[0], x[23]);
1261 accum.mul_x2(x[1], x[22]);
1262 accum.mul_x2(x[2], x[21]);
1263 accum.mul_x2(x[3], x[20]);
1264 accum.mul_x2(x[4], x[19]);
1265 accum.mul_x2(x[5], x[18]);
1266 accum.mul_x2(x[6], x[17]);
1267 accum.mul_x2(x[7], x[16]);
1268 accum.mul_x2(x[8], x[15]);
1269 accum.mul_x2(x[9], x[14]);
1270 accum.mul_x2(x[10], x[13]);
1271 accum.mul_x2(x[11], x[12]);
1272 z[23] = accum.extract();
1273 accum.mul_x2(x[1], x[23]);
1274 accum.mul_x2(x[2], x[22]);
1275 accum.mul_x2(x[3], x[21]);
1276 accum.mul_x2(x[4], x[20]);
1277 accum.mul_x2(x[5], x[19]);
1278 accum.mul_x2(x[6], x[18]);
1279 accum.mul_x2(x[7], x[17]);
1280 accum.mul_x2(x[8], x[16]);
1281 accum.mul_x2(x[9], x[15]);
1282 accum.mul_x2(x[10], x[14]);
1283 accum.mul_x2(x[11], x[13]);
1284 accum.mul(x[12], x[12]);
1285 z[24] = accum.extract();
1286 accum.mul_x2(x[2], x[23]);
1287 accum.mul_x2(x[3], x[22]);
1288 accum.mul_x2(x[4], x[21]);
1289 accum.mul_x2(x[5], x[20]);
1290 accum.mul_x2(x[6], x[19]);
1291 accum.mul_x2(x[7], x[18]);
1292 accum.mul_x2(x[8], x[17]);
1293 accum.mul_x2(x[9], x[16]);
1294 accum.mul_x2(x[10], x[15]);
1295 accum.mul_x2(x[11], x[14]);
1296 accum.mul_x2(x[12], x[13]);
1297 z[25] = accum.extract();
1298 accum.mul_x2(x[3], x[23]);
1299 accum.mul_x2(x[4], x[22]);
1300 accum.mul_x2(x[5], x[21]);
1301 accum.mul_x2(x[6], x[20]);
1302 accum.mul_x2(x[7], x[19]);
1303 accum.mul_x2(x[8], x[18]);
1304 accum.mul_x2(x[9], x[17]);
1305 accum.mul_x2(x[10], x[16]);
1306 accum.mul_x2(x[11], x[15]);
1307 accum.mul_x2(x[12], x[14]);
1308 accum.mul(x[13], x[13]);
1309 z[26] = accum.extract();
1310 accum.mul_x2(x[4], x[23]);
1311 accum.mul_x2(x[5], x[22]);
1312 accum.mul_x2(x[6], x[21]);
1313 accum.mul_x2(x[7], x[20]);
1314 accum.mul_x2(x[8], x[19]);
1315 accum.mul_x2(x[9], x[18]);
1316 accum.mul_x2(x[10], x[17]);
1317 accum.mul_x2(x[11], x[16]);
1318 accum.mul_x2(x[12], x[15]);
1319 accum.mul_x2(x[13], x[14]);
1320 z[27] = accum.extract();
1321 accum.mul_x2(x[5], x[23]);
1322 accum.mul_x2(x[6], x[22]);
1323 accum.mul_x2(x[7], x[21]);
1324 accum.mul_x2(x[8], x[20]);
1325 accum.mul_x2(x[9], x[19]);
1326 accum.mul_x2(x[10], x[18]);
1327 accum.mul_x2(x[11], x[17]);
1328 accum.mul_x2(x[12], x[16]);
1329 accum.mul_x2(x[13], x[15]);
1330 accum.mul(x[14], x[14]);
1331 z[28] = accum.extract();
1332 accum.mul_x2(x[6], x[23]);
1333 accum.mul_x2(x[7], x[22]);
1334 accum.mul_x2(x[8], x[21]);
1335 accum.mul_x2(x[9], x[20]);
1336 accum.mul_x2(x[10], x[19]);
1337 accum.mul_x2(x[11], x[18]);
1338 accum.mul_x2(x[12], x[17]);
1339 accum.mul_x2(x[13], x[16]);
1340 accum.mul_x2(x[14], x[15]);
1341 z[29] = accum.extract();
1342 accum.mul_x2(x[7], x[23]);
1343 accum.mul_x2(x[8], x[22]);
1344 accum.mul_x2(x[9], x[21]);
1345 accum.mul_x2(x[10], x[20]);
1346 accum.mul_x2(x[11], x[19]);
1347 accum.mul_x2(x[12], x[18]);
1348 accum.mul_x2(x[13], x[17]);
1349 accum.mul_x2(x[14], x[16]);
1350 accum.mul(x[15], x[15]);
1351 z[30] = accum.extract();
1352 accum.mul_x2(x[8], x[23]);
1353 accum.mul_x2(x[9], x[22]);
1354 accum.mul_x2(x[10], x[21]);
1355 accum.mul_x2(x[11], x[20]);
1356 accum.mul_x2(x[12], x[19]);
1357 accum.mul_x2(x[13], x[18]);
1358 accum.mul_x2(x[14], x[17]);
1359 accum.mul_x2(x[15], x[16]);
1360 z[31] = accum.extract();
1361 accum.mul_x2(x[9], x[23]);
1362 accum.mul_x2(x[10], x[22]);
1363 accum.mul_x2(x[11], x[21]);
1364 accum.mul_x2(x[12], x[20]);
1365 accum.mul_x2(x[13], x[19]);
1366 accum.mul_x2(x[14], x[18]);
1367 accum.mul_x2(x[15], x[17]);
1368 accum.mul(x[16], x[16]);
1369 z[32] = accum.extract();
1370 accum.mul_x2(x[10], x[23]);
1371 accum.mul_x2(x[11], x[22]);
1372 accum.mul_x2(x[12], x[21]);
1373 accum.mul_x2(x[13], x[20]);
1374 accum.mul_x2(x[14], x[19]);
1375 accum.mul_x2(x[15], x[18]);
1376 accum.mul_x2(x[16], x[17]);
1377 z[33] = accum.extract();
1378 accum.mul_x2(x[11], x[23]);
1379 accum.mul_x2(x[12], x[22]);
1380 accum.mul_x2(x[13], x[21]);
1381 accum.mul_x2(x[14], x[20]);
1382 accum.mul_x2(x[15], x[19]);
1383 accum.mul_x2(x[16], x[18]);
1384 accum.mul(x[17], x[17]);
1385 z[34] = accum.extract();
1386 accum.mul_x2(x[12], x[23]);
1387 accum.mul_x2(x[13], x[22]);
1388 accum.mul_x2(x[14], x[21]);
1389 accum.mul_x2(x[15], x[20]);
1390 accum.mul_x2(x[16], x[19]);
1391 accum.mul_x2(x[17], x[18]);
1392 z[35] = accum.extract();
1393 accum.mul_x2(x[13], x[23]);
1394 accum.mul_x2(x[14], x[22]);
1395 accum.mul_x2(x[15], x[21]);
1396 accum.mul_x2(x[16], x[20]);
1397 accum.mul_x2(x[17], x[19]);
1398 accum.mul(x[18], x[18]);
1399 z[36] = accum.extract();
1400 accum.mul_x2(x[14], x[23]);
1401 accum.mul_x2(x[15], x[22]);
1402 accum.mul_x2(x[16], x[21]);
1403 accum.mul_x2(x[17], x[20]);
1404 accum.mul_x2(x[18], x[19]);
1405 z[37] = accum.extract();
1406 accum.mul_x2(x[15], x[23]);
1407 accum.mul_x2(x[16], x[22]);
1408 accum.mul_x2(x[17], x[21]);
1409 accum.mul_x2(x[18], x[20]);
1410 accum.mul(x[19], x[19]);
1411 z[38] = accum.extract();
1412 accum.mul_x2(x[16], x[23]);
1413 accum.mul_x2(x[17], x[22]);
1414 accum.mul_x2(x[18], x[21]);
1415 accum.mul_x2(x[19], x[20]);
1416 z[39] = accum.extract();
1417 accum.mul_x2(x[17], x[23]);
1418 accum.mul_x2(x[18], x[22]);
1419 accum.mul_x2(x[19], x[21]);
1420 accum.mul(x[20], x[20]);
1421 z[40] = accum.extract();
1422 accum.mul_x2(x[18], x[23]);
1423 accum.mul_x2(x[19], x[22]);
1424 accum.mul_x2(x[20], x[21]);
1425 z[41] = accum.extract();
1426 accum.mul_x2(x[19], x[23]);
1427 accum.mul_x2(x[20], x[22]);
1428 accum.mul(x[21], x[21]);
1429 z[42] = accum.extract();
1430 accum.mul_x2(x[20], x[23]);
1431 accum.mul_x2(x[21], x[22]);
1432 z[43] = accum.extract();
1433 accum.mul_x2(x[21], x[23]);
1434 accum.mul(x[22], x[22]);
1435 z[44] = accum.extract();
1436 accum.mul_x2(x[22], x[23]);
1437 z[45] = accum.extract();
1438 accum.mul(x[23], x[23]);
1439 z[46] = accum.extract();
1440 z[47] = accum.extract();
1441}
References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().
Referenced by bigint_sqr().
◆ bigint_comba_sqr4()
| BOTAN_FUZZER_API void Botan::bigint_comba_sqr4 | ( | word | z[8], |
| const word | x[4] ) |
Definition at line 16 of file mp_comba.cpp.
16 {
17 word3<word> accum;
18
19 accum.mul(x[0], x[0]);
20 z[0] = accum.extract();
21 accum.mul_x2(x[0], x[1]);
22 z[1] = accum.extract();
23 accum.mul_x2(x[0], x[2]);
24 accum.mul(x[1], x[1]);
25 z[2] = accum.extract();
26 accum.mul_x2(x[0], x[3]);
27 accum.mul_x2(x[1], x[2]);
28 z[3] = accum.extract();
29 accum.mul_x2(x[1], x[3]);
30 accum.mul(x[2], x[2]);
31 z[4] = accum.extract();
32 accum.mul_x2(x[2], x[3]);
33 z[5] = accum.extract();
34 accum.mul(x[3], x[3]);
35 z[6] = accum.extract();
36 z[7] = accum.extract();
37}
References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().
Referenced by bigint_sqr(), and comba_sqr().
◆ bigint_comba_sqr6()
| BOTAN_FUZZER_API void Botan::bigint_comba_sqr6 | ( | word | z[12], |
| const word | x[6] ) |
Definition at line 74 of file mp_comba.cpp.
74 {
75 word3<word> accum;
76
77 accum.mul(x[0], x[0]);
78 z[0] = accum.extract();
79 accum.mul_x2(x[0], x[1]);
80 z[1] = accum.extract();
81 accum.mul_x2(x[0], x[2]);
82 accum.mul(x[1], x[1]);
83 z[2] = accum.extract();
84 accum.mul_x2(x[0], x[3]);
85 accum.mul_x2(x[1], x[2]);
86 z[3] = accum.extract();
87 accum.mul_x2(x[0], x[4]);
88 accum.mul_x2(x[1], x[3]);
89 accum.mul(x[2], x[2]);
90 z[4] = accum.extract();
91 accum.mul_x2(x[0], x[5]);
92 accum.mul_x2(x[1], x[4]);
93 accum.mul_x2(x[2], x[3]);
94 z[5] = accum.extract();
95 accum.mul_x2(x[1], x[5]);
96 accum.mul_x2(x[2], x[4]);
97 accum.mul(x[3], x[3]);
98 z[6] = accum.extract();
99 accum.mul_x2(x[2], x[5]);
100 accum.mul_x2(x[3], x[4]);
101 z[7] = accum.extract();
102 accum.mul_x2(x[3], x[5]);
103 accum.mul(x[4], x[4]);
104 z[8] = accum.extract();
105 accum.mul_x2(x[4], x[5]);
106 z[9] = accum.extract();
107 accum.mul(x[5], x[5]);
108 z[10] = accum.extract();
109 z[11] = accum.extract();
110}
References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().
Referenced by bigint_sqr(), and comba_sqr().
◆ bigint_comba_sqr7()
| BOTAN_FUZZER_API void Botan::bigint_comba_sqr7 | ( | word | z[14], |
| const word | x[7] ) |
Definition at line 171 of file mp_comba.cpp.
171 {
172 word3<word> accum;
173
174 accum.mul(x[0], x[0]);
175 z[0] = accum.extract();
176 accum.mul_x2(x[0], x[1]);
177 z[1] = accum.extract();
178 accum.mul_x2(x[0], x[2]);
179 accum.mul(x[1], x[1]);
180 z[2] = accum.extract();
181 accum.mul_x2(x[0], x[3]);
182 accum.mul_x2(x[1], x[2]);
183 z[3] = accum.extract();
184 accum.mul_x2(x[0], x[4]);
185 accum.mul_x2(x[1], x[3]);
186 accum.mul(x[2], x[2]);
187 z[4] = accum.extract();
188 accum.mul_x2(x[0], x[5]);
189 accum.mul_x2(x[1], x[4]);
190 accum.mul_x2(x[2], x[3]);
191 z[5] = accum.extract();
192 accum.mul_x2(x[0], x[6]);
193 accum.mul_x2(x[1], x[5]);
194 accum.mul_x2(x[2], x[4]);
195 accum.mul(x[3], x[3]);
196 z[6] = accum.extract();
197 accum.mul_x2(x[1], x[6]);
198 accum.mul_x2(x[2], x[5]);
199 accum.mul_x2(x[3], x[4]);
200 z[7] = accum.extract();
201 accum.mul_x2(x[2], x[6]);
202 accum.mul_x2(x[3], x[5]);
203 accum.mul(x[4], x[4]);
204 z[8] = accum.extract();
205 accum.mul_x2(x[3], x[6]);
206 accum.mul_x2(x[4], x[5]);
207 z[9] = accum.extract();
208 accum.mul_x2(x[4], x[6]);
209 accum.mul(x[5], x[5]);
210 z[10] = accum.extract();
211 accum.mul_x2(x[5], x[6]);
212 z[11] = accum.extract();
213 accum.mul(x[6], x[6]);
214 z[12] = accum.extract();
215 z[13] = accum.extract();
216}
References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().
Referenced by comba_sqr().
◆ bigint_comba_sqr8()
| BOTAN_FUZZER_API void Botan::bigint_comba_sqr8 | ( | word | z[16], |
| const word | x[8] ) |
Definition at line 292 of file mp_comba.cpp.
292 {
293 word3<word> accum;
294
295 accum.mul(x[0], x[0]);
296 z[0] = accum.extract();
297 accum.mul_x2(x[0], x[1]);
298 z[1] = accum.extract();
299 accum.mul_x2(x[0], x[2]);
300 accum.mul(x[1], x[1]);
301 z[2] = accum.extract();
302 accum.mul_x2(x[0], x[3]);
303 accum.mul_x2(x[1], x[2]);
304 z[3] = accum.extract();
305 accum.mul_x2(x[0], x[4]);
306 accum.mul_x2(x[1], x[3]);
307 accum.mul(x[2], x[2]);
308 z[4] = accum.extract();
309 accum.mul_x2(x[0], x[5]);
310 accum.mul_x2(x[1], x[4]);
311 accum.mul_x2(x[2], x[3]);
312 z[5] = accum.extract();
313 accum.mul_x2(x[0], x[6]);
314 accum.mul_x2(x[1], x[5]);
315 accum.mul_x2(x[2], x[4]);
316 accum.mul(x[3], x[3]);
317 z[6] = accum.extract();
318 accum.mul_x2(x[0], x[7]);
319 accum.mul_x2(x[1], x[6]);
320 accum.mul_x2(x[2], x[5]);
321 accum.mul_x2(x[3], x[4]);
322 z[7] = accum.extract();
323 accum.mul_x2(x[1], x[7]);
324 accum.mul_x2(x[2], x[6]);
325 accum.mul_x2(x[3], x[5]);
326 accum.mul(x[4], x[4]);
327 z[8] = accum.extract();
328 accum.mul_x2(x[2], x[7]);
329 accum.mul_x2(x[3], x[6]);
330 accum.mul_x2(x[4], x[5]);
331 z[9] = accum.extract();
332 accum.mul_x2(x[3], x[7]);
333 accum.mul_x2(x[4], x[6]);
334 accum.mul(x[5], x[5]);
335 z[10] = accum.extract();
336 accum.mul_x2(x[4], x[7]);
337 accum.mul_x2(x[5], x[6]);
338 z[11] = accum.extract();
339 accum.mul_x2(x[5], x[7]);
340 accum.mul(x[6], x[6]);
341 z[12] = accum.extract();
342 accum.mul_x2(x[6], x[7]);
343 z[13] = accum.extract();
344 accum.mul(x[7], x[7]);
345 z[14] = accum.extract();
346 z[15] = accum.extract();
347}
References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().
Referenced by bigint_sqr(), and comba_sqr().
◆ bigint_comba_sqr9()
| BOTAN_FUZZER_API void Botan::bigint_comba_sqr9 | ( | word | z[18], |
| const word | x[9] ) |
Definition at line 440 of file mp_comba.cpp.
440 {
441 word3<word> accum;
442
443 accum.mul(x[0], x[0]);
444 z[0] = accum.extract();
445 accum.mul_x2(x[0], x[1]);
446 z[1] = accum.extract();
447 accum.mul_x2(x[0], x[2]);
448 accum.mul(x[1], x[1]);
449 z[2] = accum.extract();
450 accum.mul_x2(x[0], x[3]);
451 accum.mul_x2(x[1], x[2]);
452 z[3] = accum.extract();
453 accum.mul_x2(x[0], x[4]);
454 accum.mul_x2(x[1], x[3]);
455 accum.mul(x[2], x[2]);
456 z[4] = accum.extract();
457 accum.mul_x2(x[0], x[5]);
458 accum.mul_x2(x[1], x[4]);
459 accum.mul_x2(x[2], x[3]);
460 z[5] = accum.extract();
461 accum.mul_x2(x[0], x[6]);
462 accum.mul_x2(x[1], x[5]);
463 accum.mul_x2(x[2], x[4]);
464 accum.mul(x[3], x[3]);
465 z[6] = accum.extract();
466 accum.mul_x2(x[0], x[7]);
467 accum.mul_x2(x[1], x[6]);
468 accum.mul_x2(x[2], x[5]);
469 accum.mul_x2(x[3], x[4]);
470 z[7] = accum.extract();
471 accum.mul_x2(x[0], x[8]);
472 accum.mul_x2(x[1], x[7]);
473 accum.mul_x2(x[2], x[6]);
474 accum.mul_x2(x[3], x[5]);
475 accum.mul(x[4], x[4]);
476 z[8] = accum.extract();
477 accum.mul_x2(x[1], x[8]);
478 accum.mul_x2(x[2], x[7]);
479 accum.mul_x2(x[3], x[6]);
480 accum.mul_x2(x[4], x[5]);
481 z[9] = accum.extract();
482 accum.mul_x2(x[2], x[8]);
483 accum.mul_x2(x[3], x[7]);
484 accum.mul_x2(x[4], x[6]);
485 accum.mul(x[5], x[5]);
486 z[10] = accum.extract();
487 accum.mul_x2(x[3], x[8]);
488 accum.mul_x2(x[4], x[7]);
489 accum.mul_x2(x[5], x[6]);
490 z[11] = accum.extract();
491 accum.mul_x2(x[4], x[8]);
492 accum.mul_x2(x[5], x[7]);
493 accum.mul(x[6], x[6]);
494 z[12] = accum.extract();
495 accum.mul_x2(x[5], x[8]);
496 accum.mul_x2(x[6], x[7]);
497 z[13] = accum.extract();
498 accum.mul_x2(x[6], x[8]);
499 accum.mul(x[7], x[7]);
500 z[14] = accum.extract();
501 accum.mul_x2(x[7], x[8]);
502 z[15] = accum.extract();
503 accum.mul(x[8], x[8]);
504 z[16] = accum.extract();
505 z[17] = accum.extract();
506}
References Botan::word3< W >::extract(), Botan::word3< W >::mul(), and Botan::word3< W >::mul_x2().
Referenced by bigint_sqr(), and comba_sqr().
◆ bigint_ct_is_eq()
template<WordType W>
|
inlineconstexpr |
Definition at line 672 of file mp_core.h.
672 {
673 const size_t common_elems = std::min(x_size, y_size);
674
675 W diff = 0;
676
677 for(size_t i = 0; i != common_elems; i++) {
678 diff |= (x[i] ^ y[i]);
679 }
680
681 // If any bits were set in high part of x/y, then they are not equal
682 if(x_size < y_size) {
683 for(size_t i = x_size; i != y_size; i++) {
684 diff |= y[i];
685 }
686 } else if(y_size < x_size) {
687 for(size_t i = y_size; i != x_size; i++) {
688 diff |= x[i];
689 }
690 }
691
692 return CT::Mask<W>::is_zero(diff);
693}
References Botan::CT::Mask< T >::is_zero().
Referenced by Botan::BigInt::is_equal().
◆ bigint_ct_is_lt()
template<WordType W>
|
inlineconstexpr |
Compare x and y Return ~0 if x[0:x_size] < y[0:y_size] or 0 otherwise If lt_or_equal is true, returns ~0 also for x == y
Definition at line 639 of file mp_core.h.
640 {
641 const size_t common_elems = std::min(x_size, y_size);
642
644
645 for(size_t i = 0; i != common_elems; i++) {
648 is_lt = eq.select_mask(is_lt, lt);
649 }
650
651 if(x_size < y_size) {
652 W mask = 0;
653 for(size_t i = x_size; i != y_size; i++) {
654 mask |= y[i];
655 }
656 // If any bits were set in high part of y, then is_lt should be forced true
657 is_lt |= CT::Mask<W>::expand(mask);
658 } else if(y_size < x_size) {
659 W mask = 0;
660 for(size_t i = y_size; i != x_size; i++) {
661 mask |= x[i];
662 }
663
664 // If any bits were set in high part of x, then is_lt should be false
665 is_lt &= CT::Mask<W>::is_zero(mask);
666 }
667
668 return is_lt;
669}
References Botan::CT::Mask< T >::expand(), Botan::CT::Mask< T >::is_equal(), Botan::CT::Mask< T >::is_lt(), and Botan::CT::Mask< T >::is_zero().
Referenced by bigint_mod_sub(), bigint_mod_sub_n(), Botan::BigInt::is_less_than(), and Botan::PCurve::PrimeOrderCurveImpl< C >::mul2_vartime_x_mod_order_eq().
◆ bigint_divop_vartime()
template<WordType W>
|
inlineconstexpr |
Compute ((n1<<bits) + n0) / d
Definition at line 778 of file mp_core.h.
778 {
779 if(d == 0) {
781 }
782
783 if constexpr(WordInfo<W>::dword_is_native) {
784 typename WordInfo<W>::dword n = n1;
785 n <<= WordInfo<W>::bits;
786 n |= n0;
787 return static_cast<W>(n / d);
788 } else {
789 W high = n1 % d;
790 W quotient = 0;
791
792 for(size_t i = 0; i != WordInfo<W>::bits; ++i) {
793 const W high_top_bit = high >> (WordInfo<W>::bits - 1);
794
795 high <<= 1;
796 high |= (n0 >> (WordInfo<W>::bits - 1 - i)) & 1;
797 quotient <<= 1;
798
799 if(high_top_bit || high >= d) {
800 high -= d;
801 quotient |= 1;
802 }
803 }
804
805 return quotient;
806 }
807}
Referenced by bigint_modop_vartime(), and vartime_divide().
◆ bigint_linmul2()
template<WordType W>
|
inlinenodiscardconstexpr |
Definition at line 552 of file mp_core.h.
552 {
553 const size_t blocks = x_size - (x_size % 8);
554
555 W carry = 0;
556
557 for(size_t i = 0; i != blocks; i += 8) {
559 }
560
561 for(size_t i = blocks; i != x_size; ++i) {
562 x[i] = word_madd2(x[i], y, &carry);
563 }
564
566}
References carry(), word8_linmul2(), and word_madd2().
Referenced by Botan::BigInt::mul(), and Botan::BigInt::operator*=().
◆ bigint_linmul3()
template<WordType W>
|
inlineconstexpr |
Definition at line 569 of file mp_core.h.
569 {
570 const size_t blocks = x_size - (x_size % 8);
571
572 W carry = 0;
573
574 for(size_t i = 0; i != blocks; i += 8) {
576 }
577
578 for(size_t i = blocks; i != x_size; ++i) {
579 z[i] = word_madd2(x[i], y, &carry);
580 }
581
582 z[x_size] = carry;
583}
constexpr auto word8_linmul3(W z[8], const W x[8], W y, W carry) -> W
Definition mp_asmi.h:437
References carry(), word8_linmul3(), and word_madd2().
Referenced by bigint_mul(), bigint_sqr(), Botan::BigInt::mul(), operator*(), and operator*().
◆ bigint_mod_sub()
template<WordType W>
|
inlineconstexpr |
Set t to t-s modulo mod
- Parameters
-
t first integer s second integer mod the modulus mod_sw size of t, s, and mod ws workspace of size mod_sw
Definition at line 739 of file mp_core.h.
739 {
740 // is t < s or not?
742
743 // ws = p - s
745
746 // Compute either (t - s) or (t + (p - s)) depending on mask
748
749 if(!std::is_constant_evaluated()) {
750 BOTAN_DEBUG_ASSERT(borrow == 0 && carry == 0);
751 }
752
753 BOTAN_UNUSED(carry, borrow);
754}
constexpr auto bigint_sub3(W z[], const W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:341
constexpr auto bigint_cnd_addsub(CT::Mask< W > mask, W x[], const W y[], const W z[], size_t size) -> W
Definition mp_core.h:162
constexpr auto bigint_ct_is_lt(const W x[], size_t x_size, const W y[], size_t y_size, bool lt_or_equal=false) -> CT::Mask< W >
Definition mp_core.h:639
References bigint_cnd_addsub(), bigint_ct_is_lt(), bigint_sub3(), BOTAN_DEBUG_ASSERT, BOTAN_UNUSED, and carry().
Referenced by Botan::BigInt::mod_sub().
◆ bigint_mod_sub_n()
template<size_t N, WordType W>
|
inlineconstexpr |
Definition at line 757 of file mp_core.h.
757 {
758 // is t < s or not?
760
761 // ws = p - s
763
764 // Compute either (t - s) or (t + (p - s)) depending on mask
766
767 if(!std::is_constant_evaluated()) {
768 BOTAN_DEBUG_ASSERT(borrow == 0 && carry == 0);
769 }
770
771 BOTAN_UNUSED(carry, borrow);
772}
References bigint_cnd_addsub(), bigint_ct_is_lt(), bigint_sub3(), BOTAN_DEBUG_ASSERT, BOTAN_UNUSED, and carry().
Referenced by Botan::BigInt::mod_sub().
◆ bigint_modop_vartime()
template<WordType W>
|
inlineconstexpr |
Compute ((n1<<bits) + n0) % d
Definition at line 813 of file mp_core.h.
813 {
814 if(d == 0) {
816 }
817
818 W z = bigint_divop_vartime(n1, n0, d);
819 W carry = 0;
820 z = word_madd2(z, d, &carry);
821 return (n0 - z);
822}
References bigint_divop_vartime(), carry(), and word_madd2().
Referenced by operator%(), and Botan::BigInt::operator%=().
◆ bigint_monty_maybe_sub() [1/2]
template<WordType W>
|
inlineconstexpr |
Conditional subtraction for Montgomery reduction
This function assumes that (x0 || x) is less than 2*p
Computes z[0:N] = (x0 || x[0:N]) - p[0:N]
If z would be positive, returns z[0:N] Otherwise returns original input x
Definition at line 374 of file mp_core.h.
374 {
375 W borrow = 0;
376
377 const size_t blocks = N - (N % 8);
378
379 for(size_t i = 0; i != blocks; i += 8) {
380 borrow = word8_sub3(z + i, x + i, p + i, borrow);
381 }
382
383 for(size_t i = blocks; i != N; ++i) {
384 z[i] = word_sub(x[i], p[i], &borrow);
385 }
386
387 borrow = (x0 - borrow) > x0;
388
389 CT::conditional_assign_mem(borrow, z, x, N);
390}
References Botan::CT::conditional_assign_mem(), word8_sub3(), and word_sub().
Referenced by bigint_monty_redc_16(), bigint_monty_redc_24(), bigint_monty_redc_32(), bigint_monty_redc_4(), bigint_monty_redc_6(), bigint_monty_redc_8(), bigint_monty_redc_generic(), and redc_crandall().
◆ bigint_monty_maybe_sub() [2/2]
template<size_t N, WordType W>
|
inlineconstexpr |
Conditional subtraction for Montgomery reduction
This function assumes that (x0 || x) is less than 2*p
Computes z[0:N] = (x0 || x[0:N]) - p[0:N]
If z would be positive, returns z[0:N] Otherwise returns original input x
Definition at line 403 of file mp_core.h.
403 {
404 W borrow = 0;
405
406 if constexpr(N == 4) {
407 borrow = word4_sub3(z, x, y, borrow);
408 } else if constexpr(N == 8) {
409 borrow = word8_sub3(z, x, y, borrow);
410 } else {
411 const constexpr size_t blocks = N - (N % 8);
412 for(size_t i = 0; i != blocks; i += 8) {
413 borrow = word8_sub3(z + i, x + i, y + i, borrow);
414 }
415
416 for(size_t i = blocks; i != N; ++i) {
417 z[i] = word_sub(x[i], y[i], &borrow);
418 }
419 }
420
421 borrow = (x0 - borrow) > x0;
422
423 CT::conditional_assign_mem(borrow, z, x, N);
424}
constexpr auto word4_sub3(W z[4], const W x[4], const W y[4], W carry) -> W
Definition mp_asmi.h:389
References Botan::CT::conditional_assign_mem(), word4_sub3(), word8_sub3(), and word_sub().
◆ bigint_monty_redc()
|
inline |
Montgomery Reduction
- Parameters
-
z integer to reduce, of size exactly 2*p_size. Output is in the first p_size words, higher words are set to zero. p modulus p_size size of p p_dash Montgomery value ws array of at least p_size words ws_size size of ws in words
Definition at line 1047 of file mp_core.h.
1047 {
1048 const size_t z_size = 2 * p_size;
1049
1051
1052 if(p_size == 4) {
1053 bigint_monty_redc_4(z, p, p_dash, ws);
1054 } else if(p_size == 6) {
1055 bigint_monty_redc_6(z, p, p_dash, ws);
1056 } else if(p_size == 8) {
1057 bigint_monty_redc_8(z, p, p_dash, ws);
1058 } else if(p_size == 16) {
1059 bigint_monty_redc_16(z, p, p_dash, ws);
1060 } else if(p_size == 24) {
1061 bigint_monty_redc_24(z, p, p_dash, ws);
1062 } else if(p_size == 32) {
1063 bigint_monty_redc_32(z, p, p_dash, ws);
1064 } else {
1065 bigint_monty_redc_generic(z, z_size, p, p_size, p_dash, ws);
1066 }
1067}
BOTAN_FUZZER_API void bigint_monty_redc_24(word z[48], const word p[24], word p_dash, word ws[])
Definition mp_monty_n.cpp:516
BOTAN_FUZZER_API void bigint_monty_redc_4(word z[8], const word p[4], word p_dash, word ws[])
Definition mp_monty_n.cpp:14
BOTAN_FUZZER_API void bigint_monty_redc_generic(word z[], size_t z_size, const word p[], size_t p_size, word p_dash, word ws[])
Definition mp_monty.cpp:31
BOTAN_FUZZER_API void bigint_monty_redc_32(word z[64], const word p[32], word p_dash, word ws[])
Definition mp_monty_n.cpp:1171
BOTAN_FUZZER_API void bigint_monty_redc_16(word z[32], const word p[16], word p_dash, word ws[])
Definition mp_monty_n.cpp:205
BOTAN_FUZZER_API void bigint_monty_redc_8(word z[16], const word p[8], word p_dash, word ws[])
Definition mp_monty_n.cpp:110
References bigint_monty_redc_16(), bigint_monty_redc_24(), bigint_monty_redc_32(), bigint_monty_redc_4(), bigint_monty_redc_6(), bigint_monty_redc_8(), bigint_monty_redc_generic(), and BOTAN_ARG_CHECK.
Referenced by Botan::Montgomery_Params::mul(), Botan::Montgomery_Params::mul(), Botan::Montgomery_Params::mul_by(), Botan::Montgomery_Params::mul_by(), Botan::Montgomery_Params::redc(), Botan::Montgomery_Params::sqr(), and Botan::Montgomery_Params::square_this().
◆ bigint_monty_redc_16()
| void Botan::bigint_monty_redc_16 | ( | word | z[32], |
| const word | p[16], | ||
| word | p_dash, | ||
| word | ws[] ) |
Definition at line 205 of file mp_monty_n.cpp.
205 {
206 word3<word> accum;
207 accum.add(z[0]);
208 ws[0] = accum.monty_step(p[0], p_dash);
209 accum.mul(ws[0], p[1]);
210 accum.add(z[1]);
211 ws[1] = accum.monty_step(p[0], p_dash);
212 accum.mul(ws[0], p[2]);
213 accum.mul(ws[1], p[1]);
214 accum.add(z[2]);
215 ws[2] = accum.monty_step(p[0], p_dash);
216 accum.mul(ws[0], p[3]);
217 accum.mul(ws[1], p[2]);
218 accum.mul(ws[2], p[1]);
219 accum.add(z[3]);
220 ws[3] = accum.monty_step(p[0], p_dash);
221 accum.mul(ws[0], p[4]);
222 accum.mul(ws[1], p[3]);
223 accum.mul(ws[2], p[2]);
224 accum.mul(ws[3], p[1]);
225 accum.add(z[4]);
226 ws[4] = accum.monty_step(p[0], p_dash);
227 accum.mul(ws[0], p[5]);
228 accum.mul(ws[1], p[4]);
229 accum.mul(ws[2], p[3]);
230 accum.mul(ws[3], p[2]);
231 accum.mul(ws[4], p[1]);
232 accum.add(z[5]);
233 ws[5] = accum.monty_step(p[0], p_dash);
234 accum.mul(ws[0], p[6]);
235 accum.mul(ws[1], p[5]);
236 accum.mul(ws[2], p[4]);
237 accum.mul(ws[3], p[3]);
238 accum.mul(ws[4], p[2]);
239 accum.mul(ws[5], p[1]);
240 accum.add(z[6]);
241 ws[6] = accum.monty_step(p[0], p_dash);
242 accum.mul(ws[0], p[7]);
243 accum.mul(ws[1], p[6]);
244 accum.mul(ws[2], p[5]);
245 accum.mul(ws[3], p[4]);
246 accum.mul(ws[4], p[3]);
247 accum.mul(ws[5], p[2]);
248 accum.mul(ws[6], p[1]);
249 accum.add(z[7]);
250 ws[7] = accum.monty_step(p[0], p_dash);
251 accum.mul(ws[0], p[8]);
252 accum.mul(ws[1], p[7]);
253 accum.mul(ws[2], p[6]);
254 accum.mul(ws[3], p[5]);
255 accum.mul(ws[4], p[4]);
256 accum.mul(ws[5], p[3]);
257 accum.mul(ws[6], p[2]);
258 accum.mul(ws[7], p[1]);
259 accum.add(z[8]);
260 ws[8] = accum.monty_step(p[0], p_dash);
261 accum.mul(ws[0], p[9]);
262 accum.mul(ws[1], p[8]);
263 accum.mul(ws[2], p[7]);
264 accum.mul(ws[3], p[6]);
265 accum.mul(ws[4], p[5]);
266 accum.mul(ws[5], p[4]);
267 accum.mul(ws[6], p[3]);
268 accum.mul(ws[7], p[2]);
269 accum.mul(ws[8], p[1]);
270 accum.add(z[9]);
271 ws[9] = accum.monty_step(p[0], p_dash);
272 accum.mul(ws[0], p[10]);
273 accum.mul(ws[1], p[9]);
274 accum.mul(ws[2], p[8]);
275 accum.mul(ws[3], p[7]);
276 accum.mul(ws[4], p[6]);
277 accum.mul(ws[5], p[5]);
278 accum.mul(ws[6], p[4]);
279 accum.mul(ws[7], p[3]);
280 accum.mul(ws[8], p[2]);
281 accum.mul(ws[9], p[1]);
282 accum.add(z[10]);
283 ws[10] = accum.monty_step(p[0], p_dash);
284 accum.mul(ws[0], p[11]);
285 accum.mul(ws[1], p[10]);
286 accum.mul(ws[2], p[9]);
287 accum.mul(ws[3], p[8]);
288 accum.mul(ws[4], p[7]);
289 accum.mul(ws[5], p[6]);
290 accum.mul(ws[6], p[5]);
291 accum.mul(ws[7], p[4]);
292 accum.mul(ws[8], p[3]);
293 accum.mul(ws[9], p[2]);
294 accum.mul(ws[10], p[1]);
295 accum.add(z[11]);
296 ws[11] = accum.monty_step(p[0], p_dash);
297 accum.mul(ws[0], p[12]);
298 accum.mul(ws[1], p[11]);
299 accum.mul(ws[2], p[10]);
300 accum.mul(ws[3], p[9]);
301 accum.mul(ws[4], p[8]);
302 accum.mul(ws[5], p[7]);
303 accum.mul(ws[6], p[6]);
304 accum.mul(ws[7], p[5]);
305 accum.mul(ws[8], p[4]);
306 accum.mul(ws[9], p[3]);
307 accum.mul(ws[10], p[2]);
308 accum.mul(ws[11], p[1]);
309 accum.add(z[12]);
310 ws[12] = accum.monty_step(p[0], p_dash);
311 accum.mul(ws[0], p[13]);
312 accum.mul(ws[1], p[12]);
313 accum.mul(ws[2], p[11]);
314 accum.mul(ws[3], p[10]);
315 accum.mul(ws[4], p[9]);
316 accum.mul(ws[5], p[8]);
317 accum.mul(ws[6], p[7]);
318 accum.mul(ws[7], p[6]);
319 accum.mul(ws[8], p[5]);
320 accum.mul(ws[9], p[4]);
321 accum.mul(ws[10], p[3]);
322 accum.mul(ws[11], p[2]);
323 accum.mul(ws[12], p[1]);
324 accum.add(z[13]);
325 ws[13] = accum.monty_step(p[0], p_dash);
326 accum.mul(ws[0], p[14]);
327 accum.mul(ws[1], p[13]);
328 accum.mul(ws[2], p[12]);
329 accum.mul(ws[3], p[11]);
330 accum.mul(ws[4], p[10]);
331 accum.mul(ws[5], p[9]);
332 accum.mul(ws[6], p[8]);
333 accum.mul(ws[7], p[7]);
334 accum.mul(ws[8], p[6]);
335 accum.mul(ws[9], p[5]);
336 accum.mul(ws[10], p[4]);
337 accum.mul(ws[11], p[3]);
338 accum.mul(ws[12], p[2]);
339 accum.mul(ws[13], p[1]);
340 accum.add(z[14]);
341 ws[14] = accum.monty_step(p[0], p_dash);
342 accum.mul(ws[0], p[15]);
343 accum.mul(ws[1], p[14]);
344 accum.mul(ws[2], p[13]);
345 accum.mul(ws[3], p[12]);
346 accum.mul(ws[4], p[11]);
347 accum.mul(ws[5], p[10]);
348 accum.mul(ws[6], p[9]);
349 accum.mul(ws[7], p[8]);
350 accum.mul(ws[8], p[7]);
351 accum.mul(ws[9], p[6]);
352 accum.mul(ws[10], p[5]);
353 accum.mul(ws[11], p[4]);
354 accum.mul(ws[12], p[3]);
355 accum.mul(ws[13], p[2]);
356 accum.mul(ws[14], p[1]);
357 accum.add(z[15]);
358 ws[15] = accum.monty_step(p[0], p_dash);
359 accum.mul(ws[1], p[15]);
360 accum.mul(ws[2], p[14]);
361 accum.mul(ws[3], p[13]);
362 accum.mul(ws[4], p[12]);
363 accum.mul(ws[5], p[11]);
364 accum.mul(ws[6], p[10]);
365 accum.mul(ws[7], p[9]);
366 accum.mul(ws[8], p[8]);
367 accum.mul(ws[9], p[7]);
368 accum.mul(ws[10], p[6]);
369 accum.mul(ws[11], p[5]);
370 accum.mul(ws[12], p[4]);
371 accum.mul(ws[13], p[3]);
372 accum.mul(ws[14], p[2]);
373 accum.mul(ws[15], p[1]);
374 accum.add(z[16]);
375 ws[0] = accum.extract();
376 accum.mul(ws[2], p[15]);
377 accum.mul(ws[3], p[14]);
378 accum.mul(ws[4], p[13]);
379 accum.mul(ws[5], p[12]);
380 accum.mul(ws[6], p[11]);
381 accum.mul(ws[7], p[10]);
382 accum.mul(ws[8], p[9]);
383 accum.mul(ws[9], p[8]);
384 accum.mul(ws[10], p[7]);
385 accum.mul(ws[11], p[6]);
386 accum.mul(ws[12], p[5]);
387 accum.mul(ws[13], p[4]);
388 accum.mul(ws[14], p[3]);
389 accum.mul(ws[15], p[2]);
390 accum.add(z[17]);
391 ws[1] = accum.extract();
392 accum.mul(ws[3], p[15]);
393 accum.mul(ws[4], p[14]);
394 accum.mul(ws[5], p[13]);
395 accum.mul(ws[6], p[12]);
396 accum.mul(ws[7], p[11]);
397 accum.mul(ws[8], p[10]);
398 accum.mul(ws[9], p[9]);
399 accum.mul(ws[10], p[8]);
400 accum.mul(ws[11], p[7]);
401 accum.mul(ws[12], p[6]);
402 accum.mul(ws[13], p[5]);
403 accum.mul(ws[14], p[4]);
404 accum.mul(ws[15], p[3]);
405 accum.add(z[18]);
406 ws[2] = accum.extract();
407 accum.mul(ws[4], p[15]);
408 accum.mul(ws[5], p[14]);
409 accum.mul(ws[6], p[13]);
410 accum.mul(ws[7], p[12]);
411 accum.mul(ws[8], p[11]);
412 accum.mul(ws[9], p[10]);
413 accum.mul(ws[10], p[9]);
414 accum.mul(ws[11], p[8]);
415 accum.mul(ws[12], p[7]);
416 accum.mul(ws[13], p[6]);
417 accum.mul(ws[14], p[5]);
418 accum.mul(ws[15], p[4]);
419 accum.add(z[19]);
420 ws[3] = accum.extract();
421 accum.mul(ws[5], p[15]);
422 accum.mul(ws[6], p[14]);
423 accum.mul(ws[7], p[13]);
424 accum.mul(ws[8], p[12]);
425 accum.mul(ws[9], p[11]);
426 accum.mul(ws[10], p[10]);
427 accum.mul(ws[11], p[9]);
428 accum.mul(ws[12], p[8]);
429 accum.mul(ws[13], p[7]);
430 accum.mul(ws[14], p[6]);
431 accum.mul(ws[15], p[5]);
432 accum.add(z[20]);
433 ws[4] = accum.extract();
434 accum.mul(ws[6], p[15]);
435 accum.mul(ws[7], p[14]);
436 accum.mul(ws[8], p[13]);
437 accum.mul(ws[9], p[12]);
438 accum.mul(ws[10], p[11]);
439 accum.mul(ws[11], p[10]);
440 accum.mul(ws[12], p[9]);
441 accum.mul(ws[13], p[8]);
442 accum.mul(ws[14], p[7]);
443 accum.mul(ws[15], p[6]);
444 accum.add(z[21]);
445 ws[5] = accum.extract();
446 accum.mul(ws[7], p[15]);
447 accum.mul(ws[8], p[14]);
448 accum.mul(ws[9], p[13]);
449 accum.mul(ws[10], p[12]);
450 accum.mul(ws[11], p[11]);
451 accum.mul(ws[12], p[10]);
452 accum.mul(ws[13], p[9]);
453 accum.mul(ws[14], p[8]);
454 accum.mul(ws[15], p[7]);
455 accum.add(z[22]);
456 ws[6] = accum.extract();
457 accum.mul(ws[8], p[15]);
458 accum.mul(ws[9], p[14]);
459 accum.mul(ws[10], p[13]);
460 accum.mul(ws[11], p[12]);
461 accum.mul(ws[12], p[11]);
462 accum.mul(ws[13], p[10]);
463 accum.mul(ws[14], p[9]);
464 accum.mul(ws[15], p[8]);
465 accum.add(z[23]);
466 ws[7] = accum.extract();
467 accum.mul(ws[9], p[15]);
468 accum.mul(ws[10], p[14]);
469 accum.mul(ws[11], p[13]);
470 accum.mul(ws[12], p[12]);
471 accum.mul(ws[13], p[11]);
472 accum.mul(ws[14], p[10]);
473 accum.mul(ws[15], p[9]);
474 accum.add(z[24]);
475 ws[8] = accum.extract();
476 accum.mul(ws[10], p[15]);
477 accum.mul(ws[11], p[14]);
478 accum.mul(ws[12], p[13]);
479 accum.mul(ws[13], p[12]);
480 accum.mul(ws[14], p[11]);
481 accum.mul(ws[15], p[10]);
482 accum.add(z[25]);
483 ws[9] = accum.extract();
484 accum.mul(ws[11], p[15]);
485 accum.mul(ws[12], p[14]);
486 accum.mul(ws[13], p[13]);
487 accum.mul(ws[14], p[12]);
488 accum.mul(ws[15], p[11]);
489 accum.add(z[26]);
490 ws[10] = accum.extract();
491 accum.mul(ws[12], p[15]);
492 accum.mul(ws[13], p[14]);
493 accum.mul(ws[14], p[13]);
494 accum.mul(ws[15], p[12]);
495 accum.add(z[27]);
496 ws[11] = accum.extract();
497 accum.mul(ws[13], p[15]);
498 accum.mul(ws[14], p[14]);
499 accum.mul(ws[15], p[13]);
500 accum.add(z[28]);
501 ws[12] = accum.extract();
502 accum.mul(ws[14], p[15]);
503 accum.mul(ws[15], p[14]);
504 accum.add(z[29]);
505 ws[13] = accum.extract();
506 accum.mul(ws[15], p[15]);
507 accum.add(z[30]);
508 ws[14] = accum.extract();
509 accum.add(z[31]);
510 ws[15] = accum.extract();
511 word w1 = accum.extract();
512 bigint_monty_maybe_sub<16>(z, w1, ws, p);
513 clear_mem(z + 16, 16);
514}
References Botan::word3< W >::add(), bigint_monty_maybe_sub(), clear_mem(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().
Referenced by bigint_monty_redc().
◆ bigint_monty_redc_24()
| void Botan::bigint_monty_redc_24 | ( | word | z[48], |
| const word | p[24], | ||
| word | p_dash, | ||
| word | ws[] ) |
Definition at line 516 of file mp_monty_n.cpp.
516 {
517 word3<word> accum;
518 accum.add(z[0]);
519 ws[0] = accum.monty_step(p[0], p_dash);
520 accum.mul(ws[0], p[1]);
521 accum.add(z[1]);
522 ws[1] = accum.monty_step(p[0], p_dash);
523 accum.mul(ws[0], p[2]);
524 accum.mul(ws[1], p[1]);
525 accum.add(z[2]);
526 ws[2] = accum.monty_step(p[0], p_dash);
527 accum.mul(ws[0], p[3]);
528 accum.mul(ws[1], p[2]);
529 accum.mul(ws[2], p[1]);
530 accum.add(z[3]);
531 ws[3] = accum.monty_step(p[0], p_dash);
532 accum.mul(ws[0], p[4]);
533 accum.mul(ws[1], p[3]);
534 accum.mul(ws[2], p[2]);
535 accum.mul(ws[3], p[1]);
536 accum.add(z[4]);
537 ws[4] = accum.monty_step(p[0], p_dash);
538 accum.mul(ws[0], p[5]);
539 accum.mul(ws[1], p[4]);
540 accum.mul(ws[2], p[3]);
541 accum.mul(ws[3], p[2]);
542 accum.mul(ws[4], p[1]);
543 accum.add(z[5]);
544 ws[5] = accum.monty_step(p[0], p_dash);
545 accum.mul(ws[0], p[6]);
546 accum.mul(ws[1], p[5]);
547 accum.mul(ws[2], p[4]);
548 accum.mul(ws[3], p[3]);
549 accum.mul(ws[4], p[2]);
550 accum.mul(ws[5], p[1]);
551 accum.add(z[6]);
552 ws[6] = accum.monty_step(p[0], p_dash);
553 accum.mul(ws[0], p[7]);
554 accum.mul(ws[1], p[6]);
555 accum.mul(ws[2], p[5]);
556 accum.mul(ws[3], p[4]);
557 accum.mul(ws[4], p[3]);
558 accum.mul(ws[5], p[2]);
559 accum.mul(ws[6], p[1]);
560 accum.add(z[7]);
561 ws[7] = accum.monty_step(p[0], p_dash);
562 accum.mul(ws[0], p[8]);
563 accum.mul(ws[1], p[7]);
564 accum.mul(ws[2], p[6]);
565 accum.mul(ws[3], p[5]);
566 accum.mul(ws[4], p[4]);
567 accum.mul(ws[5], p[3]);
568 accum.mul(ws[6], p[2]);
569 accum.mul(ws[7], p[1]);
570 accum.add(z[8]);
571 ws[8] = accum.monty_step(p[0], p_dash);
572 accum.mul(ws[0], p[9]);
573 accum.mul(ws[1], p[8]);
574 accum.mul(ws[2], p[7]);
575 accum.mul(ws[3], p[6]);
576 accum.mul(ws[4], p[5]);
577 accum.mul(ws[5], p[4]);
578 accum.mul(ws[6], p[3]);
579 accum.mul(ws[7], p[2]);
580 accum.mul(ws[8], p[1]);
581 accum.add(z[9]);
582 ws[9] = accum.monty_step(p[0], p_dash);
583 accum.mul(ws[0], p[10]);
584 accum.mul(ws[1], p[9]);
585 accum.mul(ws[2], p[8]);
586 accum.mul(ws[3], p[7]);
587 accum.mul(ws[4], p[6]);
588 accum.mul(ws[5], p[5]);
589 accum.mul(ws[6], p[4]);
590 accum.mul(ws[7], p[3]);
591 accum.mul(ws[8], p[2]);
592 accum.mul(ws[9], p[1]);
593 accum.add(z[10]);
594 ws[10] = accum.monty_step(p[0], p_dash);
595 accum.mul(ws[0], p[11]);
596 accum.mul(ws[1], p[10]);
597 accum.mul(ws[2], p[9]);
598 accum.mul(ws[3], p[8]);
599 accum.mul(ws[4], p[7]);
600 accum.mul(ws[5], p[6]);
601 accum.mul(ws[6], p[5]);
602 accum.mul(ws[7], p[4]);
603 accum.mul(ws[8], p[3]);
604 accum.mul(ws[9], p[2]);
605 accum.mul(ws[10], p[1]);
606 accum.add(z[11]);
607 ws[11] = accum.monty_step(p[0], p_dash);
608 accum.mul(ws[0], p[12]);
609 accum.mul(ws[1], p[11]);
610 accum.mul(ws[2], p[10]);
611 accum.mul(ws[3], p[9]);
612 accum.mul(ws[4], p[8]);
613 accum.mul(ws[5], p[7]);
614 accum.mul(ws[6], p[6]);
615 accum.mul(ws[7], p[5]);
616 accum.mul(ws[8], p[4]);
617 accum.mul(ws[9], p[3]);
618 accum.mul(ws[10], p[2]);
619 accum.mul(ws[11], p[1]);
620 accum.add(z[12]);
621 ws[12] = accum.monty_step(p[0], p_dash);
622 accum.mul(ws[0], p[13]);
623 accum.mul(ws[1], p[12]);
624 accum.mul(ws[2], p[11]);
625 accum.mul(ws[3], p[10]);
626 accum.mul(ws[4], p[9]);
627 accum.mul(ws[5], p[8]);
628 accum.mul(ws[6], p[7]);
629 accum.mul(ws[7], p[6]);
630 accum.mul(ws[8], p[5]);
631 accum.mul(ws[9], p[4]);
632 accum.mul(ws[10], p[3]);
633 accum.mul(ws[11], p[2]);
634 accum.mul(ws[12], p[1]);
635 accum.add(z[13]);
636 ws[13] = accum.monty_step(p[0], p_dash);
637 accum.mul(ws[0], p[14]);
638 accum.mul(ws[1], p[13]);
639 accum.mul(ws[2], p[12]);
640 accum.mul(ws[3], p[11]);
641 accum.mul(ws[4], p[10]);
642 accum.mul(ws[5], p[9]);
643 accum.mul(ws[6], p[8]);
644 accum.mul(ws[7], p[7]);
645 accum.mul(ws[8], p[6]);
646 accum.mul(ws[9], p[5]);
647 accum.mul(ws[10], p[4]);
648 accum.mul(ws[11], p[3]);
649 accum.mul(ws[12], p[2]);
650 accum.mul(ws[13], p[1]);
651 accum.add(z[14]);
652 ws[14] = accum.monty_step(p[0], p_dash);
653 accum.mul(ws[0], p[15]);
654 accum.mul(ws[1], p[14]);
655 accum.mul(ws[2], p[13]);
656 accum.mul(ws[3], p[12]);
657 accum.mul(ws[4], p[11]);
658 accum.mul(ws[5], p[10]);
659 accum.mul(ws[6], p[9]);
660 accum.mul(ws[7], p[8]);
661 accum.mul(ws[8], p[7]);
662 accum.mul(ws[9], p[6]);
663 accum.mul(ws[10], p[5]);
664 accum.mul(ws[11], p[4]);
665 accum.mul(ws[12], p[3]);
666 accum.mul(ws[13], p[2]);
667 accum.mul(ws[14], p[1]);
668 accum.add(z[15]);
669 ws[15] = accum.monty_step(p[0], p_dash);
670 accum.mul(ws[0], p[16]);
671 accum.mul(ws[1], p[15]);
672 accum.mul(ws[2], p[14]);
673 accum.mul(ws[3], p[13]);
674 accum.mul(ws[4], p[12]);
675 accum.mul(ws[5], p[11]);
676 accum.mul(ws[6], p[10]);
677 accum.mul(ws[7], p[9]);
678 accum.mul(ws[8], p[8]);
679 accum.mul(ws[9], p[7]);
680 accum.mul(ws[10], p[6]);
681 accum.mul(ws[11], p[5]);
682 accum.mul(ws[12], p[4]);
683 accum.mul(ws[13], p[3]);
684 accum.mul(ws[14], p[2]);
685 accum.mul(ws[15], p[1]);
686 accum.add(z[16]);
687 ws[16] = accum.monty_step(p[0], p_dash);
688 accum.mul(ws[0], p[17]);
689 accum.mul(ws[1], p[16]);
690 accum.mul(ws[2], p[15]);
691 accum.mul(ws[3], p[14]);
692 accum.mul(ws[4], p[13]);
693 accum.mul(ws[5], p[12]);
694 accum.mul(ws[6], p[11]);
695 accum.mul(ws[7], p[10]);
696 accum.mul(ws[8], p[9]);
697 accum.mul(ws[9], p[8]);
698 accum.mul(ws[10], p[7]);
699 accum.mul(ws[11], p[6]);
700 accum.mul(ws[12], p[5]);
701 accum.mul(ws[13], p[4]);
702 accum.mul(ws[14], p[3]);
703 accum.mul(ws[15], p[2]);
704 accum.mul(ws[16], p[1]);
705 accum.add(z[17]);
706 ws[17] = accum.monty_step(p[0], p_dash);
707 accum.mul(ws[0], p[18]);
708 accum.mul(ws[1], p[17]);
709 accum.mul(ws[2], p[16]);
710 accum.mul(ws[3], p[15]);
711 accum.mul(ws[4], p[14]);
712 accum.mul(ws[5], p[13]);
713 accum.mul(ws[6], p[12]);
714 accum.mul(ws[7], p[11]);
715 accum.mul(ws[8], p[10]);
716 accum.mul(ws[9], p[9]);
717 accum.mul(ws[10], p[8]);
718 accum.mul(ws[11], p[7]);
719 accum.mul(ws[12], p[6]);
720 accum.mul(ws[13], p[5]);
721 accum.mul(ws[14], p[4]);
722 accum.mul(ws[15], p[3]);
723 accum.mul(ws[16], p[2]);
724 accum.mul(ws[17], p[1]);
725 accum.add(z[18]);
726 ws[18] = accum.monty_step(p[0], p_dash);
727 accum.mul(ws[0], p[19]);
728 accum.mul(ws[1], p[18]);
729 accum.mul(ws[2], p[17]);
730 accum.mul(ws[3], p[16]);
731 accum.mul(ws[4], p[15]);
732 accum.mul(ws[5], p[14]);
733 accum.mul(ws[6], p[13]);
734 accum.mul(ws[7], p[12]);
735 accum.mul(ws[8], p[11]);
736 accum.mul(ws[9], p[10]);
737 accum.mul(ws[10], p[9]);
738 accum.mul(ws[11], p[8]);
739 accum.mul(ws[12], p[7]);
740 accum.mul(ws[13], p[6]);
741 accum.mul(ws[14], p[5]);
742 accum.mul(ws[15], p[4]);
743 accum.mul(ws[16], p[3]);
744 accum.mul(ws[17], p[2]);
745 accum.mul(ws[18], p[1]);
746 accum.add(z[19]);
747 ws[19] = accum.monty_step(p[0], p_dash);
748 accum.mul(ws[0], p[20]);
749 accum.mul(ws[1], p[19]);
750 accum.mul(ws[2], p[18]);
751 accum.mul(ws[3], p[17]);
752 accum.mul(ws[4], p[16]);
753 accum.mul(ws[5], p[15]);
754 accum.mul(ws[6], p[14]);
755 accum.mul(ws[7], p[13]);
756 accum.mul(ws[8], p[12]);
757 accum.mul(ws[9], p[11]);
758 accum.mul(ws[10], p[10]);
759 accum.mul(ws[11], p[9]);
760 accum.mul(ws[12], p[8]);
761 accum.mul(ws[13], p[7]);
762 accum.mul(ws[14], p[6]);
763 accum.mul(ws[15], p[5]);
764 accum.mul(ws[16], p[4]);
765 accum.mul(ws[17], p[3]);
766 accum.mul(ws[18], p[2]);
767 accum.mul(ws[19], p[1]);
768 accum.add(z[20]);
769 ws[20] = accum.monty_step(p[0], p_dash);
770 accum.mul(ws[0], p[21]);
771 accum.mul(ws[1], p[20]);
772 accum.mul(ws[2], p[19]);
773 accum.mul(ws[3], p[18]);
774 accum.mul(ws[4], p[17]);
775 accum.mul(ws[5], p[16]);
776 accum.mul(ws[6], p[15]);
777 accum.mul(ws[7], p[14]);
778 accum.mul(ws[8], p[13]);
779 accum.mul(ws[9], p[12]);
780 accum.mul(ws[10], p[11]);
781 accum.mul(ws[11], p[10]);
782 accum.mul(ws[12], p[9]);
783 accum.mul(ws[13], p[8]);
784 accum.mul(ws[14], p[7]);
785 accum.mul(ws[15], p[6]);
786 accum.mul(ws[16], p[5]);
787 accum.mul(ws[17], p[4]);
788 accum.mul(ws[18], p[3]);
789 accum.mul(ws[19], p[2]);
790 accum.mul(ws[20], p[1]);
791 accum.add(z[21]);
792 ws[21] = accum.monty_step(p[0], p_dash);
793 accum.mul(ws[0], p[22]);
794 accum.mul(ws[1], p[21]);
795 accum.mul(ws[2], p[20]);
796 accum.mul(ws[3], p[19]);
797 accum.mul(ws[4], p[18]);
798 accum.mul(ws[5], p[17]);
799 accum.mul(ws[6], p[16]);
800 accum.mul(ws[7], p[15]);
801 accum.mul(ws[8], p[14]);
802 accum.mul(ws[9], p[13]);
803 accum.mul(ws[10], p[12]);
804 accum.mul(ws[11], p[11]);
805 accum.mul(ws[12], p[10]);
806 accum.mul(ws[13], p[9]);
807 accum.mul(ws[14], p[8]);
808 accum.mul(ws[15], p[7]);
809 accum.mul(ws[16], p[6]);
810 accum.mul(ws[17], p[5]);
811 accum.mul(ws[18], p[4]);
812 accum.mul(ws[19], p[3]);
813 accum.mul(ws[20], p[2]);
814 accum.mul(ws[21], p[1]);
815 accum.add(z[22]);
816 ws[22] = accum.monty_step(p[0], p_dash);
817 accum.mul(ws[0], p[23]);
818 accum.mul(ws[1], p[22]);
819 accum.mul(ws[2], p[21]);
820 accum.mul(ws[3], p[20]);
821 accum.mul(ws[4], p[19]);
822 accum.mul(ws[5], p[18]);
823 accum.mul(ws[6], p[17]);
824 accum.mul(ws[7], p[16]);
825 accum.mul(ws[8], p[15]);
826 accum.mul(ws[9], p[14]);
827 accum.mul(ws[10], p[13]);
828 accum.mul(ws[11], p[12]);
829 accum.mul(ws[12], p[11]);
830 accum.mul(ws[13], p[10]);
831 accum.mul(ws[14], p[9]);
832 accum.mul(ws[15], p[8]);
833 accum.mul(ws[16], p[7]);
834 accum.mul(ws[17], p[6]);
835 accum.mul(ws[18], p[5]);
836 accum.mul(ws[19], p[4]);
837 accum.mul(ws[20], p[3]);
838 accum.mul(ws[21], p[2]);
839 accum.mul(ws[22], p[1]);
840 accum.add(z[23]);
841 ws[23] = accum.monty_step(p[0], p_dash);
842 accum.mul(ws[1], p[23]);
843 accum.mul(ws[2], p[22]);
844 accum.mul(ws[3], p[21]);
845 accum.mul(ws[4], p[20]);
846 accum.mul(ws[5], p[19]);
847 accum.mul(ws[6], p[18]);
848 accum.mul(ws[7], p[17]);
849 accum.mul(ws[8], p[16]);
850 accum.mul(ws[9], p[15]);
851 accum.mul(ws[10], p[14]);
852 accum.mul(ws[11], p[13]);
853 accum.mul(ws[12], p[12]);
854 accum.mul(ws[13], p[11]);
855 accum.mul(ws[14], p[10]);
856 accum.mul(ws[15], p[9]);
857 accum.mul(ws[16], p[8]);
858 accum.mul(ws[17], p[7]);
859 accum.mul(ws[18], p[6]);
860 accum.mul(ws[19], p[5]);
861 accum.mul(ws[20], p[4]);
862 accum.mul(ws[21], p[3]);
863 accum.mul(ws[22], p[2]);
864 accum.mul(ws[23], p[1]);
865 accum.add(z[24]);
866 ws[0] = accum.extract();
867 accum.mul(ws[2], p[23]);
868 accum.mul(ws[3], p[22]);
869 accum.mul(ws[4], p[21]);
870 accum.mul(ws[5], p[20]);
871 accum.mul(ws[6], p[19]);
872 accum.mul(ws[7], p[18]);
873 accum.mul(ws[8], p[17]);
874 accum.mul(ws[9], p[16]);
875 accum.mul(ws[10], p[15]);
876 accum.mul(ws[11], p[14]);
877 accum.mul(ws[12], p[13]);
878 accum.mul(ws[13], p[12]);
879 accum.mul(ws[14], p[11]);
880 accum.mul(ws[15], p[10]);
881 accum.mul(ws[16], p[9]);
882 accum.mul(ws[17], p[8]);
883 accum.mul(ws[18], p[7]);
884 accum.mul(ws[19], p[6]);
885 accum.mul(ws[20], p[5]);
886 accum.mul(ws[21], p[4]);
887 accum.mul(ws[22], p[3]);
888 accum.mul(ws[23], p[2]);
889 accum.add(z[25]);
890 ws[1] = accum.extract();
891 accum.mul(ws[3], p[23]);
892 accum.mul(ws[4], p[22]);
893 accum.mul(ws[5], p[21]);
894 accum.mul(ws[6], p[20]);
895 accum.mul(ws[7], p[19]);
896 accum.mul(ws[8], p[18]);
897 accum.mul(ws[9], p[17]);
898 accum.mul(ws[10], p[16]);
899 accum.mul(ws[11], p[15]);
900 accum.mul(ws[12], p[14]);
901 accum.mul(ws[13], p[13]);
902 accum.mul(ws[14], p[12]);
903 accum.mul(ws[15], p[11]);
904 accum.mul(ws[16], p[10]);
905 accum.mul(ws[17], p[9]);
906 accum.mul(ws[18], p[8]);
907 accum.mul(ws[19], p[7]);
908 accum.mul(ws[20], p[6]);
909 accum.mul(ws[21], p[5]);
910 accum.mul(ws[22], p[4]);
911 accum.mul(ws[23], p[3]);
912 accum.add(z[26]);
913 ws[2] = accum.extract();
914 accum.mul(ws[4], p[23]);
915 accum.mul(ws[5], p[22]);
916 accum.mul(ws[6], p[21]);
917 accum.mul(ws[7], p[20]);
918 accum.mul(ws[8], p[19]);
919 accum.mul(ws[9], p[18]);
920 accum.mul(ws[10], p[17]);
921 accum.mul(ws[11], p[16]);
922 accum.mul(ws[12], p[15]);
923 accum.mul(ws[13], p[14]);
924 accum.mul(ws[14], p[13]);
925 accum.mul(ws[15], p[12]);
926 accum.mul(ws[16], p[11]);
927 accum.mul(ws[17], p[10]);
928 accum.mul(ws[18], p[9]);
929 accum.mul(ws[19], p[8]);
930 accum.mul(ws[20], p[7]);
931 accum.mul(ws[21], p[6]);
932 accum.mul(ws[22], p[5]);
933 accum.mul(ws[23], p[4]);
934 accum.add(z[27]);
935 ws[3] = accum.extract();
936 accum.mul(ws[5], p[23]);
937 accum.mul(ws[6], p[22]);
938 accum.mul(ws[7], p[21]);
939 accum.mul(ws[8], p[20]);
940 accum.mul(ws[9], p[19]);
941 accum.mul(ws[10], p[18]);
942 accum.mul(ws[11], p[17]);
943 accum.mul(ws[12], p[16]);
944 accum.mul(ws[13], p[15]);
945 accum.mul(ws[14], p[14]);
946 accum.mul(ws[15], p[13]);
947 accum.mul(ws[16], p[12]);
948 accum.mul(ws[17], p[11]);
949 accum.mul(ws[18], p[10]);
950 accum.mul(ws[19], p[9]);
951 accum.mul(ws[20], p[8]);
952 accum.mul(ws[21], p[7]);
953 accum.mul(ws[22], p[6]);
954 accum.mul(ws[23], p[5]);
955 accum.add(z[28]);
956 ws[4] = accum.extract();
957 accum.mul(ws[6], p[23]);
958 accum.mul(ws[7], p[22]);
959 accum.mul(ws[8], p[21]);
960 accum.mul(ws[9], p[20]);
961 accum.mul(ws[10], p[19]);
962 accum.mul(ws[11], p[18]);
963 accum.mul(ws[12], p[17]);
964 accum.mul(ws[13], p[16]);
965 accum.mul(ws[14], p[15]);
966 accum.mul(ws[15], p[14]);
967 accum.mul(ws[16], p[13]);
968 accum.mul(ws[17], p[12]);
969 accum.mul(ws[18], p[11]);
970 accum.mul(ws[19], p[10]);
971 accum.mul(ws[20], p[9]);
972 accum.mul(ws[21], p[8]);
973 accum.mul(ws[22], p[7]);
974 accum.mul(ws[23], p[6]);
975 accum.add(z[29]);
976 ws[5] = accum.extract();
977 accum.mul(ws[7], p[23]);
978 accum.mul(ws[8], p[22]);
979 accum.mul(ws[9], p[21]);
980 accum.mul(ws[10], p[20]);
981 accum.mul(ws[11], p[19]);
982 accum.mul(ws[12], p[18]);
983 accum.mul(ws[13], p[17]);
984 accum.mul(ws[14], p[16]);
985 accum.mul(ws[15], p[15]);
986 accum.mul(ws[16], p[14]);
987 accum.mul(ws[17], p[13]);
988 accum.mul(ws[18], p[12]);
989 accum.mul(ws[19], p[11]);
990 accum.mul(ws[20], p[10]);
991 accum.mul(ws[21], p[9]);
992 accum.mul(ws[22], p[8]);
993 accum.mul(ws[23], p[7]);
994 accum.add(z[30]);
995 ws[6] = accum.extract();
996 accum.mul(ws[8], p[23]);
997 accum.mul(ws[9], p[22]);
998 accum.mul(ws[10], p[21]);
999 accum.mul(ws[11], p[20]);
1000 accum.mul(ws[12], p[19]);
1001 accum.mul(ws[13], p[18]);
1002 accum.mul(ws[14], p[17]);
1003 accum.mul(ws[15], p[16]);
1004 accum.mul(ws[16], p[15]);
1005 accum.mul(ws[17], p[14]);
1006 accum.mul(ws[18], p[13]);
1007 accum.mul(ws[19], p[12]);
1008 accum.mul(ws[20], p[11]);
1009 accum.mul(ws[21], p[10]);
1010 accum.mul(ws[22], p[9]);
1011 accum.mul(ws[23], p[8]);
1012 accum.add(z[31]);
1013 ws[7] = accum.extract();
1014 accum.mul(ws[9], p[23]);
1015 accum.mul(ws[10], p[22]);
1016 accum.mul(ws[11], p[21]);
1017 accum.mul(ws[12], p[20]);
1018 accum.mul(ws[13], p[19]);
1019 accum.mul(ws[14], p[18]);
1020 accum.mul(ws[15], p[17]);
1021 accum.mul(ws[16], p[16]);
1022 accum.mul(ws[17], p[15]);
1023 accum.mul(ws[18], p[14]);
1024 accum.mul(ws[19], p[13]);
1025 accum.mul(ws[20], p[12]);
1026 accum.mul(ws[21], p[11]);
1027 accum.mul(ws[22], p[10]);
1028 accum.mul(ws[23], p[9]);
1029 accum.add(z[32]);
1030 ws[8] = accum.extract();
1031 accum.mul(ws[10], p[23]);
1032 accum.mul(ws[11], p[22]);
1033 accum.mul(ws[12], p[21]);
1034 accum.mul(ws[13], p[20]);
1035 accum.mul(ws[14], p[19]);
1036 accum.mul(ws[15], p[18]);
1037 accum.mul(ws[16], p[17]);
1038 accum.mul(ws[17], p[16]);
1039 accum.mul(ws[18], p[15]);
1040 accum.mul(ws[19], p[14]);
1041 accum.mul(ws[20], p[13]);
1042 accum.mul(ws[21], p[12]);
1043 accum.mul(ws[22], p[11]);
1044 accum.mul(ws[23], p[10]);
1045 accum.add(z[33]);
1046 ws[9] = accum.extract();
1047 accum.mul(ws[11], p[23]);
1048 accum.mul(ws[12], p[22]);
1049 accum.mul(ws[13], p[21]);
1050 accum.mul(ws[14], p[20]);
1051 accum.mul(ws[15], p[19]);
1052 accum.mul(ws[16], p[18]);
1053 accum.mul(ws[17], p[17]);
1054 accum.mul(ws[18], p[16]);
1055 accum.mul(ws[19], p[15]);
1056 accum.mul(ws[20], p[14]);
1057 accum.mul(ws[21], p[13]);
1058 accum.mul(ws[22], p[12]);
1059 accum.mul(ws[23], p[11]);
1060 accum.add(z[34]);
1061 ws[10] = accum.extract();
1062 accum.mul(ws[12], p[23]);
1063 accum.mul(ws[13], p[22]);
1064 accum.mul(ws[14], p[21]);
1065 accum.mul(ws[15], p[20]);
1066 accum.mul(ws[16], p[19]);
1067 accum.mul(ws[17], p[18]);
1068 accum.mul(ws[18], p[17]);
1069 accum.mul(ws[19], p[16]);
1070 accum.mul(ws[20], p[15]);
1071 accum.mul(ws[21], p[14]);
1072 accum.mul(ws[22], p[13]);
1073 accum.mul(ws[23], p[12]);
1074 accum.add(z[35]);
1075 ws[11] = accum.extract();
1076 accum.mul(ws[13], p[23]);
1077 accum.mul(ws[14], p[22]);
1078 accum.mul(ws[15], p[21]);
1079 accum.mul(ws[16], p[20]);
1080 accum.mul(ws[17], p[19]);
1081 accum.mul(ws[18], p[18]);
1082 accum.mul(ws[19], p[17]);
1083 accum.mul(ws[20], p[16]);
1084 accum.mul(ws[21], p[15]);
1085 accum.mul(ws[22], p[14]);
1086 accum.mul(ws[23], p[13]);
1087 accum.add(z[36]);
1088 ws[12] = accum.extract();
1089 accum.mul(ws[14], p[23]);
1090 accum.mul(ws[15], p[22]);
1091 accum.mul(ws[16], p[21]);
1092 accum.mul(ws[17], p[20]);
1093 accum.mul(ws[18], p[19]);
1094 accum.mul(ws[19], p[18]);
1095 accum.mul(ws[20], p[17]);
1096 accum.mul(ws[21], p[16]);
1097 accum.mul(ws[22], p[15]);
1098 accum.mul(ws[23], p[14]);
1099 accum.add(z[37]);
1100 ws[13] = accum.extract();
1101 accum.mul(ws[15], p[23]);
1102 accum.mul(ws[16], p[22]);
1103 accum.mul(ws[17], p[21]);
1104 accum.mul(ws[18], p[20]);
1105 accum.mul(ws[19], p[19]);
1106 accum.mul(ws[20], p[18]);
1107 accum.mul(ws[21], p[17]);
1108 accum.mul(ws[22], p[16]);
1109 accum.mul(ws[23], p[15]);
1110 accum.add(z[38]);
1111 ws[14] = accum.extract();
1112 accum.mul(ws[16], p[23]);
1113 accum.mul(ws[17], p[22]);
1114 accum.mul(ws[18], p[21]);
1115 accum.mul(ws[19], p[20]);
1116 accum.mul(ws[20], p[19]);
1117 accum.mul(ws[21], p[18]);
1118 accum.mul(ws[22], p[17]);
1119 accum.mul(ws[23], p[16]);
1120 accum.add(z[39]);
1121 ws[15] = accum.extract();
1122 accum.mul(ws[17], p[23]);
1123 accum.mul(ws[18], p[22]);
1124 accum.mul(ws[19], p[21]);
1125 accum.mul(ws[20], p[20]);
1126 accum.mul(ws[21], p[19]);
1127 accum.mul(ws[22], p[18]);
1128 accum.mul(ws[23], p[17]);
1129 accum.add(z[40]);
1130 ws[16] = accum.extract();
1131 accum.mul(ws[18], p[23]);
1132 accum.mul(ws[19], p[22]);
1133 accum.mul(ws[20], p[21]);
1134 accum.mul(ws[21], p[20]);
1135 accum.mul(ws[22], p[19]);
1136 accum.mul(ws[23], p[18]);
1137 accum.add(z[41]);
1138 ws[17] = accum.extract();
1139 accum.mul(ws[19], p[23]);
1140 accum.mul(ws[20], p[22]);
1141 accum.mul(ws[21], p[21]);
1142 accum.mul(ws[22], p[20]);
1143 accum.mul(ws[23], p[19]);
1144 accum.add(z[42]);
1145 ws[18] = accum.extract();
1146 accum.mul(ws[20], p[23]);
1147 accum.mul(ws[21], p[22]);
1148 accum.mul(ws[22], p[21]);
1149 accum.mul(ws[23], p[20]);
1150 accum.add(z[43]);
1151 ws[19] = accum.extract();
1152 accum.mul(ws[21], p[23]);
1153 accum.mul(ws[22], p[22]);
1154 accum.mul(ws[23], p[21]);
1155 accum.add(z[44]);
1156 ws[20] = accum.extract();
1157 accum.mul(ws[22], p[23]);
1158 accum.mul(ws[23], p[22]);
1159 accum.add(z[45]);
1160 ws[21] = accum.extract();
1161 accum.mul(ws[23], p[23]);
1162 accum.add(z[46]);
1163 ws[22] = accum.extract();
1164 accum.add(z[47]);
1165 ws[23] = accum.extract();
1166 word w1 = accum.extract();
1167 bigint_monty_maybe_sub<24>(z, w1, ws, p);
1168 clear_mem(z + 24, 24);
1169}
References Botan::word3< W >::add(), bigint_monty_maybe_sub(), clear_mem(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().
Referenced by bigint_monty_redc().
◆ bigint_monty_redc_32()
| void Botan::bigint_monty_redc_32 | ( | word | z[64], |
| const word | p[32], | ||
| word | p_dash, | ||
| word | ws[] ) |
Definition at line 1171 of file mp_monty_n.cpp.
1171 {
1172 word3<word> accum;
1173 accum.add(z[0]);
1174 ws[0] = accum.monty_step(p[0], p_dash);
1175 accum.mul(ws[0], p[1]);
1176 accum.add(z[1]);
1177 ws[1] = accum.monty_step(p[0], p_dash);
1178 accum.mul(ws[0], p[2]);
1179 accum.mul(ws[1], p[1]);
1180 accum.add(z[2]);
1181 ws[2] = accum.monty_step(p[0], p_dash);
1182 accum.mul(ws[0], p[3]);
1183 accum.mul(ws[1], p[2]);
1184 accum.mul(ws[2], p[1]);
1185 accum.add(z[3]);
1186 ws[3] = accum.monty_step(p[0], p_dash);
1187 accum.mul(ws[0], p[4]);
1188 accum.mul(ws[1], p[3]);
1189 accum.mul(ws[2], p[2]);
1190 accum.mul(ws[3], p[1]);
1191 accum.add(z[4]);
1192 ws[4] = accum.monty_step(p[0], p_dash);
1193 accum.mul(ws[0], p[5]);
1194 accum.mul(ws[1], p[4]);
1195 accum.mul(ws[2], p[3]);
1196 accum.mul(ws[3], p[2]);
1197 accum.mul(ws[4], p[1]);
1198 accum.add(z[5]);
1199 ws[5] = accum.monty_step(p[0], p_dash);
1200 accum.mul(ws[0], p[6]);
1201 accum.mul(ws[1], p[5]);
1202 accum.mul(ws[2], p[4]);
1203 accum.mul(ws[3], p[3]);
1204 accum.mul(ws[4], p[2]);
1205 accum.mul(ws[5], p[1]);
1206 accum.add(z[6]);
1207 ws[6] = accum.monty_step(p[0], p_dash);
1208 accum.mul(ws[0], p[7]);
1209 accum.mul(ws[1], p[6]);
1210 accum.mul(ws[2], p[5]);
1211 accum.mul(ws[3], p[4]);
1212 accum.mul(ws[4], p[3]);
1213 accum.mul(ws[5], p[2]);
1214 accum.mul(ws[6], p[1]);
1215 accum.add(z[7]);
1216 ws[7] = accum.monty_step(p[0], p_dash);
1217 accum.mul(ws[0], p[8]);
1218 accum.mul(ws[1], p[7]);
1219 accum.mul(ws[2], p[6]);
1220 accum.mul(ws[3], p[5]);
1221 accum.mul(ws[4], p[4]);
1222 accum.mul(ws[5], p[3]);
1223 accum.mul(ws[6], p[2]);
1224 accum.mul(ws[7], p[1]);
1225 accum.add(z[8]);
1226 ws[8] = accum.monty_step(p[0], p_dash);
1227 accum.mul(ws[0], p[9]);
1228 accum.mul(ws[1], p[8]);
1229 accum.mul(ws[2], p[7]);
1230 accum.mul(ws[3], p[6]);
1231 accum.mul(ws[4], p[5]);
1232 accum.mul(ws[5], p[4]);
1233 accum.mul(ws[6], p[3]);
1234 accum.mul(ws[7], p[2]);
1235 accum.mul(ws[8], p[1]);
1236 accum.add(z[9]);
1237 ws[9] = accum.monty_step(p[0], p_dash);
1238 accum.mul(ws[0], p[10]);
1239 accum.mul(ws[1], p[9]);
1240 accum.mul(ws[2], p[8]);
1241 accum.mul(ws[3], p[7]);
1242 accum.mul(ws[4], p[6]);
1243 accum.mul(ws[5], p[5]);
1244 accum.mul(ws[6], p[4]);
1245 accum.mul(ws[7], p[3]);
1246 accum.mul(ws[8], p[2]);
1247 accum.mul(ws[9], p[1]);
1248 accum.add(z[10]);
1249 ws[10] = accum.monty_step(p[0], p_dash);
1250 accum.mul(ws[0], p[11]);
1251 accum.mul(ws[1], p[10]);
1252 accum.mul(ws[2], p[9]);
1253 accum.mul(ws[3], p[8]);
1254 accum.mul(ws[4], p[7]);
1255 accum.mul(ws[5], p[6]);
1256 accum.mul(ws[6], p[5]);
1257 accum.mul(ws[7], p[4]);
1258 accum.mul(ws[8], p[3]);
1259 accum.mul(ws[9], p[2]);
1260 accum.mul(ws[10], p[1]);
1261 accum.add(z[11]);
1262 ws[11] = accum.monty_step(p[0], p_dash);
1263 accum.mul(ws[0], p[12]);
1264 accum.mul(ws[1], p[11]);
1265 accum.mul(ws[2], p[10]);
1266 accum.mul(ws[3], p[9]);
1267 accum.mul(ws[4], p[8]);
1268 accum.mul(ws[5], p[7]);
1269 accum.mul(ws[6], p[6]);
1270 accum.mul(ws[7], p[5]);
1271 accum.mul(ws[8], p[4]);
1272 accum.mul(ws[9], p[3]);
1273 accum.mul(ws[10], p[2]);
1274 accum.mul(ws[11], p[1]);
1275 accum.add(z[12]);
1276 ws[12] = accum.monty_step(p[0], p_dash);
1277 accum.mul(ws[0], p[13]);
1278 accum.mul(ws[1], p[12]);
1279 accum.mul(ws[2], p[11]);
1280 accum.mul(ws[3], p[10]);
1281 accum.mul(ws[4], p[9]);
1282 accum.mul(ws[5], p[8]);
1283 accum.mul(ws[6], p[7]);
1284 accum.mul(ws[7], p[6]);
1285 accum.mul(ws[8], p[5]);
1286 accum.mul(ws[9], p[4]);
1287 accum.mul(ws[10], p[3]);
1288 accum.mul(ws[11], p[2]);
1289 accum.mul(ws[12], p[1]);
1290 accum.add(z[13]);
1291 ws[13] = accum.monty_step(p[0], p_dash);
1292 accum.mul(ws[0], p[14]);
1293 accum.mul(ws[1], p[13]);
1294 accum.mul(ws[2], p[12]);
1295 accum.mul(ws[3], p[11]);
1296 accum.mul(ws[4], p[10]);
1297 accum.mul(ws[5], p[9]);
1298 accum.mul(ws[6], p[8]);
1299 accum.mul(ws[7], p[7]);
1300 accum.mul(ws[8], p[6]);
1301 accum.mul(ws[9], p[5]);
1302 accum.mul(ws[10], p[4]);
1303 accum.mul(ws[11], p[3]);
1304 accum.mul(ws[12], p[2]);
1305 accum.mul(ws[13], p[1]);
1306 accum.add(z[14]);
1307 ws[14] = accum.monty_step(p[0], p_dash);
1308 accum.mul(ws[0], p[15]);
1309 accum.mul(ws[1], p[14]);
1310 accum.mul(ws[2], p[13]);
1311 accum.mul(ws[3], p[12]);
1312 accum.mul(ws[4], p[11]);
1313 accum.mul(ws[5], p[10]);
1314 accum.mul(ws[6], p[9]);
1315 accum.mul(ws[7], p[8]);
1316 accum.mul(ws[8], p[7]);
1317 accum.mul(ws[9], p[6]);
1318 accum.mul(ws[10], p[5]);
1319 accum.mul(ws[11], p[4]);
1320 accum.mul(ws[12], p[3]);
1321 accum.mul(ws[13], p[2]);
1322 accum.mul(ws[14], p[1]);
1323 accum.add(z[15]);
1324 ws[15] = accum.monty_step(p[0], p_dash);
1325 accum.mul(ws[0], p[16]);
1326 accum.mul(ws[1], p[15]);
1327 accum.mul(ws[2], p[14]);
1328 accum.mul(ws[3], p[13]);
1329 accum.mul(ws[4], p[12]);
1330 accum.mul(ws[5], p[11]);
1331 accum.mul(ws[6], p[10]);
1332 accum.mul(ws[7], p[9]);
1333 accum.mul(ws[8], p[8]);
1334 accum.mul(ws[9], p[7]);
1335 accum.mul(ws[10], p[6]);
1336 accum.mul(ws[11], p[5]);
1337 accum.mul(ws[12], p[4]);
1338 accum.mul(ws[13], p[3]);
1339 accum.mul(ws[14], p[2]);
1340 accum.mul(ws[15], p[1]);
1341 accum.add(z[16]);
1342 ws[16] = accum.monty_step(p[0], p_dash);
1343 accum.mul(ws[0], p[17]);
1344 accum.mul(ws[1], p[16]);
1345 accum.mul(ws[2], p[15]);
1346 accum.mul(ws[3], p[14]);
1347 accum.mul(ws[4], p[13]);
1348 accum.mul(ws[5], p[12]);
1349 accum.mul(ws[6], p[11]);
1350 accum.mul(ws[7], p[10]);
1351 accum.mul(ws[8], p[9]);
1352 accum.mul(ws[9], p[8]);
1353 accum.mul(ws[10], p[7]);
1354 accum.mul(ws[11], p[6]);
1355 accum.mul(ws[12], p[5]);
1356 accum.mul(ws[13], p[4]);
1357 accum.mul(ws[14], p[3]);
1358 accum.mul(ws[15], p[2]);
1359 accum.mul(ws[16], p[1]);
1360 accum.add(z[17]);
1361 ws[17] = accum.monty_step(p[0], p_dash);
1362 accum.mul(ws[0], p[18]);
1363 accum.mul(ws[1], p[17]);
1364 accum.mul(ws[2], p[16]);
1365 accum.mul(ws[3], p[15]);
1366 accum.mul(ws[4], p[14]);
1367 accum.mul(ws[5], p[13]);
1368 accum.mul(ws[6], p[12]);
1369 accum.mul(ws[7], p[11]);
1370 accum.mul(ws[8], p[10]);
1371 accum.mul(ws[9], p[9]);
1372 accum.mul(ws[10], p[8]);
1373 accum.mul(ws[11], p[7]);
1374 accum.mul(ws[12], p[6]);
1375 accum.mul(ws[13], p[5]);
1376 accum.mul(ws[14], p[4]);
1377 accum.mul(ws[15], p[3]);
1378 accum.mul(ws[16], p[2]);
1379 accum.mul(ws[17], p[1]);
1380 accum.add(z[18]);
1381 ws[18] = accum.monty_step(p[0], p_dash);
1382 accum.mul(ws[0], p[19]);
1383 accum.mul(ws[1], p[18]);
1384 accum.mul(ws[2], p[17]);
1385 accum.mul(ws[3], p[16]);
1386 accum.mul(ws[4], p[15]);
1387 accum.mul(ws[5], p[14]);
1388 accum.mul(ws[6], p[13]);
1389 accum.mul(ws[7], p[12]);
1390 accum.mul(ws[8], p[11]);
1391 accum.mul(ws[9], p[10]);
1392 accum.mul(ws[10], p[9]);
1393 accum.mul(ws[11], p[8]);
1394 accum.mul(ws[12], p[7]);
1395 accum.mul(ws[13], p[6]);
1396 accum.mul(ws[14], p[5]);
1397 accum.mul(ws[15], p[4]);
1398 accum.mul(ws[16], p[3]);
1399 accum.mul(ws[17], p[2]);
1400 accum.mul(ws[18], p[1]);
1401 accum.add(z[19]);
1402 ws[19] = accum.monty_step(p[0], p_dash);
1403 accum.mul(ws[0], p[20]);
1404 accum.mul(ws[1], p[19]);
1405 accum.mul(ws[2], p[18]);
1406 accum.mul(ws[3], p[17]);
1407 accum.mul(ws[4], p[16]);
1408 accum.mul(ws[5], p[15]);
1409 accum.mul(ws[6], p[14]);
1410 accum.mul(ws[7], p[13]);
1411 accum.mul(ws[8], p[12]);
1412 accum.mul(ws[9], p[11]);
1413 accum.mul(ws[10], p[10]);
1414 accum.mul(ws[11], p[9]);
1415 accum.mul(ws[12], p[8]);
1416 accum.mul(ws[13], p[7]);
1417 accum.mul(ws[14], p[6]);
1418 accum.mul(ws[15], p[5]);
1419 accum.mul(ws[16], p[4]);
1420 accum.mul(ws[17], p[3]);
1421 accum.mul(ws[18], p[2]);
1422 accum.mul(ws[19], p[1]);
1423 accum.add(z[20]);
1424 ws[20] = accum.monty_step(p[0], p_dash);
1425 accum.mul(ws[0], p[21]);
1426 accum.mul(ws[1], p[20]);
1427 accum.mul(ws[2], p[19]);
1428 accum.mul(ws[3], p[18]);
1429 accum.mul(ws[4], p[17]);
1430 accum.mul(ws[5], p[16]);
1431 accum.mul(ws[6], p[15]);
1432 accum.mul(ws[7], p[14]);
1433 accum.mul(ws[8], p[13]);
1434 accum.mul(ws[9], p[12]);
1435 accum.mul(ws[10], p[11]);
1436 accum.mul(ws[11], p[10]);
1437 accum.mul(ws[12], p[9]);
1438 accum.mul(ws[13], p[8]);
1439 accum.mul(ws[14], p[7]);
1440 accum.mul(ws[15], p[6]);
1441 accum.mul(ws[16], p[5]);
1442 accum.mul(ws[17], p[4]);
1443 accum.mul(ws[18], p[3]);
1444 accum.mul(ws[19], p[2]);
1445 accum.mul(ws[20], p[1]);
1446 accum.add(z[21]);
1447 ws[21] = accum.monty_step(p[0], p_dash);
1448 accum.mul(ws[0], p[22]);
1449 accum.mul(ws[1], p[21]);
1450 accum.mul(ws[2], p[20]);
1451 accum.mul(ws[3], p[19]);
1452 accum.mul(ws[4], p[18]);
1453 accum.mul(ws[5], p[17]);
1454 accum.mul(ws[6], p[16]);
1455 accum.mul(ws[7], p[15]);
1456 accum.mul(ws[8], p[14]);
1457 accum.mul(ws[9], p[13]);
1458 accum.mul(ws[10], p[12]);
1459 accum.mul(ws[11], p[11]);
1460 accum.mul(ws[12], p[10]);
1461 accum.mul(ws[13], p[9]);
1462 accum.mul(ws[14], p[8]);
1463 accum.mul(ws[15], p[7]);
1464 accum.mul(ws[16], p[6]);
1465 accum.mul(ws[17], p[5]);
1466 accum.mul(ws[18], p[4]);
1467 accum.mul(ws[19], p[3]);
1468 accum.mul(ws[20], p[2]);
1469 accum.mul(ws[21], p[1]);
1470 accum.add(z[22]);
1471 ws[22] = accum.monty_step(p[0], p_dash);
1472 accum.mul(ws[0], p[23]);
1473 accum.mul(ws[1], p[22]);
1474 accum.mul(ws[2], p[21]);
1475 accum.mul(ws[3], p[20]);
1476 accum.mul(ws[4], p[19]);
1477 accum.mul(ws[5], p[18]);
1478 accum.mul(ws[6], p[17]);
1479 accum.mul(ws[7], p[16]);
1480 accum.mul(ws[8], p[15]);
1481 accum.mul(ws[9], p[14]);
1482 accum.mul(ws[10], p[13]);
1483 accum.mul(ws[11], p[12]);
1484 accum.mul(ws[12], p[11]);
1485 accum.mul(ws[13], p[10]);
1486 accum.mul(ws[14], p[9]);
1487 accum.mul(ws[15], p[8]);
1488 accum.mul(ws[16], p[7]);
1489 accum.mul(ws[17], p[6]);
1490 accum.mul(ws[18], p[5]);
1491 accum.mul(ws[19], p[4]);
1492 accum.mul(ws[20], p[3]);
1493 accum.mul(ws[21], p[2]);
1494 accum.mul(ws[22], p[1]);
1495 accum.add(z[23]);
1496 ws[23] = accum.monty_step(p[0], p_dash);
1497 accum.mul(ws[0], p[24]);
1498 accum.mul(ws[1], p[23]);
1499 accum.mul(ws[2], p[22]);
1500 accum.mul(ws[3], p[21]);
1501 accum.mul(ws[4], p[20]);
1502 accum.mul(ws[5], p[19]);
1503 accum.mul(ws[6], p[18]);
1504 accum.mul(ws[7], p[17]);
1505 accum.mul(ws[8], p[16]);
1506 accum.mul(ws[9], p[15]);
1507 accum.mul(ws[10], p[14]);
1508 accum.mul(ws[11], p[13]);
1509 accum.mul(ws[12], p[12]);
1510 accum.mul(ws[13], p[11]);
1511 accum.mul(ws[14], p[10]);
1512 accum.mul(ws[15], p[9]);
1513 accum.mul(ws[16], p[8]);
1514 accum.mul(ws[17], p[7]);
1515 accum.mul(ws[18], p[6]);
1516 accum.mul(ws[19], p[5]);
1517 accum.mul(ws[20], p[4]);
1518 accum.mul(ws[21], p[3]);
1519 accum.mul(ws[22], p[2]);
1520 accum.mul(ws[23], p[1]);
1521 accum.add(z[24]);
1522 ws[24] = accum.monty_step(p[0], p_dash);
1523 accum.mul(ws[0], p[25]);
1524 accum.mul(ws[1], p[24]);
1525 accum.mul(ws[2], p[23]);
1526 accum.mul(ws[3], p[22]);
1527 accum.mul(ws[4], p[21]);
1528 accum.mul(ws[5], p[20]);
1529 accum.mul(ws[6], p[19]);
1530 accum.mul(ws[7], p[18]);
1531 accum.mul(ws[8], p[17]);
1532 accum.mul(ws[9], p[16]);
1533 accum.mul(ws[10], p[15]);
1534 accum.mul(ws[11], p[14]);
1535 accum.mul(ws[12], p[13]);
1536 accum.mul(ws[13], p[12]);
1537 accum.mul(ws[14], p[11]);
1538 accum.mul(ws[15], p[10]);
1539 accum.mul(ws[16], p[9]);
1540 accum.mul(ws[17], p[8]);
1541 accum.mul(ws[18], p[7]);
1542 accum.mul(ws[19], p[6]);
1543 accum.mul(ws[20], p[5]);
1544 accum.mul(ws[21], p[4]);
1545 accum.mul(ws[22], p[3]);
1546 accum.mul(ws[23], p[2]);
1547 accum.mul(ws[24], p[1]);
1548 accum.add(z[25]);
1549 ws[25] = accum.monty_step(p[0], p_dash);
1550 accum.mul(ws[0], p[26]);
1551 accum.mul(ws[1], p[25]);
1552 accum.mul(ws[2], p[24]);
1553 accum.mul(ws[3], p[23]);
1554 accum.mul(ws[4], p[22]);
1555 accum.mul(ws[5], p[21]);
1556 accum.mul(ws[6], p[20]);
1557 accum.mul(ws[7], p[19]);
1558 accum.mul(ws[8], p[18]);
1559 accum.mul(ws[9], p[17]);
1560 accum.mul(ws[10], p[16]);
1561 accum.mul(ws[11], p[15]);
1562 accum.mul(ws[12], p[14]);
1563 accum.mul(ws[13], p[13]);
1564 accum.mul(ws[14], p[12]);
1565 accum.mul(ws[15], p[11]);
1566 accum.mul(ws[16], p[10]);
1567 accum.mul(ws[17], p[9]);
1568 accum.mul(ws[18], p[8]);
1569 accum.mul(ws[19], p[7]);
1570 accum.mul(ws[20], p[6]);
1571 accum.mul(ws[21], p[5]);
1572 accum.mul(ws[22], p[4]);
1573 accum.mul(ws[23], p[3]);
1574 accum.mul(ws[24], p[2]);
1575 accum.mul(ws[25], p[1]);
1576 accum.add(z[26]);
1577 ws[26] = accum.monty_step(p[0], p_dash);
1578 accum.mul(ws[0], p[27]);
1579 accum.mul(ws[1], p[26]);
1580 accum.mul(ws[2], p[25]);
1581 accum.mul(ws[3], p[24]);
1582 accum.mul(ws[4], p[23]);
1583 accum.mul(ws[5], p[22]);
1584 accum.mul(ws[6], p[21]);
1585 accum.mul(ws[7], p[20]);
1586 accum.mul(ws[8], p[19]);
1587 accum.mul(ws[9], p[18]);
1588 accum.mul(ws[10], p[17]);
1589 accum.mul(ws[11], p[16]);
1590 accum.mul(ws[12], p[15]);
1591 accum.mul(ws[13], p[14]);
1592 accum.mul(ws[14], p[13]);
1593 accum.mul(ws[15], p[12]);
1594 accum.mul(ws[16], p[11]);
1595 accum.mul(ws[17], p[10]);
1596 accum.mul(ws[18], p[9]);
1597 accum.mul(ws[19], p[8]);
1598 accum.mul(ws[20], p[7]);
1599 accum.mul(ws[21], p[6]);
1600 accum.mul(ws[22], p[5]);
1601 accum.mul(ws[23], p[4]);
1602 accum.mul(ws[24], p[3]);
1603 accum.mul(ws[25], p[2]);
1604 accum.mul(ws[26], p[1]);
1605 accum.add(z[27]);
1606 ws[27] = accum.monty_step(p[0], p_dash);
1607 accum.mul(ws[0], p[28]);
1608 accum.mul(ws[1], p[27]);
1609 accum.mul(ws[2], p[26]);
1610 accum.mul(ws[3], p[25]);
1611 accum.mul(ws[4], p[24]);
1612 accum.mul(ws[5], p[23]);
1613 accum.mul(ws[6], p[22]);
1614 accum.mul(ws[7], p[21]);
1615 accum.mul(ws[8], p[20]);
1616 accum.mul(ws[9], p[19]);
1617 accum.mul(ws[10], p[18]);
1618 accum.mul(ws[11], p[17]);
1619 accum.mul(ws[12], p[16]);
1620 accum.mul(ws[13], p[15]);
1621 accum.mul(ws[14], p[14]);
1622 accum.mul(ws[15], p[13]);
1623 accum.mul(ws[16], p[12]);
1624 accum.mul(ws[17], p[11]);
1625 accum.mul(ws[18], p[10]);
1626 accum.mul(ws[19], p[9]);
1627 accum.mul(ws[20], p[8]);
1628 accum.mul(ws[21], p[7]);
1629 accum.mul(ws[22], p[6]);
1630 accum.mul(ws[23], p[5]);
1631 accum.mul(ws[24], p[4]);
1632 accum.mul(ws[25], p[3]);
1633 accum.mul(ws[26], p[2]);
1634 accum.mul(ws[27], p[1]);
1635 accum.add(z[28]);
1636 ws[28] = accum.monty_step(p[0], p_dash);
1637 accum.mul(ws[0], p[29]);
1638 accum.mul(ws[1], p[28]);
1639 accum.mul(ws[2], p[27]);
1640 accum.mul(ws[3], p[26]);
1641 accum.mul(ws[4], p[25]);
1642 accum.mul(ws[5], p[24]);
1643 accum.mul(ws[6], p[23]);
1644 accum.mul(ws[7], p[22]);
1645 accum.mul(ws[8], p[21]);
1646 accum.mul(ws[9], p[20]);
1647 accum.mul(ws[10], p[19]);
1648 accum.mul(ws[11], p[18]);
1649 accum.mul(ws[12], p[17]);
1650 accum.mul(ws[13], p[16]);
1651 accum.mul(ws[14], p[15]);
1652 accum.mul(ws[15], p[14]);
1653 accum.mul(ws[16], p[13]);
1654 accum.mul(ws[17], p[12]);
1655 accum.mul(ws[18], p[11]);
1656 accum.mul(ws[19], p[10]);
1657 accum.mul(ws[20], p[9]);
1658 accum.mul(ws[21], p[8]);
1659 accum.mul(ws[22], p[7]);
1660 accum.mul(ws[23], p[6]);
1661 accum.mul(ws[24], p[5]);
1662 accum.mul(ws[25], p[4]);
1663 accum.mul(ws[26], p[3]);
1664 accum.mul(ws[27], p[2]);
1665 accum.mul(ws[28], p[1]);
1666 accum.add(z[29]);
1667 ws[29] = accum.monty_step(p[0], p_dash);
1668 accum.mul(ws[0], p[30]);
1669 accum.mul(ws[1], p[29]);
1670 accum.mul(ws[2], p[28]);
1671 accum.mul(ws[3], p[27]);
1672 accum.mul(ws[4], p[26]);
1673 accum.mul(ws[5], p[25]);
1674 accum.mul(ws[6], p[24]);
1675 accum.mul(ws[7], p[23]);
1676 accum.mul(ws[8], p[22]);
1677 accum.mul(ws[9], p[21]);
1678 accum.mul(ws[10], p[20]);
1679 accum.mul(ws[11], p[19]);
1680 accum.mul(ws[12], p[18]);
1681 accum.mul(ws[13], p[17]);
1682 accum.mul(ws[14], p[16]);
1683 accum.mul(ws[15], p[15]);
1684 accum.mul(ws[16], p[14]);
1685 accum.mul(ws[17], p[13]);
1686 accum.mul(ws[18], p[12]);
1687 accum.mul(ws[19], p[11]);
1688 accum.mul(ws[20], p[10]);
1689 accum.mul(ws[21], p[9]);
1690 accum.mul(ws[22], p[8]);
1691 accum.mul(ws[23], p[7]);
1692 accum.mul(ws[24], p[6]);
1693 accum.mul(ws[25], p[5]);
1694 accum.mul(ws[26], p[4]);
1695 accum.mul(ws[27], p[3]);
1696 accum.mul(ws[28], p[2]);
1697 accum.mul(ws[29], p[1]);
1698 accum.add(z[30]);
1699 ws[30] = accum.monty_step(p[0], p_dash);
1700 accum.mul(ws[0], p[31]);
1701 accum.mul(ws[1], p[30]);
1702 accum.mul(ws[2], p[29]);
1703 accum.mul(ws[3], p[28]);
1704 accum.mul(ws[4], p[27]);
1705 accum.mul(ws[5], p[26]);
1706 accum.mul(ws[6], p[25]);
1707 accum.mul(ws[7], p[24]);
1708 accum.mul(ws[8], p[23]);
1709 accum.mul(ws[9], p[22]);
1710 accum.mul(ws[10], p[21]);
1711 accum.mul(ws[11], p[20]);
1712 accum.mul(ws[12], p[19]);
1713 accum.mul(ws[13], p[18]);
1714 accum.mul(ws[14], p[17]);
1715 accum.mul(ws[15], p[16]);
1716 accum.mul(ws[16], p[15]);
1717 accum.mul(ws[17], p[14]);
1718 accum.mul(ws[18], p[13]);
1719 accum.mul(ws[19], p[12]);
1720 accum.mul(ws[20], p[11]);
1721 accum.mul(ws[21], p[10]);
1722 accum.mul(ws[22], p[9]);
1723 accum.mul(ws[23], p[8]);
1724 accum.mul(ws[24], p[7]);
1725 accum.mul(ws[25], p[6]);
1726 accum.mul(ws[26], p[5]);
1727 accum.mul(ws[27], p[4]);
1728 accum.mul(ws[28], p[3]);
1729 accum.mul(ws[29], p[2]);
1730 accum.mul(ws[30], p[1]);
1731 accum.add(z[31]);
1732 ws[31] = accum.monty_step(p[0], p_dash);
1733 accum.mul(ws[1], p[31]);
1734 accum.mul(ws[2], p[30]);
1735 accum.mul(ws[3], p[29]);
1736 accum.mul(ws[4], p[28]);
1737 accum.mul(ws[5], p[27]);
1738 accum.mul(ws[6], p[26]);
1739 accum.mul(ws[7], p[25]);
1740 accum.mul(ws[8], p[24]);
1741 accum.mul(ws[9], p[23]);
1742 accum.mul(ws[10], p[22]);
1743 accum.mul(ws[11], p[21]);
1744 accum.mul(ws[12], p[20]);
1745 accum.mul(ws[13], p[19]);
1746 accum.mul(ws[14], p[18]);
1747 accum.mul(ws[15], p[17]);
1748 accum.mul(ws[16], p[16]);
1749 accum.mul(ws[17], p[15]);
1750 accum.mul(ws[18], p[14]);
1751 accum.mul(ws[19], p[13]);
1752 accum.mul(ws[20], p[12]);
1753 accum.mul(ws[21], p[11]);
1754 accum.mul(ws[22], p[10]);
1755 accum.mul(ws[23], p[9]);
1756 accum.mul(ws[24], p[8]);
1757 accum.mul(ws[25], p[7]);
1758 accum.mul(ws[26], p[6]);
1759 accum.mul(ws[27], p[5]);
1760 accum.mul(ws[28], p[4]);
1761 accum.mul(ws[29], p[3]);
1762 accum.mul(ws[30], p[2]);
1763 accum.mul(ws[31], p[1]);
1764 accum.add(z[32]);
1765 ws[0] = accum.extract();
1766 accum.mul(ws[2], p[31]);
1767 accum.mul(ws[3], p[30]);
1768 accum.mul(ws[4], p[29]);
1769 accum.mul(ws[5], p[28]);
1770 accum.mul(ws[6], p[27]);
1771 accum.mul(ws[7], p[26]);
1772 accum.mul(ws[8], p[25]);
1773 accum.mul(ws[9], p[24]);
1774 accum.mul(ws[10], p[23]);
1775 accum.mul(ws[11], p[22]);
1776 accum.mul(ws[12], p[21]);
1777 accum.mul(ws[13], p[20]);
1778 accum.mul(ws[14], p[19]);
1779 accum.mul(ws[15], p[18]);
1780 accum.mul(ws[16], p[17]);
1781 accum.mul(ws[17], p[16]);
1782 accum.mul(ws[18], p[15]);
1783 accum.mul(ws[19], p[14]);
1784 accum.mul(ws[20], p[13]);
1785 accum.mul(ws[21], p[12]);
1786 accum.mul(ws[22], p[11]);
1787 accum.mul(ws[23], p[10]);
1788 accum.mul(ws[24], p[9]);
1789 accum.mul(ws[25], p[8]);
1790 accum.mul(ws[26], p[7]);
1791 accum.mul(ws[27], p[6]);
1792 accum.mul(ws[28], p[5]);
1793 accum.mul(ws[29], p[4]);
1794 accum.mul(ws[30], p[3]);
1795 accum.mul(ws[31], p[2]);
1796 accum.add(z[33]);
1797 ws[1] = accum.extract();
1798 accum.mul(ws[3], p[31]);
1799 accum.mul(ws[4], p[30]);
1800 accum.mul(ws[5], p[29]);
1801 accum.mul(ws[6], p[28]);
1802 accum.mul(ws[7], p[27]);
1803 accum.mul(ws[8], p[26]);
1804 accum.mul(ws[9], p[25]);
1805 accum.mul(ws[10], p[24]);
1806 accum.mul(ws[11], p[23]);
1807 accum.mul(ws[12], p[22]);
1808 accum.mul(ws[13], p[21]);
1809 accum.mul(ws[14], p[20]);
1810 accum.mul(ws[15], p[19]);
1811 accum.mul(ws[16], p[18]);
1812 accum.mul(ws[17], p[17]);
1813 accum.mul(ws[18], p[16]);
1814 accum.mul(ws[19], p[15]);
1815 accum.mul(ws[20], p[14]);
1816 accum.mul(ws[21], p[13]);
1817 accum.mul(ws[22], p[12]);
1818 accum.mul(ws[23], p[11]);
1819 accum.mul(ws[24], p[10]);
1820 accum.mul(ws[25], p[9]);
1821 accum.mul(ws[26], p[8]);
1822 accum.mul(ws[27], p[7]);
1823 accum.mul(ws[28], p[6]);
1824 accum.mul(ws[29], p[5]);
1825 accum.mul(ws[30], p[4]);
1826 accum.mul(ws[31], p[3]);
1827 accum.add(z[34]);
1828 ws[2] = accum.extract();
1829 accum.mul(ws[4], p[31]);
1830 accum.mul(ws[5], p[30]);
1831 accum.mul(ws[6], p[29]);
1832 accum.mul(ws[7], p[28]);
1833 accum.mul(ws[8], p[27]);
1834 accum.mul(ws[9], p[26]);
1835 accum.mul(ws[10], p[25]);
1836 accum.mul(ws[11], p[24]);
1837 accum.mul(ws[12], p[23]);
1838 accum.mul(ws[13], p[22]);
1839 accum.mul(ws[14], p[21]);
1840 accum.mul(ws[15], p[20]);
1841 accum.mul(ws[16], p[19]);
1842 accum.mul(ws[17], p[18]);
1843 accum.mul(ws[18], p[17]);
1844 accum.mul(ws[19], p[16]);
1845 accum.mul(ws[20], p[15]);
1846 accum.mul(ws[21], p[14]);
1847 accum.mul(ws[22], p[13]);
1848 accum.mul(ws[23], p[12]);
1849 accum.mul(ws[24], p[11]);
1850 accum.mul(ws[25], p[10]);
1851 accum.mul(ws[26], p[9]);
1852 accum.mul(ws[27], p[8]);
1853 accum.mul(ws[28], p[7]);
1854 accum.mul(ws[29], p[6]);
1855 accum.mul(ws[30], p[5]);
1856 accum.mul(ws[31], p[4]);
1857 accum.add(z[35]);
1858 ws[3] = accum.extract();
1859 accum.mul(ws[5], p[31]);
1860 accum.mul(ws[6], p[30]);
1861 accum.mul(ws[7], p[29]);
1862 accum.mul(ws[8], p[28]);
1863 accum.mul(ws[9], p[27]);
1864 accum.mul(ws[10], p[26]);
1865 accum.mul(ws[11], p[25]);
1866 accum.mul(ws[12], p[24]);
1867 accum.mul(ws[13], p[23]);
1868 accum.mul(ws[14], p[22]);
1869 accum.mul(ws[15], p[21]);
1870 accum.mul(ws[16], p[20]);
1871 accum.mul(ws[17], p[19]);
1872 accum.mul(ws[18], p[18]);
1873 accum.mul(ws[19], p[17]);
1874 accum.mul(ws[20], p[16]);
1875 accum.mul(ws[21], p[15]);
1876 accum.mul(ws[22], p[14]);
1877 accum.mul(ws[23], p[13]);
1878 accum.mul(ws[24], p[12]);
1879 accum.mul(ws[25], p[11]);
1880 accum.mul(ws[26], p[10]);
1881 accum.mul(ws[27], p[9]);
1882 accum.mul(ws[28], p[8]);
1883 accum.mul(ws[29], p[7]);
1884 accum.mul(ws[30], p[6]);
1885 accum.mul(ws[31], p[5]);
1886 accum.add(z[36]);
1887 ws[4] = accum.extract();
1888 accum.mul(ws[6], p[31]);
1889 accum.mul(ws[7], p[30]);
1890 accum.mul(ws[8], p[29]);
1891 accum.mul(ws[9], p[28]);
1892 accum.mul(ws[10], p[27]);
1893 accum.mul(ws[11], p[26]);
1894 accum.mul(ws[12], p[25]);
1895 accum.mul(ws[13], p[24]);
1896 accum.mul(ws[14], p[23]);
1897 accum.mul(ws[15], p[22]);
1898 accum.mul(ws[16], p[21]);
1899 accum.mul(ws[17], p[20]);
1900 accum.mul(ws[18], p[19]);
1901 accum.mul(ws[19], p[18]);
1902 accum.mul(ws[20], p[17]);
1903 accum.mul(ws[21], p[16]);
1904 accum.mul(ws[22], p[15]);
1905 accum.mul(ws[23], p[14]);
1906 accum.mul(ws[24], p[13]);
1907 accum.mul(ws[25], p[12]);
1908 accum.mul(ws[26], p[11]);
1909 accum.mul(ws[27], p[10]);
1910 accum.mul(ws[28], p[9]);
1911 accum.mul(ws[29], p[8]);
1912 accum.mul(ws[30], p[7]);
1913 accum.mul(ws[31], p[6]);
1914 accum.add(z[37]);
1915 ws[5] = accum.extract();
1916 accum.mul(ws[7], p[31]);
1917 accum.mul(ws[8], p[30]);
1918 accum.mul(ws[9], p[29]);
1919 accum.mul(ws[10], p[28]);
1920 accum.mul(ws[11], p[27]);
1921 accum.mul(ws[12], p[26]);
1922 accum.mul(ws[13], p[25]);
1923 accum.mul(ws[14], p[24]);
1924 accum.mul(ws[15], p[23]);
1925 accum.mul(ws[16], p[22]);
1926 accum.mul(ws[17], p[21]);
1927 accum.mul(ws[18], p[20]);
1928 accum.mul(ws[19], p[19]);
1929 accum.mul(ws[20], p[18]);
1930 accum.mul(ws[21], p[17]);
1931 accum.mul(ws[22], p[16]);
1932 accum.mul(ws[23], p[15]);
1933 accum.mul(ws[24], p[14]);
1934 accum.mul(ws[25], p[13]);
1935 accum.mul(ws[26], p[12]);
1936 accum.mul(ws[27], p[11]);
1937 accum.mul(ws[28], p[10]);
1938 accum.mul(ws[29], p[9]);
1939 accum.mul(ws[30], p[8]);
1940 accum.mul(ws[31], p[7]);
1941 accum.add(z[38]);
1942 ws[6] = accum.extract();
1943 accum.mul(ws[8], p[31]);
1944 accum.mul(ws[9], p[30]);
1945 accum.mul(ws[10], p[29]);
1946 accum.mul(ws[11], p[28]);
1947 accum.mul(ws[12], p[27]);
1948 accum.mul(ws[13], p[26]);
1949 accum.mul(ws[14], p[25]);
1950 accum.mul(ws[15], p[24]);
1951 accum.mul(ws[16], p[23]);
1952 accum.mul(ws[17], p[22]);
1953 accum.mul(ws[18], p[21]);
1954 accum.mul(ws[19], p[20]);
1955 accum.mul(ws[20], p[19]);
1956 accum.mul(ws[21], p[18]);
1957 accum.mul(ws[22], p[17]);
1958 accum.mul(ws[23], p[16]);
1959 accum.mul(ws[24], p[15]);
1960 accum.mul(ws[25], p[14]);
1961 accum.mul(ws[26], p[13]);
1962 accum.mul(ws[27], p[12]);
1963 accum.mul(ws[28], p[11]);
1964 accum.mul(ws[29], p[10]);
1965 accum.mul(ws[30], p[9]);
1966 accum.mul(ws[31], p[8]);
1967 accum.add(z[39]);
1968 ws[7] = accum.extract();
1969 accum.mul(ws[9], p[31]);
1970 accum.mul(ws[10], p[30]);
1971 accum.mul(ws[11], p[29]);
1972 accum.mul(ws[12], p[28]);
1973 accum.mul(ws[13], p[27]);
1974 accum.mul(ws[14], p[26]);
1975 accum.mul(ws[15], p[25]);
1976 accum.mul(ws[16], p[24]);
1977 accum.mul(ws[17], p[23]);
1978 accum.mul(ws[18], p[22]);
1979 accum.mul(ws[19], p[21]);
1980 accum.mul(ws[20], p[20]);
1981 accum.mul(ws[21], p[19]);
1982 accum.mul(ws[22], p[18]);
1983 accum.mul(ws[23], p[17]);
1984 accum.mul(ws[24], p[16]);
1985 accum.mul(ws[25], p[15]);
1986 accum.mul(ws[26], p[14]);
1987 accum.mul(ws[27], p[13]);
1988 accum.mul(ws[28], p[12]);
1989 accum.mul(ws[29], p[11]);
1990 accum.mul(ws[30], p[10]);
1991 accum.mul(ws[31], p[9]);
1992 accum.add(z[40]);
1993 ws[8] = accum.extract();
1994 accum.mul(ws[10], p[31]);
1995 accum.mul(ws[11], p[30]);
1996 accum.mul(ws[12], p[29]);
1997 accum.mul(ws[13], p[28]);
1998 accum.mul(ws[14], p[27]);
1999 accum.mul(ws[15], p[26]);
2000 accum.mul(ws[16], p[25]);
2001 accum.mul(ws[17], p[24]);
2002 accum.mul(ws[18], p[23]);
2003 accum.mul(ws[19], p[22]);
2004 accum.mul(ws[20], p[21]);
2005 accum.mul(ws[21], p[20]);
2006 accum.mul(ws[22], p[19]);
2007 accum.mul(ws[23], p[18]);
2008 accum.mul(ws[24], p[17]);
2009 accum.mul(ws[25], p[16]);
2010 accum.mul(ws[26], p[15]);
2011 accum.mul(ws[27], p[14]);
2012 accum.mul(ws[28], p[13]);
2013 accum.mul(ws[29], p[12]);
2014 accum.mul(ws[30], p[11]);
2015 accum.mul(ws[31], p[10]);
2016 accum.add(z[41]);
2017 ws[9] = accum.extract();
2018 accum.mul(ws[11], p[31]);
2019 accum.mul(ws[12], p[30]);
2020 accum.mul(ws[13], p[29]);
2021 accum.mul(ws[14], p[28]);
2022 accum.mul(ws[15], p[27]);
2023 accum.mul(ws[16], p[26]);
2024 accum.mul(ws[17], p[25]);
2025 accum.mul(ws[18], p[24]);
2026 accum.mul(ws[19], p[23]);
2027 accum.mul(ws[20], p[22]);
2028 accum.mul(ws[21], p[21]);
2029 accum.mul(ws[22], p[20]);
2030 accum.mul(ws[23], p[19]);
2031 accum.mul(ws[24], p[18]);
2032 accum.mul(ws[25], p[17]);
2033 accum.mul(ws[26], p[16]);
2034 accum.mul(ws[27], p[15]);
2035 accum.mul(ws[28], p[14]);
2036 accum.mul(ws[29], p[13]);
2037 accum.mul(ws[30], p[12]);
2038 accum.mul(ws[31], p[11]);
2039 accum.add(z[42]);
2040 ws[10] = accum.extract();
2041 accum.mul(ws[12], p[31]);
2042 accum.mul(ws[13], p[30]);
2043 accum.mul(ws[14], p[29]);
2044 accum.mul(ws[15], p[28]);
2045 accum.mul(ws[16], p[27]);
2046 accum.mul(ws[17], p[26]);
2047 accum.mul(ws[18], p[25]);
2048 accum.mul(ws[19], p[24]);
2049 accum.mul(ws[20], p[23]);
2050 accum.mul(ws[21], p[22]);
2051 accum.mul(ws[22], p[21]);
2052 accum.mul(ws[23], p[20]);
2053 accum.mul(ws[24], p[19]);
2054 accum.mul(ws[25], p[18]);
2055 accum.mul(ws[26], p[17]);
2056 accum.mul(ws[27], p[16]);
2057 accum.mul(ws[28], p[15]);
2058 accum.mul(ws[29], p[14]);
2059 accum.mul(ws[30], p[13]);
2060 accum.mul(ws[31], p[12]);
2061 accum.add(z[43]);
2062 ws[11] = accum.extract();
2063 accum.mul(ws[13], p[31]);
2064 accum.mul(ws[14], p[30]);
2065 accum.mul(ws[15], p[29]);
2066 accum.mul(ws[16], p[28]);
2067 accum.mul(ws[17], p[27]);
2068 accum.mul(ws[18], p[26]);
2069 accum.mul(ws[19], p[25]);
2070 accum.mul(ws[20], p[24]);
2071 accum.mul(ws[21], p[23]);
2072 accum.mul(ws[22], p[22]);
2073 accum.mul(ws[23], p[21]);
2074 accum.mul(ws[24], p[20]);
2075 accum.mul(ws[25], p[19]);
2076 accum.mul(ws[26], p[18]);
2077 accum.mul(ws[27], p[17]);
2078 accum.mul(ws[28], p[16]);
2079 accum.mul(ws[29], p[15]);
2080 accum.mul(ws[30], p[14]);
2081 accum.mul(ws[31], p[13]);
2082 accum.add(z[44]);
2083 ws[12] = accum.extract();
2084 accum.mul(ws[14], p[31]);
2085 accum.mul(ws[15], p[30]);
2086 accum.mul(ws[16], p[29]);
2087 accum.mul(ws[17], p[28]);
2088 accum.mul(ws[18], p[27]);
2089 accum.mul(ws[19], p[26]);
2090 accum.mul(ws[20], p[25]);
2091 accum.mul(ws[21], p[24]);
2092 accum.mul(ws[22], p[23]);
2093 accum.mul(ws[23], p[22]);
2094 accum.mul(ws[24], p[21]);
2095 accum.mul(ws[25], p[20]);
2096 accum.mul(ws[26], p[19]);
2097 accum.mul(ws[27], p[18]);
2098 accum.mul(ws[28], p[17]);
2099 accum.mul(ws[29], p[16]);
2100 accum.mul(ws[30], p[15]);
2101 accum.mul(ws[31], p[14]);
2102 accum.add(z[45]);
2103 ws[13] = accum.extract();
2104 accum.mul(ws[15], p[31]);
2105 accum.mul(ws[16], p[30]);
2106 accum.mul(ws[17], p[29]);
2107 accum.mul(ws[18], p[28]);
2108 accum.mul(ws[19], p[27]);
2109 accum.mul(ws[20], p[26]);
2110 accum.mul(ws[21], p[25]);
2111 accum.mul(ws[22], p[24]);
2112 accum.mul(ws[23], p[23]);
2113 accum.mul(ws[24], p[22]);
2114 accum.mul(ws[25], p[21]);
2115 accum.mul(ws[26], p[20]);
2116 accum.mul(ws[27], p[19]);
2117 accum.mul(ws[28], p[18]);
2118 accum.mul(ws[29], p[17]);
2119 accum.mul(ws[30], p[16]);
2120 accum.mul(ws[31], p[15]);
2121 accum.add(z[46]);
2122 ws[14] = accum.extract();
2123 accum.mul(ws[16], p[31]);
2124 accum.mul(ws[17], p[30]);
2125 accum.mul(ws[18], p[29]);
2126 accum.mul(ws[19], p[28]);
2127 accum.mul(ws[20], p[27]);
2128 accum.mul(ws[21], p[26]);
2129 accum.mul(ws[22], p[25]);
2130 accum.mul(ws[23], p[24]);
2131 accum.mul(ws[24], p[23]);
2132 accum.mul(ws[25], p[22]);
2133 accum.mul(ws[26], p[21]);
2134 accum.mul(ws[27], p[20]);
2135 accum.mul(ws[28], p[19]);
2136 accum.mul(ws[29], p[18]);
2137 accum.mul(ws[30], p[17]);
2138 accum.mul(ws[31], p[16]);
2139 accum.add(z[47]);
2140 ws[15] = accum.extract();
2141 accum.mul(ws[17], p[31]);
2142 accum.mul(ws[18], p[30]);
2143 accum.mul(ws[19], p[29]);
2144 accum.mul(ws[20], p[28]);
2145 accum.mul(ws[21], p[27]);
2146 accum.mul(ws[22], p[26]);
2147 accum.mul(ws[23], p[25]);
2148 accum.mul(ws[24], p[24]);
2149 accum.mul(ws[25], p[23]);
2150 accum.mul(ws[26], p[22]);
2151 accum.mul(ws[27], p[21]);
2152 accum.mul(ws[28], p[20]);
2153 accum.mul(ws[29], p[19]);
2154 accum.mul(ws[30], p[18]);
2155 accum.mul(ws[31], p[17]);
2156 accum.add(z[48]);
2157 ws[16] = accum.extract();
2158 accum.mul(ws[18], p[31]);
2159 accum.mul(ws[19], p[30]);
2160 accum.mul(ws[20], p[29]);
2161 accum.mul(ws[21], p[28]);
2162 accum.mul(ws[22], p[27]);
2163 accum.mul(ws[23], p[26]);
2164 accum.mul(ws[24], p[25]);
2165 accum.mul(ws[25], p[24]);
2166 accum.mul(ws[26], p[23]);
2167 accum.mul(ws[27], p[22]);
2168 accum.mul(ws[28], p[21]);
2169 accum.mul(ws[29], p[20]);
2170 accum.mul(ws[30], p[19]);
2171 accum.mul(ws[31], p[18]);
2172 accum.add(z[49]);
2173 ws[17] = accum.extract();
2174 accum.mul(ws[19], p[31]);
2175 accum.mul(ws[20], p[30]);
2176 accum.mul(ws[21], p[29]);
2177 accum.mul(ws[22], p[28]);
2178 accum.mul(ws[23], p[27]);
2179 accum.mul(ws[24], p[26]);
2180 accum.mul(ws[25], p[25]);
2181 accum.mul(ws[26], p[24]);
2182 accum.mul(ws[27], p[23]);
2183 accum.mul(ws[28], p[22]);
2184 accum.mul(ws[29], p[21]);
2185 accum.mul(ws[30], p[20]);
2186 accum.mul(ws[31], p[19]);
2187 accum.add(z[50]);
2188 ws[18] = accum.extract();
2189 accum.mul(ws[20], p[31]);
2190 accum.mul(ws[21], p[30]);
2191 accum.mul(ws[22], p[29]);
2192 accum.mul(ws[23], p[28]);
2193 accum.mul(ws[24], p[27]);
2194 accum.mul(ws[25], p[26]);
2195 accum.mul(ws[26], p[25]);
2196 accum.mul(ws[27], p[24]);
2197 accum.mul(ws[28], p[23]);
2198 accum.mul(ws[29], p[22]);
2199 accum.mul(ws[30], p[21]);
2200 accum.mul(ws[31], p[20]);
2201 accum.add(z[51]);
2202 ws[19] = accum.extract();
2203 accum.mul(ws[21], p[31]);
2204 accum.mul(ws[22], p[30]);
2205 accum.mul(ws[23], p[29]);
2206 accum.mul(ws[24], p[28]);
2207 accum.mul(ws[25], p[27]);
2208 accum.mul(ws[26], p[26]);
2209 accum.mul(ws[27], p[25]);
2210 accum.mul(ws[28], p[24]);
2211 accum.mul(ws[29], p[23]);
2212 accum.mul(ws[30], p[22]);
2213 accum.mul(ws[31], p[21]);
2214 accum.add(z[52]);
2215 ws[20] = accum.extract();
2216 accum.mul(ws[22], p[31]);
2217 accum.mul(ws[23], p[30]);
2218 accum.mul(ws[24], p[29]);
2219 accum.mul(ws[25], p[28]);
2220 accum.mul(ws[26], p[27]);
2221 accum.mul(ws[27], p[26]);
2222 accum.mul(ws[28], p[25]);
2223 accum.mul(ws[29], p[24]);
2224 accum.mul(ws[30], p[23]);
2225 accum.mul(ws[31], p[22]);
2226 accum.add(z[53]);
2227 ws[21] = accum.extract();
2228 accum.mul(ws[23], p[31]);
2229 accum.mul(ws[24], p[30]);
2230 accum.mul(ws[25], p[29]);
2231 accum.mul(ws[26], p[28]);
2232 accum.mul(ws[27], p[27]);
2233 accum.mul(ws[28], p[26]);
2234 accum.mul(ws[29], p[25]);
2235 accum.mul(ws[30], p[24]);
2236 accum.mul(ws[31], p[23]);
2237 accum.add(z[54]);
2238 ws[22] = accum.extract();
2239 accum.mul(ws[24], p[31]);
2240 accum.mul(ws[25], p[30]);
2241 accum.mul(ws[26], p[29]);
2242 accum.mul(ws[27], p[28]);
2243 accum.mul(ws[28], p[27]);
2244 accum.mul(ws[29], p[26]);
2245 accum.mul(ws[30], p[25]);
2246 accum.mul(ws[31], p[24]);
2247 accum.add(z[55]);
2248 ws[23] = accum.extract();
2249 accum.mul(ws[25], p[31]);
2250 accum.mul(ws[26], p[30]);
2251 accum.mul(ws[27], p[29]);
2252 accum.mul(ws[28], p[28]);
2253 accum.mul(ws[29], p[27]);
2254 accum.mul(ws[30], p[26]);
2255 accum.mul(ws[31], p[25]);
2256 accum.add(z[56]);
2257 ws[24] = accum.extract();
2258 accum.mul(ws[26], p[31]);
2259 accum.mul(ws[27], p[30]);
2260 accum.mul(ws[28], p[29]);
2261 accum.mul(ws[29], p[28]);
2262 accum.mul(ws[30], p[27]);
2263 accum.mul(ws[31], p[26]);
2264 accum.add(z[57]);
2265 ws[25] = accum.extract();
2266 accum.mul(ws[27], p[31]);
2267 accum.mul(ws[28], p[30]);
2268 accum.mul(ws[29], p[29]);
2269 accum.mul(ws[30], p[28]);
2270 accum.mul(ws[31], p[27]);
2271 accum.add(z[58]);
2272 ws[26] = accum.extract();
2273 accum.mul(ws[28], p[31]);
2274 accum.mul(ws[29], p[30]);
2275 accum.mul(ws[30], p[29]);
2276 accum.mul(ws[31], p[28]);
2277 accum.add(z[59]);
2278 ws[27] = accum.extract();
2279 accum.mul(ws[29], p[31]);
2280 accum.mul(ws[30], p[30]);
2281 accum.mul(ws[31], p[29]);
2282 accum.add(z[60]);
2283 ws[28] = accum.extract();
2284 accum.mul(ws[30], p[31]);
2285 accum.mul(ws[31], p[30]);
2286 accum.add(z[61]);
2287 ws[29] = accum.extract();
2288 accum.mul(ws[31], p[31]);
2289 accum.add(z[62]);
2290 ws[30] = accum.extract();
2291 accum.add(z[63]);
2292 ws[31] = accum.extract();
2293 word w1 = accum.extract();
2294 bigint_monty_maybe_sub<32>(z, w1, ws, p);
2295 clear_mem(z + 32, 32);
2296}
References Botan::word3< W >::add(), bigint_monty_maybe_sub(), clear_mem(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().
Referenced by bigint_monty_redc().
◆ bigint_monty_redc_4()
| void Botan::bigint_monty_redc_4 | ( | word | z[8], |
| const word | p[4], | ||
| word | p_dash, | ||
| word | ws[] ) |
Definition at line 14 of file mp_monty_n.cpp.
14 {
15 word3<word> accum;
16 accum.add(z[0]);
17 ws[0] = accum.monty_step(p[0], p_dash);
18 accum.mul(ws[0], p[1]);
19 accum.add(z[1]);
20 ws[1] = accum.monty_step(p[0], p_dash);
21 accum.mul(ws[0], p[2]);
22 accum.mul(ws[1], p[1]);
23 accum.add(z[2]);
24 ws[2] = accum.monty_step(p[0], p_dash);
25 accum.mul(ws[0], p[3]);
26 accum.mul(ws[1], p[2]);
27 accum.mul(ws[2], p[1]);
28 accum.add(z[3]);
29 ws[3] = accum.monty_step(p[0], p_dash);
30 accum.mul(ws[1], p[3]);
31 accum.mul(ws[2], p[2]);
32 accum.mul(ws[3], p[1]);
33 accum.add(z[4]);
34 ws[0] = accum.extract();
35 accum.mul(ws[2], p[3]);
36 accum.mul(ws[3], p[2]);
37 accum.add(z[5]);
38 ws[1] = accum.extract();
39 accum.mul(ws[3], p[3]);
40 accum.add(z[6]);
41 ws[2] = accum.extract();
42 accum.add(z[7]);
43 ws[3] = accum.extract();
44 word w1 = accum.extract();
45 bigint_monty_maybe_sub<4>(z, w1, ws, p);
46 clear_mem(z + 4, 4);
47}
References Botan::word3< W >::add(), bigint_monty_maybe_sub(), clear_mem(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().
Referenced by bigint_monty_redc().
◆ bigint_monty_redc_6()
| void Botan::bigint_monty_redc_6 | ( | word | z[12], |
| const word | p[6], | ||
| word | p_dash, | ||
| word | ws[] ) |
Definition at line 49 of file mp_monty_n.cpp.
49 {
50 word3<word> accum;
51 accum.add(z[0]);
52 ws[0] = accum.monty_step(p[0], p_dash);
53 accum.mul(ws[0], p[1]);
54 accum.add(z[1]);
55 ws[1] = accum.monty_step(p[0], p_dash);
56 accum.mul(ws[0], p[2]);
57 accum.mul(ws[1], p[1]);
58 accum.add(z[2]);
59 ws[2] = accum.monty_step(p[0], p_dash);
60 accum.mul(ws[0], p[3]);
61 accum.mul(ws[1], p[2]);
62 accum.mul(ws[2], p[1]);
63 accum.add(z[3]);
64 ws[3] = accum.monty_step(p[0], p_dash);
65 accum.mul(ws[0], p[4]);
66 accum.mul(ws[1], p[3]);
67 accum.mul(ws[2], p[2]);
68 accum.mul(ws[3], p[1]);
69 accum.add(z[4]);
70 ws[4] = accum.monty_step(p[0], p_dash);
71 accum.mul(ws[0], p[5]);
72 accum.mul(ws[1], p[4]);
73 accum.mul(ws[2], p[3]);
74 accum.mul(ws[3], p[2]);
75 accum.mul(ws[4], p[1]);
76 accum.add(z[5]);
77 ws[5] = accum.monty_step(p[0], p_dash);
78 accum.mul(ws[1], p[5]);
79 accum.mul(ws[2], p[4]);
80 accum.mul(ws[3], p[3]);
81 accum.mul(ws[4], p[2]);
82 accum.mul(ws[5], p[1]);
83 accum.add(z[6]);
84 ws[0] = accum.extract();
85 accum.mul(ws[2], p[5]);
86 accum.mul(ws[3], p[4]);
87 accum.mul(ws[4], p[3]);
88 accum.mul(ws[5], p[2]);
89 accum.add(z[7]);
90 ws[1] = accum.extract();
91 accum.mul(ws[3], p[5]);
92 accum.mul(ws[4], p[4]);
93 accum.mul(ws[5], p[3]);
94 accum.add(z[8]);
95 ws[2] = accum.extract();
96 accum.mul(ws[4], p[5]);
97 accum.mul(ws[5], p[4]);
98 accum.add(z[9]);
99 ws[3] = accum.extract();
100 accum.mul(ws[5], p[5]);
101 accum.add(z[10]);
102 ws[4] = accum.extract();
103 accum.add(z[11]);
104 ws[5] = accum.extract();
105 word w1 = accum.extract();
106 bigint_monty_maybe_sub<6>(z, w1, ws, p);
107 clear_mem(z + 6, 6);
108}
References Botan::word3< W >::add(), bigint_monty_maybe_sub(), clear_mem(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().
Referenced by bigint_monty_redc().
◆ bigint_monty_redc_8()
| void Botan::bigint_monty_redc_8 | ( | word | z[16], |
| const word | p[8], | ||
| word | p_dash, | ||
| word | ws[] ) |
Definition at line 110 of file mp_monty_n.cpp.
110 {
111 word3<word> accum;
112 accum.add(z[0]);
113 ws[0] = accum.monty_step(p[0], p_dash);
114 accum.mul(ws[0], p[1]);
115 accum.add(z[1]);
116 ws[1] = accum.monty_step(p[0], p_dash);
117 accum.mul(ws[0], p[2]);
118 accum.mul(ws[1], p[1]);
119 accum.add(z[2]);
120 ws[2] = accum.monty_step(p[0], p_dash);
121 accum.mul(ws[0], p[3]);
122 accum.mul(ws[1], p[2]);
123 accum.mul(ws[2], p[1]);
124 accum.add(z[3]);
125 ws[3] = accum.monty_step(p[0], p_dash);
126 accum.mul(ws[0], p[4]);
127 accum.mul(ws[1], p[3]);
128 accum.mul(ws[2], p[2]);
129 accum.mul(ws[3], p[1]);
130 accum.add(z[4]);
131 ws[4] = accum.monty_step(p[0], p_dash);
132 accum.mul(ws[0], p[5]);
133 accum.mul(ws[1], p[4]);
134 accum.mul(ws[2], p[3]);
135 accum.mul(ws[3], p[2]);
136 accum.mul(ws[4], p[1]);
137 accum.add(z[5]);
138 ws[5] = accum.monty_step(p[0], p_dash);
139 accum.mul(ws[0], p[6]);
140 accum.mul(ws[1], p[5]);
141 accum.mul(ws[2], p[4]);
142 accum.mul(ws[3], p[3]);
143 accum.mul(ws[4], p[2]);
144 accum.mul(ws[5], p[1]);
145 accum.add(z[6]);
146 ws[6] = accum.monty_step(p[0], p_dash);
147 accum.mul(ws[0], p[7]);
148 accum.mul(ws[1], p[6]);
149 accum.mul(ws[2], p[5]);
150 accum.mul(ws[3], p[4]);
151 accum.mul(ws[4], p[3]);
152 accum.mul(ws[5], p[2]);
153 accum.mul(ws[6], p[1]);
154 accum.add(z[7]);
155 ws[7] = accum.monty_step(p[0], p_dash);
156 accum.mul(ws[1], p[7]);
157 accum.mul(ws[2], p[6]);
158 accum.mul(ws[3], p[5]);
159 accum.mul(ws[4], p[4]);
160 accum.mul(ws[5], p[3]);
161 accum.mul(ws[6], p[2]);
162 accum.mul(ws[7], p[1]);
163 accum.add(z[8]);
164 ws[0] = accum.extract();
165 accum.mul(ws[2], p[7]);
166 accum.mul(ws[3], p[6]);
167 accum.mul(ws[4], p[5]);
168 accum.mul(ws[5], p[4]);
169 accum.mul(ws[6], p[3]);
170 accum.mul(ws[7], p[2]);
171 accum.add(z[9]);
172 ws[1] = accum.extract();
173 accum.mul(ws[3], p[7]);
174 accum.mul(ws[4], p[6]);
175 accum.mul(ws[5], p[5]);
176 accum.mul(ws[6], p[4]);
177 accum.mul(ws[7], p[3]);
178 accum.add(z[10]);
179 ws[2] = accum.extract();
180 accum.mul(ws[4], p[7]);
181 accum.mul(ws[5], p[6]);
182 accum.mul(ws[6], p[5]);
183 accum.mul(ws[7], p[4]);
184 accum.add(z[11]);
185 ws[3] = accum.extract();
186 accum.mul(ws[5], p[7]);
187 accum.mul(ws[6], p[6]);
188 accum.mul(ws[7], p[5]);
189 accum.add(z[12]);
190 ws[4] = accum.extract();
191 accum.mul(ws[6], p[7]);
192 accum.mul(ws[7], p[6]);
193 accum.add(z[13]);
194 ws[5] = accum.extract();
195 accum.mul(ws[7], p[7]);
196 accum.add(z[14]);
197 ws[6] = accum.extract();
198 accum.add(z[15]);
199 ws[7] = accum.extract();
200 word w1 = accum.extract();
201 bigint_monty_maybe_sub<8>(z, w1, ws, p);
202 clear_mem(z + 8, 8);
203}
References Botan::word3< W >::add(), bigint_monty_maybe_sub(), clear_mem(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().
Referenced by bigint_monty_redc().
◆ bigint_monty_redc_generic()
| void Botan::bigint_monty_redc_generic | ( | word | z[], |
| size_t | z_size, | ||
| const word | p[], | ||
| size_t | p_size, | ||
| word | p_dash, | ||
| word | ws[] ) |
Definition at line 31 of file mp_monty.cpp.
31 {
32 BOTAN_ARG_CHECK(z_size >= 2 * p_size && p_size > 0, "Invalid sizes for bigint_monty_redc_generic");
33
34 word3<word> accum;
35
36 accum.add(z[0]);
37
38 ws[0] = accum.monty_step(p[0], p_dash);
39
40 for(size_t i = 1; i != p_size; ++i) {
41 for(size_t j = 0; j < i; ++j) {
42 accum.mul(ws[j], p[i - j]);
43 }
44
45 accum.add(z[i]);
46 ws[i] = accum.monty_step(p[0], p_dash);
47 }
48
49 for(size_t i = 0; i != p_size - 1; ++i) {
50 for(size_t j = i + 1; j != p_size; ++j) {
51 accum.mul(ws[j], p[p_size + i - j]);
52 }
53
54 accum.add(z[p_size + i]);
55 ws[i] = accum.extract();
56 }
57
58 accum.add(z[2 * p_size - 1]);
59
60 ws[p_size - 1] = accum.extract();
61 // w1 is the final part, which is not stored in the workspace
63
64 /*
65 * The result might need to be reduced mod p. To avoid a timing
66 * channel, always perform the subtraction. If in the compution
67 * of x - p a borrow is required then x was already < p.
68 *
69 * x starts at ws[0] and is p_size bytes long plus a possible high
70 * digit left over in w1.
71 *
72 * x - p starts at z[0] and is also p_size bytes long
73 *
74 * If borrow was set after the subtraction, then x was already less
75 * than p and the subtraction was not needed. In that case overwrite
76 * z[0:p_size] with the original x in ws[0:p_size].
77 *
78 * We only copy out p_size in the final step because we know
79 * the Montgomery result is < P
80 */
81
82 bigint_monty_maybe_sub(p_size, z, w1, ws, p);
83
84 // Clear the high words that contain the original input
85 clear_mem(z + p_size, z_size - p_size);
86}
constexpr void bigint_monty_maybe_sub(size_t N, W z[], W x0, const W x[], const W p[])
Definition mp_core.h:374
References Botan::word3< W >::add(), bigint_monty_maybe_sub(), BOTAN_ARG_CHECK, clear_mem(), Botan::word3< W >::extract(), Botan::word3< W >::monty_step(), and Botan::word3< W >::mul().
Referenced by bigint_monty_redc().
◆ bigint_mul()
| void Botan::bigint_mul | ( | word | z[], |
| size_t | z_size, | ||
| const word | x[], | ||
| size_t | x_size, | ||
| size_t | x_sw, | ||
| const word | y[], | ||
| size_t | y_size, | ||
| size_t | y_sw, | ||
| word | workspace[], | ||
| size_t | ws_size ) |
Definition at line 282 of file mp_karat.cpp.
291 {
292 clear_mem(z, z_size);
293
294 if(x_sw == 1) {
295 bigint_linmul3(z, y, y_sw, x[0]);
296 } else if(y_sw == 1) {
297 bigint_linmul3(z, x, x_sw, y[0]);
298 } else if(sized_for_comba_mul<4>(x_sw, x_size, y_sw, y_size, z_size)) {
299 bigint_comba_mul4(z, x, y);
300 } else if(sized_for_comba_mul<6>(x_sw, x_size, y_sw, y_size, z_size)) {
301 bigint_comba_mul6(z, x, y);
302 } else if(sized_for_comba_mul<8>(x_sw, x_size, y_sw, y_size, z_size)) {
303 bigint_comba_mul8(z, x, y);
304 } else if(sized_for_comba_mul<9>(x_sw, x_size, y_sw, y_size, z_size)) {
305 bigint_comba_mul9(z, x, y);
306 } else if(sized_for_comba_mul<16>(x_sw, x_size, y_sw, y_size, z_size)) {
307 bigint_comba_mul16(z, x, y);
308 } else if(sized_for_comba_mul<24>(x_sw, x_size, y_sw, y_size, z_size)) {
309 bigint_comba_mul24(z, x, y);
310 } else if(x_sw < KARATSUBA_MULTIPLY_THRESHOLD || y_sw < KARATSUBA_MULTIPLY_THRESHOLD || !workspace) {
311 basecase_mul(z, z_size, x, x_sw, y, y_sw);
312 } else {
313 const size_t N = karatsuba_size(z_size, x_size, x_sw, y_size, y_sw);
314
315 if(N && z_size >= 2 * N && ws_size >= 2 * N) {
316 karatsuba_mul(z, x, y, N, workspace);
317 } else {
318 basecase_mul(z, z_size, x, x_sw, y, y_sw);
319 }
320 }
321}
constexpr void bigint_linmul3(W z[], const W x[], size_t x_size, W y)
Definition mp_core.h:569
void bigint_comba_mul4(word z[8], const word x[4], const word y[4])
Definition mp_comba.cpp:42
void bigint_comba_mul16(word z[32], const word x[16], const word y[16])
Definition mp_comba.cpp:794
void bigint_comba_mul6(word z[12], const word x[6], const word y[6])
Definition mp_comba.cpp:115
void bigint_comba_mul9(word z[18], const word x[9], const word y[9])
Definition mp_comba.cpp:511
void bigint_comba_mul24(word z[48], const word x[24], const word y[24])
Definition mp_comba.cpp:1446
BOTAN_FUZZER_API void basecase_mul(word z[], size_t z_size, const word x[], size_t x_size, const word y[], size_t y_size)
Definition mp_karat.cpp:20
void bigint_comba_mul8(word z[16], const word x[8], const word y[8])
Definition mp_comba.cpp:352
References basecase_mul(), bigint_comba_mul16(), bigint_comba_mul24(), bigint_comba_mul4(), bigint_comba_mul6(), bigint_comba_mul8(), bigint_comba_mul9(), bigint_linmul3(), and clear_mem().
Referenced by Botan::BigInt::mul(), Botan::Montgomery_Params::mul(), Botan::Montgomery_Params::mul(), Botan::Montgomery_Params::mul_by(), Botan::Montgomery_Params::mul_by(), operator*(), and Botan::Scalar448::operator*().
◆ bigint_shl1()
template<WordType W>
|
inlineconstexpr |
Definition at line 467 of file mp_core.h.
467 {
470
471 copy_mem(x + word_shift, x, x_words);
472 clear_mem(x, word_shift);
473
476
477 W carry = 0;
478 for(size_t i = word_shift; i != x_size; ++i) {
479 const W w = x[i];
480 x[i] = (w << bit_shift) | carry;
481 carry = carry_mask.if_set_return(w >> carry_shift);
482 }
483}
constexpr uint64_t carry_shift(const donna128 &a, size_t shift)
Definition donna128.h:133
Definition mp_asmi.h:31
References carry(), carry_shift(), clear_mem(), copy_mem(), and Botan::CT::Mask< T >::expand().
Referenced by Botan::BigInt::operator<<=().
◆ bigint_shl2()
template<WordType W>
|
inlineconstexpr |
Definition at line 510 of file mp_core.h.
510 {
513
514 copy_mem(y + word_shift, x, x_size);
515
518
519 W carry = 0;
520 for(size_t i = word_shift; i != x_size + word_shift + 1; ++i) {
521 const W w = y[i];
522 y[i] = (w << bit_shift) | carry;
523 carry = carry_mask.if_set_return(w >> carry_shift);
524 }
525}
References carry(), carry_shift(), copy_mem(), and Botan::CT::Mask< T >::expand().
Referenced by Botan::BigInt::ct_shift_left(), and operator<<().
◆ bigint_shr1()
template<WordType W>
|
inlineconstexpr |
Definition at line 486 of file mp_core.h.
486 {
489
490 const size_t top = x_size >= word_shift ? (x_size - word_shift) : 0;
491
492 if(top > 0) {
493 copy_mem(x, x + word_shift, top);
494 }
495 clear_mem(x + top, std::min(word_shift, x_size));
496
497 const auto carry_mask = CT::Mask<W>::expand(bit_shift);
498 const W carry_shift = carry_mask.if_set_return(WordInfo<W>::bits - bit_shift);
499
500 W carry = 0;
501
502 for(size_t i = 0; i != top; ++i) {
503 const W w = x[top - i - 1];
504 x[top - i - 1] = (w >> bit_shift) | carry;
505 carry = carry_mask.if_set_return(w << carry_shift);
506 }
507}
References carry(), carry_shift(), clear_mem(), copy_mem(), and Botan::CT::Mask< T >::expand().
Referenced by Botan::BigInt::operator>>=().
◆ bigint_shr2()
template<WordType W>
|
inlineconstexpr |
Definition at line 528 of file mp_core.h.
528 {
531 const size_t new_size = x_size < word_shift ? 0 : (x_size - word_shift);
532
533 if(new_size > 0) {
534 copy_mem(y, x + word_shift, new_size);
535 }
536
537 const auto carry_mask = CT::Mask<W>::expand(bit_shift);
538 const W carry_shift = carry_mask.if_set_return(WordInfo<W>::bits - bit_shift);
539
540 W carry = 0;
541 for(size_t i = new_size; i > 0; --i) {
542 W w = y[i - 1];
543 y[i - 1] = (w >> bit_shift) | carry;
544 carry = carry_mask.if_set_return(w << carry_shift);
545 }
546}
References carry(), carry_shift(), copy_mem(), and Botan::CT::Mask< T >::expand().
Referenced by gcd(), operator>>(), and redc_p521().
◆ bigint_sqr()
| void Botan::bigint_sqr | ( | word | z[], |
| size_t | z_size, | ||
| const word | x[], | ||
| size_t | x_size, | ||
| size_t | x_sw, | ||
| word | workspace[], | ||
| size_t | ws_size ) |
Definition at line 326 of file mp_karat.cpp.
326 {
327 clear_mem(z, z_size);
328
330
331 if(x_sw == 1) {
332 bigint_linmul3(z, x, x_sw, x[0]);
333 } else if(sized_for_comba_sqr<4>(x_sw, x_size, z_size)) {
334 bigint_comba_sqr4(z, x);
335 } else if(sized_for_comba_sqr<6>(x_sw, x_size, z_size)) {
336 bigint_comba_sqr6(z, x);
337 } else if(sized_for_comba_sqr<8>(x_sw, x_size, z_size)) {
338 bigint_comba_sqr8(z, x);
339 } else if(sized_for_comba_sqr<9>(x_sw, x_size, z_size)) {
340 bigint_comba_sqr9(z, x);
341 } else if(sized_for_comba_sqr<16>(x_sw, x_size, z_size)) {
342 bigint_comba_sqr16(z, x);
343 } else if(sized_for_comba_sqr<24>(x_sw, x_size, z_size)) {
344 bigint_comba_sqr24(z, x);
345 } else if(x_size < KARATSUBA_SQUARE_THRESHOLD || !workspace) {
346 basecase_sqr(z, z_size, x, x_sw);
347 } else {
348 const size_t N = karatsuba_size(z_size, x_size, x_sw);
349
350 if(N && z_size >= 2 * N && ws_size >= 2 * N) {
351 karatsuba_sqr(z, x, N, workspace);
352 } else {
353 basecase_sqr(z, z_size, x, x_sw);
354 }
355 }
356}
BOTAN_FUZZER_API void basecase_sqr(word z[], size_t z_size, const word x[], size_t x_size)
Definition mp_karat.cpp:46
void bigint_comba_sqr6(word z[12], const word x[6])
Definition mp_comba.cpp:74
void bigint_comba_sqr8(word z[16], const word x[8])
Definition mp_comba.cpp:292
void bigint_comba_sqr16(word z[32], const word x[16])
Definition mp_comba.cpp:618
void bigint_comba_sqr9(word z[18], const word x[9])
Definition mp_comba.cpp:440
void bigint_comba_sqr24(word z[48], const word x[24])
Definition mp_comba.cpp:1090
References basecase_sqr(), bigint_comba_sqr16(), bigint_comba_sqr24(), bigint_comba_sqr4(), bigint_comba_sqr6(), bigint_comba_sqr8(), bigint_comba_sqr9(), bigint_linmul3(), BOTAN_ASSERT, and clear_mem().
Referenced by Botan::Montgomery_Params::sqr(), Botan::BigInt::square(), and Botan::Montgomery_Params::square_this().
◆ bigint_sub2()
template<WordType W>
|
inlineconstexpr |
Two operand subtraction
Definition at line 291 of file mp_core.h.
291 {
292 W borrow = 0;
293
295
296 const size_t blocks = y_size - (y_size % 8);
297
298 for(size_t i = 0; i != blocks; i += 8) {
299 borrow = word8_sub2(x + i, y + i, borrow);
300 }
301
302 for(size_t i = blocks; i != y_size; ++i) {
303 x[i] = word_sub(x[i], y[i], &borrow);
304 }
305
306 for(size_t i = y_size; i != x_size; ++i) {
308 }
309
310 return borrow;
311}
constexpr auto word8_sub2(W x[8], const W y[8], W carry) -> W
Definition mp_asmi.h:314
References BOTAN_ASSERT, word8_sub2(), and word_sub().
Referenced by Botan::BigInt::add(), redc_p192(), redc_p224(), redc_p256(), and redc_p384().
◆ bigint_sub2_rev()
template<WordType W>
|
inlineconstexpr |
Two operand subtraction, x = y - x; assumes y >= x
Definition at line 317 of file mp_core.h.
317 {
318 W borrow = 0;
319
320 const size_t blocks = y_size - (y_size % 8);
321
322 for(size_t i = 0; i != blocks; i += 8) {
323 borrow = word8_sub2_rev(x + i, y + i, borrow);
324 }
325
326 for(size_t i = blocks; i != y_size; ++i) {
327 x[i] = word_sub(y[i], x[i], &borrow);
328 }
329
331}
constexpr auto word8_sub2_rev(W x[8], const W y[8], W carry) -> W
Definition mp_asmi.h:340
References BOTAN_ASSERT, word8_sub2_rev(), and word_sub().
Referenced by Botan::BigInt::add().
◆ bigint_sub3()
template<WordType W>
|
inlineconstexpr |
Three operand subtraction
Expects that x_size >= y_size
Writes to z[0:x_size] and returns borrow
Definition at line 341 of file mp_core.h.
341 {
342 W borrow = 0;
343
345
346 const size_t blocks = y_size - (y_size % 8);
347
348 for(size_t i = 0; i != blocks; i += 8) {
349 borrow = word8_sub3(z + i, x + i, y + i, borrow);
350 }
351
352 for(size_t i = blocks; i != y_size; ++i) {
353 z[i] = word_sub(x[i], y[i], &borrow);
354 }
355
356 for(size_t i = y_size; i != x_size; ++i) {
358 }
359
360 return borrow;
361}
References BOTAN_ASSERT, word8_sub3(), and word_sub().
Referenced by bigint_mod_sub(), bigint_mod_sub_n(), bigint_sub_abs(), ct_divide(), ct_modulo(), Botan::BigInt::ct_reduce_below(), Botan::BigInt::mod_add(), and Botan::BigInt::reduce_below().
◆ bigint_sub_abs() [1/2]
template<WordType W>
|
inlineconstexpr |
Return abs(x-y), ie if x >= y, then compute z = x - y Otherwise compute z = y - x No borrow is possible since the result is always >= 0
Returns ~0 if x >= y or 0 if x < y
- Parameters
-
z output array of at least N words x input array of N words y input array of N words N length of x and y ws array of at least 2*N words
Definition at line 439 of file mp_core.h.
439 {
440 // Subtract in both direction then conditional copy out the result
441
442 W* ws0 = ws;
443 W* ws1 = ws + N;
444
445 W borrow0 = 0;
446 W borrow1 = 0;
447
448 const size_t blocks = N - (N % 8);
449
450 for(size_t i = 0; i != blocks; i += 8) {
451 borrow0 = word8_sub3(ws0 + i, x + i, y + i, borrow0);
452 borrow1 = word8_sub3(ws1 + i, y + i, x + i, borrow1);
453 }
454
455 for(size_t i = blocks; i != N; ++i) {
456 ws0[i] = word_sub(x[i], y[i], &borrow0);
457 ws1[i] = word_sub(y[i], x[i], &borrow1);
458 }
459
460 return CT::conditional_copy_mem(borrow0, z, ws1, ws0, N);
461}
References Botan::CT::conditional_copy_mem(), word8_sub3(), and word_sub().
Referenced by Botan::BigInt::add2(), gcd(), and Botan::BigInt::rev_sub().
◆ bigint_sub_abs() [2/2]
template<WordType W>
|
inlineconstexpr |
Set z to abs(x-y), ie if x >= y, then compute z = x - y Otherwise compute z = y - x No borrow is possible since the result is always >= 0
Return the relative size of x vs y (-1, 0, 1)
- Parameters
-
z output array of max(x_size,y_size) words x input param x_size length of x y input param y_size length of y
Definition at line 709 of file mp_core.h.
709 {
711
712 // Swap if relative_size == -1
713 const bool need_swap = relative_size < 0;
714 CT::conditional_swap_ptr(need_swap, x, y);
715 CT::conditional_swap(need_swap, x_size, y_size);
716
717 /*
718 * We know at this point that x >= y so if y_size is larger than
719 * x_size, we are guaranteed they are just leading zeros which can
720 * be ignored
721 */
722 y_size = std::min(x_size, y_size);
723
724 bigint_sub3(z, x, x_size, y, y_size);
725
726 return relative_size;
727}
constexpr int32_t bigint_cmp(const W x[], size_t x_size, const W y[], size_t y_size)
Definition mp_core.h:592
References bigint_cmp(), bigint_sub3(), Botan::CT::conditional_swap(), and Botan::CT::conditional_swap_ptr().
◆ bit_permute_step()
◆ bit_size_to_32bit_size()
|
inline |
Definition at line 46 of file code_based_util.h.
46 {
47 return (bit_size - 1) / 32 + 1;
48}
Referenced by generate_mceliece_key(), mceliece_decrypt(), and Botan::McEliece_PrivateKey::McEliece_PrivateKey().
◆ bit_size_to_byte_size()
|
inline |
Definition at line 42 of file code_based_util.h.
42 {
43 return (bit_size - 1) / 8 + 1;
44}
Referenced by mceliece_decrypt().
◆ bitlen()
|
constexpr |
Definition at line 98 of file pqcrystals_helpers.h.
98 {
100};
References ceil_log2().
Referenced by Botan::DilithiumConstants::DilithiumConstants(), and Botan::KyberConstants::KyberConstants().
◆ BOTAN_FUNC_ISA() [1/4]
| Botan::BOTAN_FUNC_ISA | ( | "avx2" | ) |
Definition at line 157 of file argon2_avx2.cpp.
157 {
158 for(size_t i = 0; i != 8; ++i) {
159 SIMD_4x64 A = SIMD_4x64::load_le(&N[16 * i + 4 * 0]);
160 SIMD_4x64 B = SIMD_4x64::load_le(&N[16 * i + 4 * 1]);
161 SIMD_4x64 C = SIMD_4x64::load_le(&N[16 * i + 4 * 2]);
162 SIMD_4x64 D = SIMD_4x64::load_le(&N[16 * i + 4 * 3]);
163
164 blamka_R(A, B, C, D);
165
166 A.store_le(&T[16 * i + 4 * 0]);
167 B.store_le(&T[16 * i + 4 * 1]);
168 C.store_le(&T[16 * i + 4 * 2]);
169 D.store_le(&T[16 * i + 4 * 3]);
170 }
171
172 for(size_t i = 0; i != 8; ++i) {
177
178 blamka_R(A, B, C, D);
179
184 }
185
186 for(size_t i = 0; i != 128 / 8; ++i) {
187 SIMD_4x64 n0 = SIMD_4x64::load_le(&N[8 * i]);
188 SIMD_4x64 n1 = SIMD_4x64::load_le(&N[8 * i + 4]);
189 SIMD_4x64 t0 = SIMD_4x64::load_le(&T[8 * i]);
190 SIMD_4x64 t1 = SIMD_4x64::load_le(&T[8 * i + 4]);
191
192 n0 ^= t0;
193 n1 ^= t1;
194 n0.store_le(&N[8 * i]);
195 n1.store_le(&N[8 * i + 4]);
196 }
197}
References T.
◆ BOTAN_FUNC_ISA() [2/4]
| Botan::BOTAN_FUNC_ISA | ( | "sse2" | ) |
Definition at line 126 of file idea_sse2.cpp.
126 {
127 CT::poison(in, 64);
128 CT::poison(out, 64);
129 CT::poison(EK, 52);
130
131 const __m128i* in_mm = reinterpret_cast<const __m128i*>(in);
132
133 __m128i B0 = _mm_loadu_si128(in_mm + 0);
134 __m128i B1 = _mm_loadu_si128(in_mm + 1);
135 __m128i B2 = _mm_loadu_si128(in_mm + 2);
136 __m128i B3 = _mm_loadu_si128(in_mm + 3);
137
138 transpose_in(B0, B1, B2, B3);
139
140 // byte swap
141 B0 = _mm_or_si128(_mm_slli_epi16(B0, 8), _mm_srli_epi16(B0, 8));
142 B1 = _mm_or_si128(_mm_slli_epi16(B1, 8), _mm_srli_epi16(B1, 8));
143 B2 = _mm_or_si128(_mm_slli_epi16(B2, 8), _mm_srli_epi16(B2, 8));
144 B3 = _mm_or_si128(_mm_slli_epi16(B3, 8), _mm_srli_epi16(B3, 8));
145
146 for(size_t i = 0; i != 8; ++i) {
147 B0 = mul(B0, EK[6 * i + 0]);
148 B1 = _mm_add_epi16(B1, _mm_set1_epi16(EK[6 * i + 1]));
149 B2 = _mm_add_epi16(B2, _mm_set1_epi16(EK[6 * i + 2]));
150 B3 = mul(B3, EK[6 * i + 3]);
151
152 __m128i T0 = B2;
153 B2 = _mm_xor_si128(B2, B0);
154 B2 = mul(B2, EK[6 * i + 4]);
155
156 __m128i T1 = B1;
157
158 B1 = _mm_xor_si128(B1, B3);
159 B1 = _mm_add_epi16(B1, B2);
160 B1 = mul(B1, EK[6 * i + 5]);
161
162 B2 = _mm_add_epi16(B2, B1);
163
164 B0 = _mm_xor_si128(B0, B1);
165 B1 = _mm_xor_si128(B1, T0);
166 B3 = _mm_xor_si128(B3, B2);
167 B2 = _mm_xor_si128(B2, T1);
168 }
169
170 B0 = mul(B0, EK[48]);
171 B1 = _mm_add_epi16(B1, _mm_set1_epi16(EK[50]));
172 B2 = _mm_add_epi16(B2, _mm_set1_epi16(EK[49]));
173 B3 = mul(B3, EK[51]);
174
175 // byte swap
176 B0 = _mm_or_si128(_mm_slli_epi16(B0, 8), _mm_srli_epi16(B0, 8));
177 B1 = _mm_or_si128(_mm_slli_epi16(B1, 8), _mm_srli_epi16(B1, 8));
178 B2 = _mm_or_si128(_mm_slli_epi16(B2, 8), _mm_srli_epi16(B2, 8));
179 B3 = _mm_or_si128(_mm_slli_epi16(B3, 8), _mm_srli_epi16(B3, 8));
180
181 transpose_out(B0, B2, B1, B3);
182
183 __m128i* out_mm = reinterpret_cast<__m128i*>(out);
184
185 _mm_storeu_si128(out_mm + 0, B0);
186 _mm_storeu_si128(out_mm + 1, B2);
187 _mm_storeu_si128(out_mm + 2, B1);
188 _mm_storeu_si128(out_mm + 3, B3);
189
190 CT::unpoison(in, 64);
191 CT::unpoison(out, 64);
192 CT::unpoison(EK, 52);
193}
References Botan::CT::poison(), and Botan::CT::unpoison().
◆ BOTAN_FUNC_ISA() [3/4]
| Botan::BOTAN_FUNC_ISA | ( | " | ssse3, |
| aes" | ) |
Definition at line 125 of file aes_ni.cpp.
125 {
137
138 while(blocks >= 4) {
139 SIMD_4x32 B0 = SIMD_4x32::load_le(in + 16 * 0);
140 SIMD_4x32 B1 = SIMD_4x32::load_le(in + 16 * 1);
141 SIMD_4x32 B2 = SIMD_4x32::load_le(in + 16 * 2);
142 SIMD_4x32 B3 = SIMD_4x32::load_le(in + 16 * 3);
143
144 keyxor(K0, B0, B1, B2, B3);
145 aesenc(K1, B0, B1, B2, B3);
146 aesenc(K2, B0, B1, B2, B3);
147 aesenc(K3, B0, B1, B2, B3);
148 aesenc(K4, B0, B1, B2, B3);
149 aesenc(K5, B0, B1, B2, B3);
150 aesenc(K6, B0, B1, B2, B3);
151 aesenc(K7, B0, B1, B2, B3);
152 aesenc(K8, B0, B1, B2, B3);
153 aesenc(K9, B0, B1, B2, B3);
154 aesenclast(K10, B0, B1, B2, B3);
155
156 B0.store_le(out + 16 * 0);
157 B1.store_le(out + 16 * 1);
158 B2.store_le(out + 16 * 2);
159 B3.store_le(out + 16 * 3);
160
161 blocks -= 4;
162 in += 4 * 16;
163 out += 4 * 16;
164 }
165
166 for(size_t i = 0; i != blocks; ++i) {
167 SIMD_4x32 B0 = SIMD_4x32::load_le(in + 16 * i);
168
169 B0 ^= K0;
170 aesenc(K1, B0);
171 aesenc(K2, B0);
172 aesenc(K3, B0);
173 aesenc(K4, B0);
174 aesenc(K5, B0);
175 aesenc(K6, B0);
176 aesenc(K7, B0);
177 aesenc(K8, B0);
178 aesenc(K9, B0);
179 aesenclast(K10, B0);
180
181 B0.store_le(out + 16 * i);
182 }
183}
184
185/*
186* AES-128 Decryption
187*/
188BOTAN_FUNC_ISA("ssse3,aes") void AES_128::hw_aes_decrypt_n(const uint8_t in[], uint8_t out[], size_t blocks) const {
189 const SIMD_4x32 K0 = SIMD_4x32::load_le(&m_DK[4 * 0]);
190 const SIMD_4x32 K1 = SIMD_4x32::load_le(&m_DK[4 * 1]);
192 const SIMD_4x32 K3 = SIMD_4x32::load_le(&m_DK[4 * 3]);
193 const SIMD_4x32 K4 = SIMD_4x32::load_le(&m_DK[4 * 4]);
194 const SIMD_4x32 K5 = SIMD_4x32::load_le(&m_DK[4 * 5]);
195 const SIMD_4x32 K6 = SIMD_4x32::load_le(&m_DK[4 * 6]);
196 const SIMD_4x32 K7 = SIMD_4x32::load_le(&m_DK[4 * 7]);
197 const SIMD_4x32 K8 = SIMD_4x32::load_le(&m_DK[4 * 8]);
198 const SIMD_4x32 K9 = SIMD_4x32::load_le(&m_DK[4 * 9]);
199 const SIMD_4x32 K10 = SIMD_4x32::load_le(&m_DK[4 * 10]);
200
201 while(blocks >= 4) {
202 SIMD_4x32 B0 = SIMD_4x32::load_le(in + 16 * 0);
203 SIMD_4x32 B1 = SIMD_4x32::load_le(in + 16 * 1);
204 SIMD_4x32 B2 = SIMD_4x32::load_le(in + 16 * 2);
205 SIMD_4x32 B3 = SIMD_4x32::load_le(in + 16 * 3);
206
207 keyxor(K0, B0, B1, B2, B3);
208 aesdec(K1, B0, B1, B2, B3);
209 aesdec(K2, B0, B1, B2, B3);
210 aesdec(K3, B0, B1, B2, B3);
211 aesdec(K4, B0, B1, B2, B3);
212 aesdec(K5, B0, B1, B2, B3);
213 aesdec(K6, B0, B1, B2, B3);
214 aesdec(K7, B0, B1, B2, B3);
215 aesdec(K8, B0, B1, B2, B3);
216 aesdec(K9, B0, B1, B2, B3);
217 aesdeclast(K10, B0, B1, B2, B3);
218
219 B0.store_le(out + 16 * 0);
220 B1.store_le(out + 16 * 1);
221 B2.store_le(out + 16 * 2);
222 B3.store_le(out + 16 * 3);
223
224 blocks -= 4;
225 in += 4 * 16;
226 out += 4 * 16;
227 }
228
229 for(size_t i = 0; i != blocks; ++i) {
230 SIMD_4x32 B0 = SIMD_4x32::load_le(in + 16 * i);
231
232 B0 ^= K0;
233 aesdec(K1, B0);
234 aesdec(K2, B0);
235 aesdec(K3, B0);
236 aesdec(K4, B0);
237 aesdec(K5, B0);
238 aesdec(K6, B0);
239 aesdec(K7, B0);
240 aesdec(K8, B0);
241 aesdec(K9, B0);
242 aesdeclast(K10, B0);
243
244 B0.store_le(out + 16 * i);
245 }
246}
247
248/*
249* AES-128 Key Schedule
250*/
251BOTAN_FUNC_ISA("ssse3,aes") void AES_128::aesni_key_schedule(const uint8_t key[], size_t /*length*/) {
252 m_EK.resize(44);
253 m_DK.resize(44);
254
255 const __m128i K0 = _mm_loadu_si128(reinterpret_cast<const __m128i*>(key));
256 const __m128i K1 = aes_128_key_expansion<0x01>(K0, K0);
258 const __m128i K3 = aes_128_key_expansion<0x04>(K2, K2);
259 const __m128i K4 = aes_128_key_expansion<0x08>(K3, K3);
260 const __m128i K5 = aes_128_key_expansion<0x10>(K4, K4);
261 const __m128i K6 = aes_128_key_expansion<0x20>(K5, K5);
262 const __m128i K7 = aes_128_key_expansion<0x40>(K6, K6);
263 const __m128i K8 = aes_128_key_expansion<0x80>(K7, K7);
264 const __m128i K9 = aes_128_key_expansion<0x1B>(K8, K8);
265 const __m128i K10 = aes_128_key_expansion<0x36>(K9, K9);
266
267 __m128i* EK_mm = reinterpret_cast<__m128i*>(m_EK.data());
268 _mm_storeu_si128(EK_mm, K0);
269 _mm_storeu_si128(EK_mm + 1, K1);
270 _mm_storeu_si128(EK_mm + 2, K2);
271 _mm_storeu_si128(EK_mm + 3, K3);
272 _mm_storeu_si128(EK_mm + 4, K4);
273 _mm_storeu_si128(EK_mm + 5, K5);
274 _mm_storeu_si128(EK_mm + 6, K6);
275 _mm_storeu_si128(EK_mm + 7, K7);
276 _mm_storeu_si128(EK_mm + 8, K8);
277 _mm_storeu_si128(EK_mm + 9, K9);
278 _mm_storeu_si128(EK_mm + 10, K10);
279
280 // Now generate decryption keys
281
282 __m128i* DK_mm = reinterpret_cast<__m128i*>(m_DK.data());
283 _mm_storeu_si128(DK_mm, K10);
284 _mm_storeu_si128(DK_mm + 1, _mm_aesimc_si128(K9));
285 _mm_storeu_si128(DK_mm + 2, _mm_aesimc_si128(K8));
286 _mm_storeu_si128(DK_mm + 3, _mm_aesimc_si128(K7));
287 _mm_storeu_si128(DK_mm + 4, _mm_aesimc_si128(K6));
288 _mm_storeu_si128(DK_mm + 5, _mm_aesimc_si128(K5));
289 _mm_storeu_si128(DK_mm + 6, _mm_aesimc_si128(K4));
290 _mm_storeu_si128(DK_mm + 7, _mm_aesimc_si128(K3));
291 _mm_storeu_si128(DK_mm + 8, _mm_aesimc_si128(K2));
292 _mm_storeu_si128(DK_mm + 9, _mm_aesimc_si128(K1));
293 _mm_storeu_si128(DK_mm + 10, K0);
294}
Definition simd_32.h:76
References Botan::SIMD_4x32::load_le(), and Botan::SIMD_4x32::store_le().
◆ BOTAN_FUNC_ISA() [4/4]
| Botan::BOTAN_FUNC_ISA | ( | BOTAN_VPERM_ISA | ) |
Definition at line 483 of file zfec_vperm.cpp.
483 {
484 const auto mask = SIMD_4x32::splat_u8(0x0F);
485
486 // fetch the lookup tables for the given y
487 const auto t_lo = SIMD_4x32::load_le(GFTBL + 32 * y);
488 const auto t_hi = SIMD_4x32::load_le(GFTBL + 32 * y + 16);
489
490 const size_t orig_size = size;
491
492 while(size >= 16) {
493 const auto x_1 = SIMD_4x32::load_le(x);
494 auto z_1 = SIMD_4x32::load_le(z);
495
496 // mask to get LO nibble for LO LUT input
497 const auto x_lo = x_1 & mask;
498 // mask to get HI nibble for HI LUT input
499 const auto x_hi = x_1.shr<4>() & mask;
500
501 // 16x parallel lookups
502 const auto r_lo = table_lookup(t_lo, x_lo);
503 const auto r_hi = table_lookup(t_hi, x_hi);
504
505 // sum the outputs.
506 z_1 ^= r_lo;
507 z_1 ^= r_hi;
508
509 z_1.store_le(z);
510
511 x += 16;
512 z += 16;
513 size -= 16;
514 }
515
516 return orig_size - size;
517}
References Botan::SIMD_4x32::load_le(), and Botan::SIMD_4x32::splat_u8().
◆ BOTAN_FUNC_ISA_INLINE()
| Botan::BOTAN_FUNC_ISA_INLINE | ( | " | gfni, |
| avx2" | ) const & |
◆ buffer_insert() [1/2]
template<typename T , typename Alloc , typename Alloc2 >
| size_t Botan::buffer_insert | ( | std::vector< T, Alloc > & | buf, |
| size_t | buf_offset, | ||
| const std::vector< T, Alloc2 > & | input ) |
Definition at line 325 of file mem_ops.h.
325 {
326 BOTAN_ASSERT_NOMSG(buf_offset <= buf.size());
327 const size_t to_copy = std::min(input.size(), buf.size() - buf_offset);
328 if(to_copy > 0) {
329 copy_mem(&buf[buf_offset], input.data(), to_copy);
330 }
331 return to_copy;
332}
References BOTAN_ASSERT_NOMSG, and copy_mem().
◆ buffer_insert() [2/2]
template<typename T , typename Alloc >
| size_t Botan::buffer_insert | ( | std::vector< T, Alloc > & | buf, |
| size_t | buf_offset, | ||
| const T | input[], | ||
| size_t | input_length ) |
Definition at line 314 of file mem_ops.h.
314 {
315 BOTAN_ASSERT_NOMSG(buf_offset <= buf.size());
316 const size_t to_copy = std::min(input_length, buf.size() - buf_offset);
317 if(to_copy > 0) {
318 copy_mem(&buf[buf_offset], input, to_copy);
319 }
320 return to_copy;
321}
References BOTAN_ASSERT_NOMSG, and copy_mem().
◆ carry()
template<size_t S, int64_t MUL = 1>
requires (S > 0 && S < 64)
requires (S > 0 && S < 64)
|
inline |
Definition at line 28 of file ed25519_internal.h.
30{
31 const int64_t X1 = (static_cast<int64_t>(1) << S);
32 const int64_t X2 = (static_cast<int64_t>(1) << (S - 1));
33 int64_t c = (h0 + X2) >> S;
34 h1 += c * MUL;
35 h0 -= c * X1;
36}
Referenced by basecase_mul(), basecase_sqr(), bigint_add2_nc(), bigint_add3_nc(), bigint_cnd_abs(), bigint_cnd_add(), bigint_cnd_add_or_sub(), bigint_cnd_addsub(), bigint_cnd_sub(), bigint_linmul2(), bigint_linmul3(), bigint_mod_sub(), bigint_mod_sub_n(), bigint_modop_vartime(), bigint_shl1(), bigint_shl2(), bigint_shr1(), bigint_shr2(), Botan::Streebog::compress_64(), Botan::FE_25519::from_bytes(), ge_scalarmult_base(), Botan::BigInt::mul(), Botan::FE_25519::mul(), Botan::BigInt::operator*=(), Botan::donna128::operator+=(), Botan::donna128::operator+=(), redc_crandall(), redc_p521(), sc_muladd(), sc_reduce(), Botan::EC_Group_Data::scalar_from_bytes_with_trunc(), shift_left(), shift_right(), Botan::Sodium::sodium_add(), Botan::Sodium::sodium_increment(), Botan::FE_25519::sqr2(), Botan::FE_25519::sqr_iter(), word3_muladd(), word3_muladd_2(), word4_add3(), word4_sub3(), word8_add2(), word8_add3(), word8_linmul2(), word8_linmul3(), word8_madd3(), word8_sub2(), word8_sub2_rev(), word8_sub3(), word_add(), word_madd2(), word_madd3(), word_sub(), and xts_update_tweak_block().
◆ carry0() [1/2]
template<size_t S>
requires (S > 0 && S < 32)
requires (S > 0 && S < 32)
|
inline |
Definition at line 49 of file ed25519_internal.h.
51{
52 const int32_t X1 = (static_cast<int64_t>(1) << S);
53 int32_t c = h0 >> S;
54 h1 += c;
55 h0 -= c * X1;
56}
◆ carry0() [2/2]
template<size_t S>
requires (S > 0 && S < 64)
requires (S > 0 && S < 64)
|
inline |
Definition at line 39 of file ed25519_internal.h.
41{
42 const int64_t X1 = (static_cast<int64_t>(1) << S);
43 int64_t c = h0 >> S;
44 h1 += c;
45 h0 -= c * X1;
46}
Referenced by sc_muladd(), sc_reduce(), and Botan::FE_25519::to_bytes().
◆ carry_shift()
|
inlineconstexpr |
Definition at line 133 of file donna128.h.
133 {
134 return (a >> shift).lo();
135}
Referenced by bigint_shl1(), bigint_shl2(), bigint_shr1(), and bigint_shr2().
◆ cast_char_ptr_to_uint8() [1/2]
|
inline |
◆ cast_char_ptr_to_uint8() [2/2]
|
inline |
Definition at line 273 of file mem_ops.h.
273 {
274 return reinterpret_cast<const uint8_t*>(s);
275}
Referenced by Botan::DER_Encoder::add_object(), Botan::TLS::append_tls_length_value(), Botan::BigInt::BigInt(), botan_mp_set_from_radix_str(), check_bcrypt(), Botan::cSHAKE_XOF::cSHAKE_XOF(), Botan::CryptoBox::decrypt(), Botan::CryptoBox::decrypt_bin(), Botan::KDF::derive_key(), Botan::KDF::derive_key(), Botan::KDF::derive_key(), Botan::PK_Key_Agreement::derive_key(), Botan::PK_Key_Agreement::derive_key(), Botan::Scrypt::derive_key(), Botan::Encrypted_PSK_Database::get(), hkdf_expand_label(), Botan::Pipe::process_msg(), Botan::Encrypted_PSK_Database::remove(), Botan::TLS::Channel::send(), Botan::TLS::Application_Layer_Protocol_Notification::serialize(), Botan::TLS::Server_Name_Indicator::serialize(), Botan::Encrypted_PSK_Database::set(), Botan::PSK_Database::set_str(), Botan::Buffered_Computation::update(), Botan::PK_Signer::update(), Botan::PK_Verifier::update(), Botan::HTTP::url_encode(), Botan::Roughtime::Response::validate(), Botan::Pipe::write(), Botan_FFI::write_str_output(), Botan_FFI::write_str_output(), and Botan_FFI::write_str_output().
◆ cast_uint8_ptr_to_char() [1/2]
|
inline |
Definition at line 277 of file mem_ops.h.
References b.
Referenced by Botan::BigInt::decode(), Botan::CryptoBox::decrypt(), Botan::Base64_Decoder::end_msg(), Botan::Hex_Decoder::end_msg(), Botan::PSK_Database::get_str(), Botan::TLS::TLS_Data_Reader::get_string(), Botan::HTTP::http_sync(), Botan::Encrypted_PSK_Database::list_names(), Botan::TPM2::Context::manufacturer(), Botan::HTTP::operator<<(), operator<<(), operator>>(), Botan::DataSource_Stream::peek(), Botan::DataSource_Stream::read(), Botan::Pipe::read_all_as_string(), Botan::ASN1::to_string(), Botan::TPM2::Context::vendor(), Botan::Base64_Decoder::write(), Botan::DataSink_Stream::write(), and Botan::Hex_Decoder::write().
◆ cast_uint8_ptr_to_char() [2/2]
|
inline |
◆ ceil_division()
◆ ceil_log2()
|
constexpr |
Definition at line 122 of file bit_ops.h.
124{
127 }
128
129 uint8_t result = 0;
130 T compare = 1;
131
132 while(compare < x) {
133 compare <<= 1;
134 result++;
135 }
136
137 return result;
138}
References T.
Referenced by bitlen(), Botan::BigInt::ct_shift_left(), Botan::McEliece_PublicKey::get_message_word_bit_length(), Botan::McEliece_PrivateKey::McEliece_PrivateKey(), Botan::McEliece_PrivateKey::McEliece_PrivateKey(), and mceliece_work_factor().
◆ ceil_tobytes()
Return the number of bytes necessary to contain bits bits.
Definition at line 157 of file bit_ops.h.
159{
160 return (bits + 7) / 8;
161}
Referenced by Botan::FrodoMatrix::unpack().
◆ chain_lengths()
| BOTAN_TEST_API std::vector< WotsHashIndex > Botan::chain_lengths | ( | const SphincsTreeNode & | msg, |
| const Sphincs_Parameters & | params ) |
Given a msg construct the lengths (amount of hashes for signature) for each WOTS+ chain, including the checksum.
Corresponds to FIPS 205, Algorithm 7 or 8, Step 1-7
Definition at line 91 of file sp_wots.cpp.
91 {
93
96
97 base_2_b(msg_base_w, msg.get(), params);
98 wots_checksum(checksum_base_w, msg_base_w, params);
99
100 return result;
101}
References Botan::detail::Strong_Base< T >::get(), Botan::Sphincs_Parameters::wots_len_1(), and Botan::Sphincs_Parameters::wots_len_2().
Referenced by wots_public_key_from_signature(), and xmss_sign_and_pkgen().
◆ check_bcrypt()
| bool Botan::check_bcrypt | ( | std::string_view | password, |
| std::string_view | hash ) |
Check a previously created password hash
Takes a password and a bcrypt hash and returns true if the password is the same as the one that was used to generate the bcrypt hash.
- Parameters
-
password the password to check against hash the stored hash to check against
Definition at line 159 of file bcrypt.cpp.
159 {
160 if(hash.size() != 60 || hash[0] != '$' || hash[1] != '2' || hash[3] != '$' || hash[6] != '$') {
161 return false;
162 }
163
164 const char bcrypt_version = hash[2];
165
166 if(bcrypt_version != 'a' && bcrypt_version != 'b' && bcrypt_version != 'y') {
167 return false;
168 }
169
171
172 const std::vector<uint8_t> salt = bcrypt_base64_decode(hash.substr(7, 22));
173 if(salt.size() != 16) {
174 return false;
175 }
176
177 const std::string compare = make_bcrypt(pass, salt, workfactor, bcrypt_version);
178
179 return CT::is_equal(cast_char_ptr_to_uint8(hash.data()), cast_char_ptr_to_uint8(compare.data()), compare.size())
180 .as_bool();
181}
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition mem_ops.h:273
References cast_char_ptr_to_uint8(), Botan::CT::is_equal(), and to_uint16().
Referenced by botan_bcrypt_is_valid().
◆ check_passhash9()
| bool Botan::check_passhash9 | ( | std::string_view | password, |
| std::string_view | hash ) |
Check a previously created password hash
- Parameters
-
password the password to check against hash the stored hash to check against
Definition at line 75 of file passhash9.cpp.
75 {
76 const size_t BINARY_LENGTH = ALGID_BYTES + WORKFACTOR_BYTES + PASSHASH9_PBKDF_OUTPUT_LEN + SALT_BYTES;
77
78 const size_t BASE64_LENGTH = MAGIC_PREFIX.size() + (BINARY_LENGTH * 8) / 6;
79
80 if(hash.size() != BASE64_LENGTH) {
81 return false;
82 }
83
84 for(size_t i = 0; i != MAGIC_PREFIX.size(); ++i) {
85 if(hash[i] != MAGIC_PREFIX[i]) {
86 return false;
87 }
88 }
89
90 secure_vector<uint8_t> bin = base64_decode(hash.data() + MAGIC_PREFIX.size());
91
92 if(bin.size() != BINARY_LENGTH) {
93 return false;
94 }
95
96 uint8_t alg_id = bin[0];
97
98 const size_t work_factor = load_be<uint16_t>(&bin[ALGID_BYTES], 0);
99
100 // Bug in the format, bad states shouldn't be representable, but are...
101 if(work_factor == 0) {
102 return false;
103 }
104
105 if(work_factor > 512) {
106 throw Invalid_Argument("Requested passhash9 work factor " + std::to_string(work_factor) + " is too large");
107 }
108
109 const size_t kdf_iterations = WORK_FACTOR_SCALE * work_factor;
110
111 auto pbkdf_prf = get_pbkdf_prf(alg_id);
112
113 if(!pbkdf_prf) {
114 return false; // unknown algorithm, reject
115 }
116
117 PKCS5_PBKDF2 kdf(std::move(pbkdf_prf));
118
119 secure_vector<uint8_t> cmp =
120 kdf.derive_key(PASSHASH9_PBKDF_OUTPUT_LEN, pass, &bin[ALGID_BYTES + WORKFACTOR_BYTES], SALT_BYTES, kdf_iterations)
121 .bits_of();
122
123 const uint8_t* hashbytes = &bin[ALGID_BYTES + WORKFACTOR_BYTES + SALT_BYTES];
124
125 return CT::is_equal(cmp.data(), hashbytes, PASSHASH9_PBKDF_OUTPUT_LEN).as_bool();
126}
References base64_decode(), Botan::OctetString::bits_of(), Botan::PBKDF::derive_key(), Botan::CT::is_equal(), and load_be().
◆ checked_add() [1/2]
template<std::unsigned_integral T>
|
inlineconstexpr |
Definition at line 19 of file int_utils.h.
Referenced by checked_add(), Botan::AlternativeName::count(), and Botan::OID::encode_into().
◆ checked_add() [2/2]
template<std::unsigned_integral T, std::unsigned_integral... Ts>
requires all_same_v<T, Ts...>
requires all_same_v<T, Ts...>
|
inlineconstexpr |
Definition at line 37 of file int_utils.h.
37 {
40 } else {
41 return {};
42 }
43}
References b, and checked_add().
◆ checked_cast_to()
template<typename RT , typename AT >
requires std::integral<strong_type_wrapped_type<RT>> && std::integral<strong_type_wrapped_type<AT>>
requires std::integral<strong_type_wrapped_type<RT>> && std::integral<strong_type_wrapped_type<AT>>
|
constexpr |
Definition at line 74 of file int_utils.h.
74 {
75 return checked_cast_to_or_throw<RT, Internal_Error>(i, "Error during integer conversion");
76}
References checked_cast_to_or_throw().
Referenced by Botan::ML_DSA_MessageHash::start(), and Botan::HSS_LMS_PublicKeyInternal::verify_signature().
◆ checked_cast_to_or_throw()
template<typename RT , typename ExceptionType , typename AT >
requires std::integral<strong_type_wrapped_type<RT>> && std::integral<strong_type_wrapped_type<AT>>
requires std::integral<strong_type_wrapped_type<RT>> && std::integral<strong_type_wrapped_type<AT>>
|
constexpr |
Definition at line 61 of file int_utils.h.
61 {
63
65 if(unwrapped_input != static_cast<strong_type_wrapped_type<AT>>(unwrapped_result)) [[unlikely]] {
66 throw ExceptionType(error_msg_on_fail);
67 }
68
69 return wrap_strong_type<RT>(unwrapped_result);
70}
constexpr decltype(auto) unwrap_strong_type(T &&t)
Generically unwraps a strong type to its underlying type.
Definition strong_type.h:198
typename detail::wrapped_type_helper< std::remove_cvref_t< T > >::type strong_type_wrapped_type
Extracts the wrapped type from a strong type.
Definition strong_type.h:262
References unwrap_strong_type(), and wrap_strong_type().
Referenced by checked_cast_to(), and Botan::HSS_LMS_Params::HSS_LMS_Params().
◆ checked_mul()
template<std::unsigned_integral T>
|
inlineconstexpr |
Definition at line 46 of file int_utils.h.
46 {
47 // Multiplication by 1U is a hack to work around C's insane
48 // integer promotion rules.
49 // https://stackoverflow.com/questions/24795651
51 // If a == 0 then the multiply certainly did not overflow
52 // Otherwise r / a == b unless overflow occured
53 if(a != 0 && r / a != b) {
54 return {};
55 }
56 return r;
57}
Referenced by Botan::mlock_allocator::allocate(), allocate_memory(), and Botan::mlock_allocator::deallocate().
◆ checked_sub()
Definition at line 28 of file int_utils.h.
References b.
◆ choose()
Definition at line 193 of file bit_ops.h.
193 {
194 //return (mask & a) | (~mask & b);
195 return (b ^ (mask & (a ^ b)));
196}
References b.
Referenced by majority(), Botan::CT::Mask< T >::select(), Botan::CT::Mask< T >::select_n(), SHA2_32_F(), and SHA2_64_F().
◆ clear_bytes()
|
inlineconstexpr |
Zero out some bytes. Warning: use secure_scrub_memory instead if the memory is about to be freed or otherwise the compiler thinks it can elide the writes.
- Parameters
-
ptr a pointer to memory to zero bytes the number of bytes to zero in ptr
Definition at line 103 of file mem_ops.h.
103 {
104 if(bytes > 0) {
105 std::memset(ptr, 0, bytes);
106 }
107}
Referenced by clear_mem(), clear_mem(), and Botan::Memory_Pool::Memory_Pool().
◆ clear_mem() [1/2]
template<ranges::contiguous_output_range R>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<R>>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<R>>
|
inlineconstexpr |
Zero memory before use. This simply calls memset and should not be used in cases where the compiler cannot see the call as a side-effecting operation.
- Parameters
-
mem a contiguous range of Ts to zero
Definition at line 132 of file mem_ops.h.
References clear_bytes(), and Botan::ranges::size_bytes().
◆ clear_mem() [2/2]
Zero memory before use. This simply calls memset and should not be used in cases where the compiler cannot see the call as a side-effecting operation (for example, if calling clear_mem before deallocating memory, the compiler would be allowed to omit the call to memset entirely under the as-if rule.)
- Parameters
-
ptr a pointer to an array of Ts to zero n the number of Ts pointed to by ptr
Definition at line 120 of file mem_ops.h.
References clear_bytes(), and T.
Referenced by base_decode(), basecase_mul(), basecase_sqr(), bigint_monty_redc_16(), bigint_monty_redc_24(), bigint_monty_redc_32(), bigint_monty_redc_4(), bigint_monty_redc_6(), bigint_monty_redc_8(), bigint_monty_redc_generic(), bigint_mul(), bigint_shl1(), bigint_shr1(), bigint_sqr(), Botan_FFI::botan_view_bin_bounce_fn(), Botan::AlignmentBuffer< T, BLOCK_SIZE, FINAL_BLOCK_STRATEGY >::clear(), Botan::CT::copy_output(), create_aes_row_generator(), Botan::Sodium::crypto_secretbox_xsalsa20poly1305(), Botan::Sodium::crypto_secretbox_xsalsa20poly1305_open(), Botan::BigInt::ct_reduce_below(), Botan::BigInt::ct_shift_left(), Botan::Bcrypt_PBKDF::derive_key(), Botan::ZFEC::encode_shares(), Botan::BigInt::encode_words(), Botan::FE_25519::FE_25519(), Botan::AlignmentBuffer< T, BLOCK_SIZE, FINAL_BLOCK_STRATEGY >::fill_up_with_zeros(), Botan::StreamCipher::generate_keystream(), Botan::Gf448Elem::Gf448Elem(), hex_decode(), Botan::BLAKE2b::key_schedule(), Botan::PKCS11::MechanismWrapper::MechanismParameters::MechanismParameters(), Botan::EC_Point_Var_Point_Precompute::mul(), pbkdf2(), Botan::CRYSTALS::Trait_Base< ConstantsT, DerivedT >::polyvec_pointwise_acc_montgomery(), redc_p521(), Botan::Modular_Reducer::reduce(), Botan::BigInt::reduce_below(), Botan::BigInt::rev_sub(), Botan::polyn_gf2m::set_to_zero(), Botan::polyn_gf2m::sqmod_init(), Botan_FFI::write_output(), Botan::Zlib_Style_Stream< Stream, ByteType, StreamLenType >::Zlib_Style_Stream(), and Botan::Zlib_Style_Stream< Stream, ByteType, StreamLenType >::~Zlib_Style_Stream().
◆ comba_mul()
template<size_t N, WordType W>
|
inlineconstexpr |
Definition at line 948 of file mp_core.h.
948 {
949 if(!std::is_constant_evaluated()) {
950 if constexpr(std::same_as<W, word> && N == 4) {
952 }
953 if constexpr(std::same_as<W, word> && N == 6) {
954 return bigint_comba_mul6(z, x, y);
955 }
956 if constexpr(std::same_as<W, word> && N == 7) {
958 }
959 if constexpr(std::same_as<W, word> && N == 8) {
961 }
962 if constexpr(std::same_as<W, word> && N == 9) {
964 }
965 if constexpr(std::same_as<W, word> && N == 16) {
967 }
968 }
969
970 word3<W> accum;
971
972 for(size_t i = 0; i != 2 * N; ++i) {
973 const size_t start = i + 1 < N ? 0 : i + 1 - N;
974 const size_t end = std::min(N, i + 1);
975
976 for(size_t j = start; j != end; ++j) {
977 accum.mul(x[j], y[i - j]);
978 }
979 z[i] = accum.extract();
980 }
981}
void bigint_comba_mul7(word z[14], const word x[7], const word y[7])
Definition mp_comba.cpp:221
References bigint_comba_mul16(), bigint_comba_mul4(), bigint_comba_mul6(), bigint_comba_mul7(), bigint_comba_mul8(), bigint_comba_mul9(), Botan::word3< W >::extract(), and Botan::word3< W >::mul().
◆ comba_sqr()
template<size_t N, WordType W>
|
inlineconstexpr |
Definition at line 984 of file mp_core.h.
984 {
985 if(!std::is_constant_evaluated()) {
986 if constexpr(std::same_as<W, word> && N == 4) {
988 }
989 if constexpr(std::same_as<W, word> && N == 6) {
990 return bigint_comba_sqr6(z, x);
991 }
992 if constexpr(std::same_as<W, word> && N == 7) {
994 }
995 if constexpr(std::same_as<W, word> && N == 8) {
997 }
998 if constexpr(std::same_as<W, word> && N == 9) {
1000 }
1001 if constexpr(std::same_as<W, word> && N == 16) {
1003 }
1004 }
1005
1006 word3<W> accum;
1007
1008 for(size_t i = 0; i != 2 * N; ++i) {
1009 const size_t start = i + 1 < N ? 0 : i + 1 - N;
1010 const size_t end = std::min(N, i + 1);
1011
1012 for(size_t j = start; j != end; ++j) {
1013 accum.mul(x[j], x[i - j]);
1014 }
1015 z[i] = accum.extract();
1016 }
1017}
void bigint_comba_sqr4(word z[8], const word x[4])
Definition mp_comba.cpp:16
void bigint_comba_sqr7(word z[14], const word x[7])
Definition mp_comba.cpp:171
References bigint_comba_sqr16(), bigint_comba_sqr4(), bigint_comba_sqr6(), bigint_comba_sqr7(), bigint_comba_sqr8(), bigint_comba_sqr9(), Botan::word3< W >::extract(), and Botan::word3< W >::mul().
◆ combine_lower()
|
inlineconstexpr |
Definition at line 137 of file donna128.h.
References b, and Botan::donna128::lo().
◆ commoncrypto_adjust_key_size()
| void Botan::commoncrypto_adjust_key_size | ( | const uint8_t | key[], |
| size_t | length, | ||
| const CommonCryptor_Opts & | opts, | ||
| secure_vector< uint8_t > & | full_key ) |
Definition at line 134 of file commoncrypto_utils.cpp.
137 {
139 size_t repeat;
140 switch(length) {
141 case 1:
142 repeat = 8;
143 break;
144 case 2:
145 repeat = 4;
146 break;
147 case 3:
148 repeat = 3;
149 break;
150 default:
151 repeat = 2;
152 break;
153 }
154
155 full_key.resize(length * repeat);
156 for(size_t i = 0; i < repeat; i++) {
157 copy_mem(full_key.data() + i * length, key, length);
158 }
160 full_key += std::make_pair(key, 8);
161 }
162}
References Botan::CommonCryptor_Opts::algo, and copy_mem().
◆ commoncrypto_opts_from_algo()
| CommonCryptor_Opts Botan::commoncrypto_opts_from_algo | ( | std::string_view | algo | ) |
Definition at line 96 of file commoncrypto_utils.cpp.
96 {
97 SCAN_Name spec(algo);
98
99 std::string algo_name = spec.algo_name();
100 std::string cipher_mode = spec.cipher_mode();
101 std::string cipher_mode_padding = spec.cipher_mode_pad();
102
104
105 //TODO add CFB and XTS support
106 if(cipher_mode.empty() || cipher_mode == "ECB") {
107 opts.mode = kCCModeECB;
108 } else if(cipher_mode == "CBC") {
109 opts.mode = kCCModeCBC;
110 } else if(cipher_mode == "CTR") {
111 opts.mode = kCCModeCTR;
112 } else if(cipher_mode == "OFB") {
113 opts.mode = kCCModeOFB;
114 } else {
115 throw CommonCrypto_Error("Unsupported cipher mode!");
116 }
117
118 if(cipher_mode_padding == "NoPadding") {
119 opts.padding = ccNoPadding;
120 }
121 /*
122 else if(cipher_mode_padding.empty() || cipher_mode_padding == "PKCS7")
123 {
124 opts.padding = ccPKCS7Padding;
125 }
126 */
127 else {
128 throw CommonCrypto_Error("Unsupported cipher mode padding!");
129 }
130
131 return opts;
132}
Definition scan_name.h:22
CommonCryptor_Opts commoncrypto_opts_from_algo_name(std::string_view algo_name)
Definition commoncrypto_utils.cpp:56
References Botan::SCAN_Name::algo_name(), Botan::SCAN_Name::cipher_mode(), Botan::SCAN_Name::cipher_mode_pad(), commoncrypto_opts_from_algo_name(), Botan::CommonCryptor_Opts::mode, and Botan::CommonCryptor_Opts::padding.
Referenced by make_commoncrypto_cipher_mode().
◆ commoncrypto_opts_from_algo_name()
| CommonCryptor_Opts Botan::commoncrypto_opts_from_algo_name | ( | std::string_view | algo_name | ) |
Definition at line 56 of file commoncrypto_utils.cpp.
56 {
57 CommonCryptor_Opts opts;
58
59 if(algo_name.compare(0, 3, "AES") == 0) {
60 opts.algo = kCCAlgorithmAES;
61 opts.block_size = kCCBlockSizeAES128;
62 if(algo_name == "AES-128") {
64 } else if(algo_name == "AES-192") {
65 opts.key_spec = Key_Length_Specification(kCCKeySizeAES192);
66 } else if(algo_name == "AES-256") {
67 opts.key_spec = Key_Length_Specification(kCCKeySizeAES256);
68 } else {
69 throw CommonCrypto_Error("Unknown AES algorithm");
70 }
71 } else if(algo_name == "DES") {
72 opts.algo = kCCAlgorithmDES;
73 opts.block_size = kCCBlockSizeDES;
74 opts.key_spec = Key_Length_Specification(kCCKeySizeDES);
75 } else if(algo_name == "TripleDES") {
76 opts.algo = kCCAlgorithm3DES;
77 opts.block_size = kCCBlockSize3DES;
78 opts.key_spec = Key_Length_Specification(16, kCCKeySize3DES, 8);
79 } else if(algo_name == "Blowfish") {
80 opts.algo = kCCAlgorithmBlowfish;
81 opts.block_size = kCCBlockSizeBlowfish;
82 opts.key_spec = Key_Length_Specification(1, kCCKeySizeMaxBlowfish, 1);
83 } else if(algo_name == "CAST-128") {
84 opts.algo = kCCAlgorithmCAST;
85 opts.block_size = kCCBlockSizeCAST;
86 // Botan's base implementation of CAST does not support shorter keys
87 // so we limit its minimum key size to 11 here.
88 opts.key_spec = Key_Length_Specification(11, kCCKeySizeMaxCAST, 1);
89 } else {
90 throw CommonCrypto_Error("Unsupported cipher");
91 }
92
93 return opts;
94}
Definition sym_algo.h:21
Key_Length_Specification key_spec
Definition commoncrypto_utils.h:22
References Botan::CommonCryptor_Opts::algo, Botan::CommonCryptor_Opts::block_size, and Botan::CommonCryptor_Opts::key_spec.
Referenced by commoncrypto_opts_from_algo(), and make_commoncrypto_block_cipher().
◆ compute_root() [1/2]
| BOTAN_TEST_API void Botan::compute_root | ( | StrongSpan< SphincsTreeNode > | out, |
| const Sphincs_Parameters & | params, | ||
| Sphincs_Hash_Functions & | hashes, | ||
| const SphincsTreeNode & | leaf, | ||
| TreeNodeIndex | leaf_idx, | ||
| uint32_t | idx_offset, | ||
| StrongSpan< const SphincsAuthenticationPath > | authentication_path, | ||
| uint32_t | tree_height, | ||
| Sphincs_Address & | tree_address ) |
Using a leaf node and the authentication path (neighbor nodes on the way from leaf to root), computes the the root node of the respective tree. This function is generic and used by FORS and XMSS in the SLH-DSA verification logic.
Definition at line 102 of file sp_treehash.cpp.
110 {
114
115 // Use the `out` parameter as intermediate buffer for left/right nodes
116 // while traversing the tree.
117 copy_mem(out, leaf);
118
119 // Views into either `auth_path` or `out` depending on the tree location.
120 StrongSpan<const SphincsTreeNode> left;
121 StrongSpan<const SphincsTreeNode> right;
122
123 BufferSlicer auth_path(authentication_path);
124
125 // The leaf is put in the left or right buffer, depending on its indexes parity.
126 // Same for the first node of the authentication path
127
129 // The input of the hash function takes the current node and the node
130 // given in the authentication path. If the current node is a right node
131 // in the tree (i.e. its leaf index is uneven) the hash function inputs
132 // must be swapped.
133 left = out;
135
136 if((leaf_idx & 1) == 1U) {
137 std::swap(left, right);
138 }
139
140 leaf_idx /= 2;
141 idx_offset /= 2;
143
144 hashes.T(out, tree_address, left, right);
145 }
146
147 BOTAN_ASSERT_NOMSG(auth_path.empty());
148}
Definition stl_util.h:84
Sphincs_Address & set_tree_height(TreeLayerIndex tree_height)
Definition sp_address.h:89
Sphincs_Address & set_tree_index(TreeNodeIndex tree_index)
Definition sp_address.h:99
void T(std::span< uint8_t > out, const Sphincs_Address &address, BufferTs &&... in)
Definition sp_hash.h:57
Definition strong_type.h:614
decltype(auto) size() const noexcept(noexcept(this->m_span.size()))
Definition strong_type.h:663
Definition strong_type.h:172
References BOTAN_ASSERT_NOMSG, copy_mem(), Botan::BufferSlicer::empty(), Botan::Sphincs_Parameters::n(), Botan::Sphincs_Address::set_tree_height(), Botan::Sphincs_Address::set_tree_index(), Botan::StrongSpan< T >::size(), Botan::Sphincs_Hash_Functions::T(), and Botan::BufferSlicer::take().
Referenced by fors_public_key_from_signature(), and ht_verify().
◆ compute_root() [2/2]
template<concepts::contiguous_strong_type TreeNode, concepts::strong_span AuthPathSS, concepts::tree_node_index TreeNodeIndex, concepts::tree_layer_index TreeLayerIndex, typename Address >
requires concepts::tree_address<Address, TreeLayerIndex, TreeNodeIndex>
requires concepts::tree_address<Address, TreeLayerIndex, TreeNodeIndex>
|
inline |
Uses an authentication path and a leaf node to reconstruct the root node of a merkle tree.
- Parameters
-
out_root A output buffer for the root node of the merkle tree. authentication_path The authentication path in one buffer (concatenated nodes). leaf_idx The index of the leaf used to sig in the bottom layer beginning with 0. leaf The leaf node used to sig. node_size The size of each node in the tree. total_tree_height The hight of the merkle tree to construct. idx_offset If we compute a subtree this marks the index of the leftmost leaf node in the bottom layer. node_pair_hash The function to process two child nodes to compute their parent node. tree_address The address that is passed to node_pair hash. This function will update the address accordings to the currently processed node. This object may contain further algorithm specific information, like the position of this merkle tree in a hypertree.
Definition at line 214 of file tree_hash.h.
223 {
225 BOTAN_ASSERT_NOMSG(authentication_path.size() == node_size * static_cast<size_t>(total_tree_height.get()));
227
228 // Use the `out` parameter as intermediate buffer for left/right nodes
229 // while traversing the tree.
230 copy_mem(out_root, leaf);
231
232 // Views into either `auth_path` or `out` depending on the tree location.
233 StrongSpan<const TreeNode> left;
234 StrongSpan<const TreeNode> right;
235
236 BufferSlicer auth_path(authentication_path);
237
238 // The leaf is put in the left or right buffer, depending on its indexes parity.
239 // Same for the first node of the authentication path
240
242 // The input of the hash function takes the current node and the node
243 // given in the authentication path. If the current node is a right node
244 // in the tree (i.e. its leaf index is uneven) the hash function inputs
245 // must be swapped.
246 left = out_root;
247 right = auth_path.take<TreeNode>(node_size);
248
249 if((leaf_idx & 1) == 1U) {
250 std::swap(left, right);
251 }
252
253 leaf_idx /= 2;
254 idx_offset /= 2;
255 tree_address.set_address(i + 1, leaf_idx + idx_offset);
256
257 node_pair_hash(out_root, tree_address, left, right);
258 }
259
260 BOTAN_ASSERT_NOMSG(auth_path.empty());
261}
References BOTAN_ASSERT_NOMSG, copy_mem(), Botan::BufferSlicer::empty(), Botan::detail::Strong_Base< T >::get(), Botan::StrongSpan< T >::size(), and Botan::BufferSlicer::take().
◆ concat()
template<typename OutR = detail::AutoDetect, ranges::spanable_range... Rs>
requires (all_same_v<std::ranges::range_value_t<Rs>...>)
requires (all_same_v<std::ranges::range_value_t<Rs>...>)
|
constexpr |
Concatenate an arbitrary number of buffers. Performs range-checks as needed.
The output type can be auto-detected based on the input ranges, or explicitly specified by the caller. If all input ranges have a static extent, the total size is calculated at compile time and a statically sized std::array<> is used. Otherwise this tries to use the type of the first input range as output type.
Alternatively, the output container type can be specified explicitly.
Definition at line 263 of file stl_util.h.
265{
266 if constexpr(std::same_as<detail::AutoDetect, OutR>) {
267 // Try to auto-detect a reasonable output type given the input ranges
268 static_assert(sizeof...(Rs) > 0, "Cannot auto-detect the output type if not a single input range is provided.");
269 using candidate_result_t = std::remove_cvref_t<std::tuple_element_t<0, std::tuple<Rs...>>>;
270 using result_range_value_t = std::remove_cvref_t<std::ranges::range_value_t<candidate_result_t>>;
271
273 // If all input ranges have a static extent, we can calculate the total size at compile time
274 // and therefore can use a statically sized output container. This is constexpr.
275 constexpr size_t total_size = (decltype(std::span{ranges})::extent + ... + 0);
276 using out_array_t = std::array<result_range_value_t, total_size>;
277 return detail::concatenate<out_array_t>(std::forward<Rs>(ranges)...);
278 } else {
279 // If at least one input range has a dynamic extent, we must use a dynamically allocated output container.
280 // We assume that the user wants to use the first input range's container type as output type.
281 static_assert(
282 concepts::reservable_container<candidate_result_t>,
283 "First input range has static extent, but a dynamically allocated output range is required. Please explicitly specify a dynamically allocatable output type.");
284 return detail::concatenate<candidate_result_t>(std::forward<Rs>(ranges)...);
285 }
286 } else {
287 // The caller has explicitly specified the output type
288 return detail::concatenate<OutR>(std::forward<Rs>(ranges)...);
289 }
290}
References Botan::detail::concatenate().
Referenced by Botan::PKIX::check_ocsp(), Botan::Kyber_Expanded_Keypair_Codec::encode_keypair(), Botan::ML_KEM_Expanding_Keypair_Codec::encode_keypair(), Botan::SphincsPlus_PrivateKey::private_key_bits(), Botan::FrodoKEM_PrivateKey::raw_private_key_bits(), Botan::FrodoKEM_PublicKey::raw_public_key_bits(), Botan::TLS::Hybrid_KEM_PublicKey::raw_public_key_bits(), Botan::XMSS_PublicKey::raw_public_key_bits(), Botan::HSS_LMS_PublicKeyInternal::to_bytes(), and Botan::LMS_PublicKey::to_bytes().
◆ constant_time_compare() [1/2]
|
inline |
Memory comparison, input insensitive
- Parameters
-
x a pointer to an array y a pointer to another array len the number of Ts in x and y
- Returns
- true iff x[i] == y[i] forall i in [0...n)
Definition at line 90 of file mem_ops.h.
90 {
91 // simply assumes that *x and *y point to len allocated bytes at least
93}
bool constant_time_compare(std::span< const uint8_t > x, std::span< const uint8_t > y)
Definition mem_ops.cpp:17
References constant_time_compare().
◆ constant_time_compare() [2/2]
| bool Botan::constant_time_compare | ( | std::span< const uint8_t > | x, |
| std::span< const uint8_t > | y ) |
Memory comparison, input insensitive
- Parameters
-
x a range of bytes y another range of bytes
- Returns
- true iff x and y have equal lengths and x[i] == y[i] forall i in [0...n)
Definition at line 17 of file mem_ops.cpp.
17 {
21 return (equal_content & equal_size).as_bool();
22}
References Botan::CT::Mask< T >::expand(), Botan::CT::is_equal(), Botan::CT::Mask< T >::is_equal(), and Botan::CT::Mask< T >::is_lte().
Referenced by constant_time_compare().
◆ copy_mem() [1/2]
template<ranges::contiguous_output_range OutR, ranges::contiguous_range InR>
requires std::is_same_v<std::ranges::range_value_t<OutR>, std::ranges::range_value_t<InR>> && std::is_trivially_copyable_v<std::ranges::range_value_t<InR>>
requires std::is_same_v<std::ranges::range_value_t<OutR>, std::ranges::range_value_t<InR>> && std::is_trivially_copyable_v<std::ranges::range_value_t<InR>>
|
inlineconstexpr |
Copy memory
- Parameters
-
out the destination array in the source array
Definition at line 162 of file mem_ops.h.
162 {
163 ranges::assert_equal_byte_lengths(out, in);
164 if(std::is_constant_evaluated()) {
165 std::copy(std::ranges::begin(in), std::ranges::end(in), std::ranges::begin(out));
166 } else if(ranges::size_bytes(out) > 0) {
167 std::memmove(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out));
168 }
169}
References Botan::ranges::assert_equal_byte_lengths(), and Botan::ranges::size_bytes().
◆ copy_mem() [2/2]
Copy memory
- Parameters
-
out the destination array in the source array n the number of elements of in/out
Definition at line 146 of file mem_ops.h.
146 {
147 BOTAN_ASSERT_IMPLICATION(n > 0, in != nullptr && out != nullptr, "If n > 0 then args are not null");
148
149 if(in != nullptr && out != nullptr && n > 0) {
151 }
152}
References BOTAN_ASSERT_IMPLICATION, and T.
Referenced by Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::TLS::Connection_Cipher_State::aead_nonce(), bigint_shl1(), bigint_shl2(), bigint_shr1(), bigint_shr2(), Botan::Argon2::blamka(), botan_privkey_ed25519_get_privkey(), botan_privkey_ed448_get_privkey(), botan_privkey_x25519_get_privkey(), botan_privkey_x448_get_privkey(), botan_pubkey_ed25519_get_pubkey(), botan_pubkey_ed448_get_pubkey(), botan_pubkey_x25519_get_pubkey(), botan_pubkey_x448_get_pubkey(), Botan_FFI::botan_view_bin_bounce_fn(), buffer_insert(), buffer_insert(), Botan::Ed25519_PublicKey::check_key(), Botan::CRYSTALS::Polynomial< Trait, D >::clone(), Botan::CRYSTALS::PolynomialVector< Trait, D >::clone(), commoncrypto_adjust_key_size(), Botan::Streebog::compress_64(), compute_root(), compute_root(), Botan::TPM2::copy_into(), Botan::TPM2::copy_into(), Botan::Sodium::crypto_auth_hmacsha512256(), Botan::Sodium::crypto_box_curve25519xsalsa20poly1305_seed_keypair(), curve25519_donna(), ed25519_gen_keypair(), Botan::Ed448_PublicKey::Ed448_PublicKey(), Botan::ML_KEM_Encryptor::encapsulate(), Botan::BigInt::encode_words(), Botan::CryptoBox::encrypt(), expand_message_xmd(), Botan::FE_25519::FE_25519(), Botan::RawHashFunction::final_result(), Botan::TLS::Stream_Handshake_IO::format(), Botan::CCM_Mode::format_b0(), Botan::CCM_Mode::format_c0(), Botan::TPM_Context::gen_random(), Botan::BER_Decoder::get_next_value(), Botan::Gf448Elem::Gf448Elem(), Botan::GHASH::ghash_update(), hkdf_expand_label(), Botan::HKDF_Expand::kdf(), Botan::HKDF_Extract::kdf(), Botan::KDF1::kdf(), Botan::KDF1_18033::kdf(), Botan::KDF2::kdf(), Botan::SP800_108_Counter::kdf(), Botan::SP800_108_Feedback::kdf(), Botan::SP800_108_Pipeline::kdf(), Botan::X942_PRF::kdf(), Botan::BLAKE2b::key_schedule(), mceliece_decrypt(), Botan::Montgomery_Params::mul_by(), Botan::Montgomery_Params::mul_by(), nist_key_unwrap(), nist_key_unwrap_padded(), nist_key_wrap(), nist_key_wrap_padded(), operator^(), Botan::DataSource_Memory::peek(), Botan::PseudorandomKeyGeneration::PseudorandomKeyGeneration(), Botan::DataSource_Memory::read(), Botan::Blowfish::salted_set_key(), Botan::Scalar448::Scalar448(), Botan::CTR_BE::seek(), Botan::EC_AffinePoint_Data_PC::serialize_uncompressed_to(), Botan::EC_AffinePoint_Data_BN::serialize_x_to(), Botan::EC_AffinePoint_Data_PC::serialize_x_to(), Botan::EC_AffinePoint_Data_BN::serialize_xy_to(), Botan::EC_AffinePoint_Data_PC::serialize_xy_to(), Botan::EC_AffinePoint_Data_BN::serialize_y_to(), Botan::EC_AffinePoint_Data_PC::serialize_y_to(), Botan::TLS::Session_Keys::Session_Keys(), Botan::CFB_Mode::shift_register(), Botan::HSS_LMS_PrivateKeyInternal::sign(), Botan::RTSS_Share::split(), Botan::polyn_gf2m::sqmod_init(), Botan::Montgomery_Params::square_this(), treehash(), treehash(), Botan::Base64_Decoder::write(), Botan::Base64_Encoder::write(), Botan::Buffered_Filter::write(), Botan::Hex_Decoder::write(), Botan::Hex_Encoder::write(), Botan_FFI::write_output(), and Botan::X448_PublicKey::X448_PublicKey().
◆ copy_out_be()
template<ranges::spanable_range InR>
|
inline |
Partially copy a subset of in into out using big-endian byte order.
Definition at line 801 of file loadstor.h.
801 {
803 std::span<const T> in_s{in};
804 const auto remaining_bytes = detail::copy_out_any_word_aligned_portion<detail::Endianness::Big>(out, in_s);
805
806 // copy remaining bytes as a partial word
807 for(size_t i = 0; i < remaining_bytes; ++i) {
808 out[i] = get_byte_var(i, in_s.front());
809 }
810}
References Botan::detail::copy_out_any_word_aligned_portion(), get_byte_var(), and T.
◆ copy_out_le()
template<ranges::spanable_range InR>
|
inline |
Partially copy a subset of in into out using little-endian byte order.
Definition at line 817 of file loadstor.h.
817 {
819 std::span<const T> in_s{in};
820 const auto remaining_bytes = detail::copy_out_any_word_aligned_portion<detail::Endianness::Little>(out, in_s);
821
822 // copy remaining bytes as a partial word
823 for(size_t i = 0; i < remaining_bytes; ++i) {
825 }
826}
References Botan::detail::copy_out_any_word_aligned_portion(), get_byte_var(), and T.
Referenced by Botan::BLAKE2b::final_result(), and xts_update_tweak_block().
◆ crandall_p()
template<WordType W, size_t N, W C>
|
consteval |
Return 2**B - C
Definition at line 1101 of file mp_core.h.
1101 {
1102 static_assert(C % 2 == 1);
1103 std::array<W, N> P;
1104 for(size_t i = 0; i != N; ++i) {
1105 P[i] = WordInfo<W>::max;
1106 }
1107 P[0] = WordInfo<W>::max - (C - 1);
1108 return P;
1109}
Referenced by redc_crandall().
◆ create_aes_row_generator()
|
inline |
Definition at line 25 of file frodo_aes_generator.h.
25 {
27
29 AES_128 aes;
30 aes.set_key(seed);
31 return aes;
32 };
33
34 return [n = static_cast<uint16_t>(constants.n()), aes = setup_aes(seed_a)](std::span<uint8_t> out, uint16_t i) {
35 BufferStuffer out_bs(out);
36
37 BOTAN_DEBUG_ASSERT(out_bs.remaining_capacity() % AES_128::BLOCK_SIZE == 0);
38
39 for(uint16_t j = 0; j < n; j += AES_128::BLOCK_SIZE / 2) {
40 // set up the to-be-encrypted 'b' value in the out variable
41 // for in-place encryption of the block cipher
42 // b = i || j || 0000...
43 out_bs.append(store_le(i, j));
44 clear_mem(out_bs.next<AES_128::BLOCK_SIZE - sizeof(i) - sizeof(j)>());
45 }
46
47 BOTAN_DEBUG_ASSERT(out_bs.full());
48
49 aes.encrypt(out);
50 };
51}
Definition aes.h:18
void encrypt(const uint8_t in[], uint8_t out[]) const
Definition block_cipher.h:75
References Botan::BufferStuffer::append(), Botan::Block_Cipher_Fixed_Params< 16, 16 >::BLOCK_SIZE, BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, clear_mem(), Botan::BufferStuffer::full(), Botan::FrodoKEMMode::is_aes(), Botan::FrodoKEMConstants::mode(), Botan::FrodoKEMConstants::n(), Botan::BufferStuffer::next(), Botan::BufferStuffer::remaining_capacity(), Botan::SymmetricAlgorithm::set_key(), and store_le().
◆ create_ec_private_key()
| std::unique_ptr< Private_Key > Botan::create_ec_private_key | ( | std::string_view | algo_name, |
| const EC_Group & | group, | ||
| RandomNumberGenerator & | rng ) |
Create a new ECC key
Definition at line 425 of file pk_algs.cpp.
427 {
428 // Potentially unused if all EC algorithms are disabled
429 BOTAN_UNUSED(alg_name, ec_group, rng);
430
431#if defined(BOTAN_HAS_ECDSA)
432 if(alg_name == "ECDSA") {
433 return std::make_unique<ECDSA_PrivateKey>(rng, ec_group);
434 }
435#endif
436
437#if defined(BOTAN_HAS_ECDH)
438 if(alg_name == "ECDH") {
439 return std::make_unique<ECDH_PrivateKey>(rng, ec_group);
440 }
441#endif
442
443#if defined(BOTAN_HAS_ECKCDSA)
444 if(alg_name == "ECKCDSA") {
445 return std::make_unique<ECKCDSA_PrivateKey>(rng, ec_group);
446 }
447#endif
448
449#if defined(BOTAN_HAS_GOST_34_10_2001)
450 if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" || alg_name == "GOST-34.10-2012-512") {
451 return std::make_unique<GOST_3410_PrivateKey>(rng, ec_group);
452 }
453#endif
454
455#if defined(BOTAN_HAS_SM2)
456 if(alg_name == "SM2" || alg_name == "SM2_Sig" || alg_name == "SM2_Enc") {
457 return std::make_unique<SM2_PrivateKey>(rng, ec_group);
458 }
459#endif
460
461#if defined(BOTAN_HAS_ECGDSA)
462 if(alg_name == "ECGDSA") {
463 return std::make_unique<ECGDSA_PrivateKey>(rng, ec_group);
464 }
465#endif
466
467 return nullptr;
468}
References BOTAN_UNUSED.
Referenced by create_private_key().
◆ create_hex_fingerprint() [1/2]
| std::string Botan::create_hex_fingerprint | ( | const uint8_t | bits[], |
| size_t | bits_len, | ||
| std::string_view | hash_name ) |
Definition at line 30 of file pk_keys.cpp.
30 {
31 auto hash_fn = HashFunction::create_or_throw(hash_name);
33
34 std::string fprint;
35
36 for(size_t i = 0; i != hex_hash.size(); i += 2) {
37 if(i != 0) {
38 fprint.push_back(':');
39 }
40
41 fprint.push_back(hex_hash[i]);
42 fprint.push_back(hex_hash[i + 1]);
43 }
44
45 return fprint;
46}
void hex_encode(char output[], const uint8_t input[], size_t input_length, bool uppercase)
Definition hex.cpp:35
References Botan::HashFunction::create_or_throw(), and hex_encode().
Referenced by create_hex_fingerprint(), Botan::X509_Certificate::fingerprint(), Botan::Private_Key::fingerprint_private(), and Botan::Public_Key::fingerprint_public().
◆ create_hex_fingerprint() [2/2]
|
inline |
Definition at line 397 of file pk_keys.h.
397 {
399}
std::string create_hex_fingerprint(const uint8_t bits[], size_t bits_len, std::string_view hash_name)
Definition pk_keys.cpp:30
References create_hex_fingerprint().
◆ create_pk_from_sk()
| BOTAN_TEST_API std::array< uint8_t, ED448_LEN > Botan::create_pk_from_sk | ( | std::span< const uint8_t, ED448_LEN > | sk | ) |
Create a public key point from a secret key (RFC 8032 5.2.5)
Definition at line 224 of file ed448_internal.cpp.
224 {
225 // 5.2.5. Key Generation
226 // The 57-byte public key is generated by the following steps:
228 shake_xof.update(sk);
229
231 // 3. Interpret the buffer as the little-endian integer, forming a
232 // secret scalar s. Perform a known-base-point scalar
233 // multiplication [s]B.
234 return (s * Ed448Point::base_point()).encode();
235}
Definition shake_xof.h:66
References Botan::Ed448Point::base_point().
Referenced by Botan::Ed448_PrivateKey::Ed448_PrivateKey(), and Botan::Ed448_PrivateKey::Ed448_PrivateKey().
◆ create_private_key()
| std::unique_ptr< Private_Key > Botan::create_private_key | ( | std::string_view | algo_name, |
| RandomNumberGenerator & | rng, | ||
| std::string_view | algo_params = "", | ||
| std::string_view | provider = "" ) |
Create a new key For ECC keys, algo_params specifies EC group (eg, "secp256r1") For DH/DSA/ElGamal keys, algo_params is DL group (eg, "modp/ietf/2048") For RSA, algo_params is integer keylength For McEliece, algo_params is n,t If algo_params is left empty, suitable default parameters are chosen.
Definition at line 470 of file pk_algs.cpp.
473 {
474 /*
475 * Default paramaters are chosen for work factor > 2**128 where possible
476 */
477
478#if defined(BOTAN_HAS_X25519)
479 if(alg_name == "X25519" || alg_name == "Curve25519") {
480 return std::make_unique<X25519_PrivateKey>(rng);
481 }
482#endif
483
484#if defined(BOTAN_HAS_X448)
485 if(alg_name == "X448") {
486 return std::make_unique<X448_PrivateKey>(rng);
487 }
488#endif
489
490#if defined(BOTAN_HAS_RSA)
491 if(alg_name == "RSA") {
493 return std::make_unique<RSA_PrivateKey>(rng, modulus_bits);
494 }
495#endif
496
497#if defined(BOTAN_HAS_MCELIECE)
498 if(alg_name == "McEliece") {
499 const auto [n, t] = [&]() -> std::pair<size_t, size_t> {
500 if(params.empty()) {
501 return {2960, 57};
502 }
503
505
506 if(mce_params.size() != 2) {
508 }
509
512 return {mce_n, mce_t};
513 }();
514
515 return std::make_unique<McEliece_PrivateKey>(rng, n, t);
516 }
517#endif
518
519#if defined(BOTAN_HAS_FRODOKEM)
520 if(alg_name == "FrodoKEM") {
521 const auto mode = params.empty() ? FrodoKEMMode::FrodoKEM976_SHAKE : FrodoKEMMode(params);
522 return std::make_unique<FrodoKEM_PrivateKey>(rng, mode);
523 }
524#endif
525
526#if defined(BOTAN_HAS_KYBER) || defined(BOTAN_HAS_KYBER_90S)
527 if(alg_name == "Kyber") {
528 const auto mode = [&]() -> KyberMode {
529 if(params.empty()) {
530 return KyberMode::Kyber1024_R3;
531 }
532 return KyberMode(params);
533 }();
534
535 return std::make_unique<Kyber_PrivateKey>(rng, mode);
536 }
537#endif
538
539#if defined(BOTAN_HAS_ML_KEM)
540 if(alg_name == "ML-KEM") {
541 const auto mode = [&]() -> ML_KEM_Mode {
542 if(params.empty()) {
543 return ML_KEM_Mode::ML_KEM_768;
544 }
546 }();
547
548 return std::make_unique<ML_KEM_PrivateKey>(rng, mode);
549 }
550#endif
551
552#if defined(BOTAN_HAS_DILITHIUM) || defined(BOTAN_HAS_DILITHIUM_AES)
553 if(alg_name == "Dilithium" || alg_name.starts_with("Dilithium-")) {
554 const auto mode = [&]() -> DilithiumMode {
555 if(params.empty()) {
556 return DilithiumMode::Dilithium6x5;
557 }
558 return DilithiumMode(params);
559 }();
560
561 return std::make_unique<Dilithium_PrivateKey>(rng, mode);
562 }
563#endif
564
565#if defined(BOTAN_HAS_ML_DSA)
566 if(alg_name == "ML-DSA") {
567 const auto mode = [&]() -> ML_DSA_Mode {
568 if(params.empty()) {
569 return ML_DSA_Mode::ML_DSA_6x5;
570 }
572 }();
573
574 return std::make_unique<ML_DSA_PrivateKey>(rng, mode);
575 }
576#endif
577
578#if defined(BOTAN_HAS_HSS_LMS)
579 if(alg_name == "HSS-LMS") {
580 return std::make_unique<HSS_LMS_PrivateKey>(rng, params);
581 }
582#endif
583
584#if defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2) || defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE)
585 if(alg_name == "SPHINCS+" || alg_name == "SphincsPlus") {
586 auto sphincs_params = Sphincs_Parameters::create(params);
587
588 return std::make_unique<SphincsPlus_PrivateKey>(rng, sphincs_params);
589 }
590#endif
591
592#if defined(BOTAN_HAS_SLH_DSA_WITH_SHA2) || defined(BOTAN_HAS_SLH_DSA_WITH_SHAKE)
593 if(alg_name == "SLH-DSA") {
594 auto slh_dsa_params = SLH_DSA_Parameters::create(params);
595
596 return std::make_unique<SLH_DSA_PrivateKey>(rng, slh_dsa_params);
597 }
598#endif
599
600#if defined(BOTAN_HAS_XMSS_RFC8391)
601 if(alg_name == "XMSS") {
602 const auto xmss_oid = [&]() -> XMSS_Parameters::xmss_algorithm_t {
603 if(params.empty()) {
604 return XMSS_Parameters::XMSS_SHA2_10_512;
605 }
606 return XMSS_Parameters(params).oid();
607 }();
608
609 return std::make_unique<XMSS_PrivateKey>(xmss_oid, rng);
610 }
611#endif
612
613#if defined(BOTAN_HAS_ED25519)
614 if(alg_name == "Ed25519") {
615 return std::make_unique<Ed25519_PrivateKey>(rng);
616 }
617#endif
618
619#if defined(BOTAN_HAS_ED448)
620 if(alg_name == "Ed448") {
621 return std::make_unique<Ed448_PrivateKey>(rng);
622 }
623#endif
624
625 // ECC crypto
626#if defined(BOTAN_HAS_ECC_PUBLIC_KEY_CRYPTO)
627
628 if(alg_name == "ECDSA" || alg_name == "ECDH" || alg_name == "ECKCDSA" || alg_name == "ECGDSA" || alg_name == "SM2" ||
629 alg_name == "SM2_Sig" || alg_name == "SM2_Enc" || alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" ||
630 alg_name == "GOST-34.10-2012-512") {
631 const std::string group_id = [&]() -> std::string {
632 if(!params.empty()) {
633 return std::string(params);
634 }
635 if(alg_name == "SM2" || alg_name == "SM2_Enc" || alg_name == "SM2_Sig") {
636 return "sm2p256v1";
637 }
638 if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256") {
639 return "gost_256A";
640 }
641 if(alg_name == "GOST-34.10-2012-512") {
642 return "gost_512A";
643 }
644 if(alg_name == "ECGDSA") {
645 return "brainpool256r1";
646 }
647 return "secp256r1";
648 }();
649
650 auto ec_group = EC_Group::from_name(group_id);
652 }
653#endif
654
655 // DL crypto
656#if defined(BOTAN_HAS_DL_GROUP)
657 if(alg_name == "DH" || alg_name == "DSA" || alg_name == "ElGamal") {
658 const std::string group_id = [&]() -> std::string {
659 if(!params.empty()) {
660 return std::string(params);
661 }
662 if(alg_name == "DSA") {
663 return "dsa/botan/2048";
664 }
665 return "modp/ietf/2048";
666 }();
667
668 DL_Group modp_group(group_id);
669
670 #if defined(BOTAN_HAS_DIFFIE_HELLMAN)
671 if(alg_name == "DH") {
672 return std::make_unique<DH_PrivateKey>(rng, modp_group);
673 }
674 #endif
675
676 #if defined(BOTAN_HAS_DSA)
677 if(alg_name == "DSA") {
678 return std::make_unique<DSA_PrivateKey>(rng, modp_group);
679 }
680 #endif
681
682 #if defined(BOTAN_HAS_ELGAMAL)
683 if(alg_name == "ElGamal") {
684 return std::make_unique<ElGamal_PrivateKey>(rng, modp_group);
685 }
686 #endif
687 }
688#endif
689
690 BOTAN_UNUSED(alg_name, rng, params, provider);
691
692 return std::unique_ptr<Private_Key>();
693}
std::unique_ptr< Private_Key > create_ec_private_key(std::string_view alg_name, const EC_Group &ec_group, RandomNumberGenerator &rng)
Definition pk_algs.cpp:425
References BOTAN_UNUSED, Botan::Sphincs_Parameters::create(), create_ec_private_key(), Botan::DilithiumMode::Dilithium6x5, fmt(), Botan::FrodoKEMMode::FrodoKEM976_SHAKE, Botan::EC_Group::from_name(), Botan::KyberMode::Kyber1024_R3, Botan::DilithiumMode::ML_DSA_6x5, Botan::KyberMode::ML_KEM_768, Botan::XMSS_Parameters::oid(), split_on(), to_u32bit(), and Botan::XMSS_Parameters::XMSS_SHA2_10_512.
Referenced by botan_privkey_create(), and Botan::TLS::Hybrid_KEM_PrivateKey::generate_from_group().
◆ create_shake_row_generator()
|
inline |
Definition at line 23 of file frodo_shake_generator.h.
23 {
25
26 return [xof = SHAKE_128_XOF(), a = FrodoSeedA(seed_a)](std::span<uint8_t> out, uint16_t i) mutable {
27 xof.clear();
28 xof.update(store_le(i));
29 xof.update(a);
30 xof.output(out);
31 };
32}
Definition shake_xof.h:52
References BOTAN_ASSERT_NOMSG, Botan::FrodoKEMMode::is_shake(), Botan::FrodoKEMConstants::mode(), and store_le().
◆ ct_compare_u8()
| uint8_t Botan::ct_compare_u8 | ( | const uint8_t | x[], |
| const uint8_t | y[], | ||
| size_t | len ) |
Memory comparison, input insensitive
- Parameters
-
x a pointer to an array y a pointer to another array len the number of Ts in x and y
- Returns
- 0xFF iff x[i] == y[i] forall i in [0...n) or 0x00 otherwise
Definition at line 13 of file mem_ops.cpp.
13 {
14 return CT::is_equal(x, y, len).value();
15}
References Botan::CT::is_equal().
◆ ct_divide() [1/2]
BigInt division, const time variant
This runs with control flow independent of the values of x/y. Warning: the loop bounds still leak the sizes of x and y.
- Parameters
-
x an integer y a non-zero integer
- Returns
- x/y with remainder discarded
Definition at line 49 of file divide.h.
49 {
50 BigInt q, r;
51 ct_divide(x, y, q, r);
52 return q;
53}
void ct_divide(const BigInt &x, const BigInt &y, BigInt &q_out, BigInt &r_out)
Definition divide.cpp:48
References ct_divide().
◆ ct_divide() [2/2]
| BOTAN_TEST_API void Botan::ct_divide | ( | const BigInt & | x, |
| const BigInt & | y, | ||
| BigInt & | q, | ||
| BigInt & | r ) |
BigInt division, const time variant
This runs with control flow independent of the values of x/y. Warning: the loop bounds still leak the sizes of x and y.
- Parameters
-
x an integer y a non-zero integer q will be set to x / y r will be set to x % y
Definition at line 48 of file divide.cpp.
48 {
51 }
52
55
57
58 BigInt q = BigInt::with_capacity(x_words);
59 BigInt r = BigInt::with_capacity(y_words);
60 BigInt t = BigInt::with_capacity(y_words); // a temporary
61
62 for(size_t i = 0; i != x_bits; ++i) {
63 const size_t b = x_bits - 1 - i;
65
66 r *= 2;
67 r.conditionally_set_bit(0, x_b);
68
69 const bool r_gte_y = bigint_sub3(t.mutable_data(), r._data(), r.size(), y._data(), y_words) == 0;
70
71 q.conditionally_set_bit(b, r_gte_y);
72 r.ct_cond_swap(r_gte_y, t);
73 }
74
75 sign_fixup(x, y, q, r);
76 r_out = r;
77 q_out = q;
78}
References Botan::BigInt::_data(), b, bigint_sub3(), Botan::BigInt::bits(), Botan::BigInt::conditionally_set_bit(), Botan::BigInt::ct_cond_swap(), Botan::BigInt::get_bit(), Botan::BigInt::is_zero(), Botan::BigInt::mutable_data(), Botan::BigInt::sig_words(), Botan::BigInt::size(), and Botan::BigInt::with_capacity().
Referenced by ct_divide(), Botan::FPE_FE1::decrypt(), Botan::FPE_FE1::encrypt(), lcm(), and Botan::Modular_Reducer::Modular_Reducer().
◆ ct_divide_word()
| BOTAN_TEST_API void Botan::ct_divide_word | ( | const BigInt & | x, |
| word | y, | ||
| BigInt & | q, | ||
| word & | r ) |
BigInt division, const time variant
This runs with control flow independent of the values of x/y. Warning: the loop bounds still leaks the size of x.
- Parameters
-
x an integer y a non-zero integer q will be set to x / y r will be set to x % y
Definition at line 80 of file divide.cpp.
80 {
81 if(y == 0) {
83 }
84
87
88 BigInt q = BigInt::with_capacity(x_words);
89 word r = 0;
90
91 for(size_t i = 0; i != x_bits; ++i) {
92 const size_t b = x_bits - 1 - i;
94
95 const auto r_carry = CT::Mask<word>::expand_top_bit(r);
96
97 r *= 2;
98 r += x_b;
99
100 const auto r_gte_y = CT::Mask<word>::is_gte(r, y) | r_carry;
101 q.conditionally_set_bit(b, r_gte_y.as_bool());
102 r = r_gte_y.select(r - y, r);
103 }
104
106 q.flip_sign();
107 if(r != 0) {
108 --q;
109 r = y - r;
110 }
111 }
112
113 r_out = r;
114 q_out = q;
115}
References b, Botan::BigInt::bits(), Botan::BigInt::conditionally_set_bit(), Botan::CT::Mask< T >::expand_top_bit(), Botan::BigInt::flip_sign(), Botan::BigInt::get_bit(), Botan::CT::Mask< T >::is_gte(), Botan::BigInt::is_negative(), Botan::BigInt::sig_words(), and Botan::BigInt::with_capacity().
Referenced by operator/(), and Botan::BigInt::to_dec_string().
◆ ct_is_zero()
If arg is zero, return ~0. Otherwise return 0
Definition at line 33 of file bit_ops.h.
35{
36 return expand_top_bit<T>(~x & (x - 1));
37}
References expand_top_bit().
Referenced by ctz(), Botan::CT::Choice::from_int(), Botan::CT::Mask< T >::is_zero(), and prefetch_array_raw().
◆ ct_modulo()
| BOTAN_TEST_API BigInt Botan::ct_modulo | ( | const BigInt & | x, |
| const BigInt & | modulo ) |
BigInt modulo, const time variant
Using this function is (slightly) cheaper than calling ct_divide and using only the remainder.
- Parameters
-
x a non-negative integer modulo a positive integer
- Returns
- result x % modulo
Definition at line 117 of file divide.cpp.
117 {
118 if(y.is_negative() || y.is_zero()) {
120 }
121
122 const size_t y_words = y.sig_words();
123
125
126 BigInt r = BigInt::with_capacity(y_words);
127 BigInt t = BigInt::with_capacity(y_words);
128
129 for(size_t i = 0; i != x_bits; ++i) {
130 const size_t b = x_bits - 1 - i;
132
133 r *= 2;
134 r.conditionally_set_bit(0, x_b);
135
136 const bool r_gte_y = bigint_sub3(t.mutable_data(), r._data(), r.size(), y._data(), y_words) == 0;
137
138 r.ct_cond_swap(r_gte_y, t);
139 }
140
142 if(r.is_nonzero()) {
143 r = y - r;
144 }
145 }
146
147 return r;
148}
References Botan::BigInt::_data(), b, bigint_sub3(), Botan::BigInt::bits(), Botan::BigInt::conditionally_set_bit(), Botan::BigInt::ct_cond_swap(), Botan::BigInt::get_bit(), Botan::BigInt::is_negative(), Botan::BigInt::is_nonzero(), Botan::BigInt::is_zero(), Botan::BigInt::mutable_data(), Botan::BigInt::sig_words(), Botan::BigInt::size(), and Botan::BigInt::with_capacity().
Referenced by Botan::RSA_PrivateKey::check_key(), inverse_mod(), Botan::Modular_Reducer::reduce(), Botan::RSA_PrivateKey::RSA_PrivateKey(), and Botan::RSA_PrivateKey::RSA_PrivateKey().
◆ ctz()
|
inlineconstexpr |
Count the trailing zero bits in n
- Parameters
-
n an integer value
- Returns
- maximum x st 2^x divides n
Definition at line 102 of file bit_ops.h.
104{
105 /*
106 * If n == 0 then this function will compute 8*sizeof(T)-1, so
107 * initialize lb to 1 if n == 0 to produce the expected result.
108 */
110
114 lb += z;
115 n >>= z;
116 }
117
118 return lb;
119}
References ct_is_zero(), and T.
Referenced by low_zero_bits(), and var_ctz32().
◆ curve25519_basepoint()
| void Botan::curve25519_basepoint | ( | uint8_t | mypublic[32], |
| const uint8_t | secret[32] ) |
Exponentiate by the x25519 base point
- Parameters
-
mypublic output value secret random scalar
Definition at line 19 of file x25519.cpp.
19 {
20 const uint8_t basepoint[32] = {9};
21 curve25519_donna(mypublic, secret, basepoint);
22}
References curve25519_donna().
Referenced by Botan::X25519_PrivateKey::check_key(), Botan::Sodium::crypto_scalarmult_curve25519_base(), Botan::X25519_PrivateKey::X25519_PrivateKey(), Botan::X25519_PrivateKey::X25519_PrivateKey(), and Botan::X25519_PrivateKey::X25519_PrivateKey().
◆ curve25519_donna()
| void Botan::curve25519_donna | ( | uint8_t | mypublic[32], |
| const uint8_t | secret[32], | ||
| const uint8_t | basepoint[32] ) |
Definition at line 454 of file donna.cpp.
454 {
455 CT::poison(secret, 32);
456 CT::poison(basepoint, 32);
457
458 uint64_t bp[5], x[5], z[5], zmone[5];
459 uint8_t e[32];
460
461 copy_mem(e, secret, 32);
462 e[0] &= 248;
463 e[31] &= 127;
464 e[31] |= 64;
465
466 fexpand(bp, basepoint);
467 cmult(x, z, e, bp);
468 crecip(zmone, z);
469 fmul(z, x, zmone);
470 fcontract(mypublic, z);
471
472 CT::unpoison(secret, 32);
473 CT::unpoison(basepoint, 32);
474 CT::unpoison(mypublic, 32);
475}
References copy_mem(), Botan::CT::poison(), and Botan::CT::unpoison().
Referenced by Botan::Sodium::crypto_scalarmult_curve25519(), and curve25519_basepoint().
◆ deallocate_memory()
| void Botan::deallocate_memory | ( | void * | p, |
| size_t | elems, | ||
| size_t | elem_size ) |
Free a pointer returned by allocate_memory
- Parameters
-
p the pointer returned by allocate_memory elems the number of elements, as passed to allocate_memory elem_size the size of each element, as passed to allocate_memory
Definition at line 47 of file allocator.cpp.
47 {
48 if(p == nullptr) {
49 [[unlikely]] return;
50 }
51
52 secure_scrub_memory(p, elems * elem_size);
53
54#if defined(BOTAN_HAS_LOCKING_ALLOCATOR)
55 if(mlock_allocator::instance().deallocate(p, elems, elem_size)) {
56 return;
57 }
58#endif
59
60 std::free(p); // NOLINT(*-no-malloc)
61}
References Botan::mlock_allocator::instance(), and secure_scrub_memory().
Referenced by Botan::secure_allocator< T >::deallocate().
◆ decode_gf2m()
| gf2m Botan::decode_gf2m | ( | const uint8_t * | mem | ) |
Definition at line 101 of file gf2m_small_m.cpp.
Referenced by Botan::polyn_gf2m::polyn_gf2m().
◆ decode_point()
| BOTAN_TEST_API Point448 Botan::decode_point | ( | std::span< const uint8_t > | p_bytes | ) |
Decode a point from a byte array. RFC 7748 Section 5 (decodeUCoordinate)
Definition at line 25 of file x448_internal.cpp.
25 {
27 return typecast_copy<Point448>(p_bytes);
28}
References BOTAN_ARG_CHECK, typecast_copy(), and X448_LEN.
◆ decode_scalar()
| BOTAN_TEST_API ScalarX448 Botan::decode_scalar | ( | std::span< const uint8_t > | scalar_bytes | ) |
Decode a scalar from a byte array. RFC 7748 Section 5 (decodeScalar448)
Definition at line 30 of file x448_internal.cpp.
30 {
32 auto buf = typecast_copy<ScalarX448>(scalar_bytes);
33
34 buf[0] &= 0xfc;
35 buf[55] |= 0x80;
36
37 return buf;
38}
References BOTAN_ARG_CHECK, typecast_copy(), and X448_LEN.
◆ dl_exponent_size()
| size_t BOTAN_TEST_API Botan::dl_exponent_size | ( | size_t | prime_group_size | ) |
Return the appropriate exponent size to use for a particular prime group. This is twice the size of the estimated cost of breaking the key using an index calculus attack; the assumption is that if an arbitrary discrete log on a group of size bits would take about 2^n effort, and thus using an exponent of size 2^(2*n) implies that all available attacks are about as easy (as e.g Pollard's kangaroo algorithm can compute the DL in sqrt(x) operations) while minimizing the exponent size for performance reasons.
Definition at line 51 of file workfactor.cpp.
51 {
52 if(bits == 0) {
53 return 0;
54 }
55 if(bits <= 256) {
56 return bits - 1;
57 }
58 if(bits <= 1024) {
59 return 192;
60 }
61 if(bits <= 1536) {
62 return 224;
63 }
64 if(bits <= 2048) {
65 return 256;
66 }
67 if(bits <= 4096) {
68 return 384;
69 }
70 return 512;
71}
Referenced by Botan::DL_Group::DL_Group().
◆ dl_work_factor()
| size_t BOTAN_TEST_API Botan::dl_work_factor | ( | size_t | prime_group_size | ) |
Estimate work factor for discrete logarithm
- Parameters
-
prime_group_size size of the group in bits
- Returns
- estimated security level for this group
Definition at line 46 of file workfactor.cpp.
46 {
47 // Lacking better estimates...
49}
References if_work_factor().
◆ do_throw_error()
template<typename E , typename... Args>
|
inline |
◆ ecp_work_factor()
| size_t Botan::ecp_work_factor | ( | size_t | prime_group_size | ) |
Estimate work factor for EC discrete logarithm
- Parameters
-
prime_group_size size of the group in bits
- Returns
- estimated security level for this group
Definition at line 14 of file workfactor.cpp.
14 {
15 return bits / 2;
16}
Referenced by Botan::EC_PublicKey::estimated_strength().
◆ ed25519_gen_keypair() [1/2]
| void Botan::ed25519_gen_keypair | ( | uint8_t * | pk, |
| uint8_t * | sk, | ||
| const uint8_t | seed[32] ) |
Definition at line 20 of file ed25519.cpp.
20 {
21 uint8_t az[64];
22
23 SHA_512 sha;
24 sha.update(seed, 32);
25 sha.final(az);
26 az[0] &= 248;
27 az[31] &= 63;
28 az[31] |= 64;
29
30 ge_scalarmult_base(pk, az);
31
32 // todo copy_mem
33 copy_mem(sk, seed, 32);
34 copy_mem(sk + 32, pk, 32);
35}
void update(const uint8_t in[], size_t length)
Definition buf_comp.h:35
Definition sha2_64.h:58
void ge_scalarmult_base(uint8_t out[32], const uint8_t in[32])
Definition ge.cpp:2043
References copy_mem(), Botan::Buffered_Computation::final(), ge_scalarmult_base(), and Botan::Buffered_Computation::update().
Referenced by Botan::Sodium::crypto_sign_ed25519_seed_keypair(), Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(), Botan::Ed25519_PrivateKey::Ed25519_PrivateKey(), and Botan::Ed25519_PrivateKey::Ed25519_PrivateKey().
◆ ed25519_gen_keypair() [2/2]
| void Botan::ed25519_gen_keypair | ( | uint8_t | pk[32], |
| uint8_t | sk[64], | ||
| const uint8_t | seed[32] ) |
◆ ed25519_sign()
| void Botan::ed25519_sign | ( | uint8_t | sig[64], |
| const uint8_t | m[], | ||
| size_t | mlen, | ||
| const uint8_t | sk[64], | ||
| const uint8_t | domain_sep[], | ||
| size_t | domain_sep_len ) |
Definition at line 37 of file ed25519.cpp.
42 {
43 uint8_t az[64];
44 uint8_t nonce[64];
45 uint8_t hram[64];
46
47 SHA_512 sha;
48
49 sha.update(sk, 32);
50 sha.final(az);
51 az[0] &= 248;
52 az[31] &= 63;
53 az[31] |= 64;
54
55 sha.update(domain_sep, domain_sep_len);
56 sha.update(az + 32, 32);
57 sha.update(m, mlen);
58 sha.final(nonce);
59
60 sc_reduce(nonce);
61 ge_scalarmult_base(sig, nonce);
62
63 sha.update(domain_sep, domain_sep_len);
64 sha.update(sig, 32);
65 sha.update(sk + 32, 32);
66 sha.update(m, mlen);
67 sha.final(hram);
68
69 sc_reduce(hram);
70 sc_muladd(sig + 32, hram, az, nonce);
71}
void sc_muladd(uint8_t *, const uint8_t *, const uint8_t *, const uint8_t *)
Definition sc_muladd.cpp:26
References Botan::Buffered_Computation::final(), ge_scalarmult_base(), sc_muladd(), sc_reduce(), and Botan::Buffered_Computation::update().
Referenced by Botan::Sodium::crypto_sign_ed25519_detached().
◆ ed25519_verify() [1/2]
| bool Botan::ed25519_verify | ( | const uint8_t * | m, |
| size_t | mlen, | ||
| const uint8_t | sig[64], | ||
| const uint8_t * | pk, | ||
| const uint8_t | domain_sep[], | ||
| size_t | domain_sep_len ) |
Definition at line 73 of file ed25519.cpp.
78 {
79 uint8_t h[64];
80 uint8_t rcheck[32];
81 ge_p3 A;
82 SHA_512 sha;
83
84 if(sig[63] & 224) {
85 return false;
86 }
87 if(ge_frombytes_negate_vartime(&A, pk) != 0) {
88 return false;
89 }
90
91 const uint64_t CURVE25519_ORDER[4] = {
92 0x1000000000000000,
93 0x0000000000000000,
94 0x14def9dea2f79cd6,
95 0x5812631a5cf5d3ed,
96 };
97
98 const uint64_t s[4] = {load_le<uint64_t>(sig + 32, 3),
99 load_le<uint64_t>(sig + 32, 2),
100 load_le<uint64_t>(sig + 32, 1),
101 load_le<uint64_t>(sig + 32, 0)};
102
103 // RFC 8032 adds the requirement that we verify that s < order in
104 // the signature; this did not exist in the original Ed25519 spec.
105 for(size_t i = 0; i != 4; ++i) {
106 if(s[i] > CURVE25519_ORDER[i]) {
107 return false;
108 }
109 if(s[i] < CURVE25519_ORDER[i]) {
110 break;
111 }
112 if(i == 3) { // here s == order
113 return false;
114 }
115 }
116
117 sha.update(domain_sep, domain_sep_len);
118 sha.update(sig, 32);
119 sha.update(pk, 32);
120 sha.update(m, mlen);
121 sha.final(h);
122 sc_reduce(h);
123
124 ge_double_scalarmult_vartime(rcheck, h, &A, sig + 32);
125
126 return CT::is_equal(rcheck, sig, 32).as_bool();
127}
void ge_double_scalarmult_vartime(uint8_t out[32], const uint8_t a[], const ge_p3 *A, const uint8_t b[])
Definition ed25519_internal.h:79
References Botan::Buffered_Computation::final(), ge_double_scalarmult_vartime(), ge_frombytes_negate_vartime(), Botan::CT::is_equal(), load_le(), sc_reduce(), and Botan::Buffered_Computation::update().
Referenced by Botan::Sodium::crypto_sign_ed25519_verify_detached().
◆ ed25519_verify() [2/2]
| bool Botan::ed25519_verify | ( | const uint8_t | msg[], |
| size_t | msg_len, | ||
| const uint8_t | sig[64], | ||
| const uint8_t | pk[32], | ||
| const uint8_t | domain_sep[], | ||
| size_t | domain_sep_len ) |
◆ encode_gf2m()
| uint32_t Botan::encode_gf2m | ( | gf2m | to_enc, |
| uint8_t * | mem ) |
Definition at line 95 of file gf2m_small_m.cpp.
95 {
96 mem[0] = to_enc >> 8;
97 mem[1] = to_enc & 0xFF;
98 return sizeof(to_enc);
99}
◆ encode_point()
| BOTAN_TEST_API secure_vector< uint8_t > Botan::encode_point | ( | const Point448 & | p | ) |
Encode a point to a 56 byte vector. RFC 7748 Section 5 (encodeUCoordinate)
Definition at line 21 of file x448_internal.cpp.
21 {
23}
decltype(auto) begin() noexcept(noexcept(this->get().begin()))
Definition strong_type.h:103
decltype(auto) end() noexcept(noexcept(this->get().end()))
Definition strong_type.h:107
References Botan::detail::Strong_Adapter< T >::begin(), and Botan::detail::Strong_Adapter< T >::end().
◆ expand_mask_16bit()
Expand an input to a bit mask depending on it being being zero or non-zero
- Parameters
-
tst the input
- Returns
- the mask 0xFFFF if tst is non-zero and 0 otherwise
Definition at line 25 of file code_based_util.h.
25 {
26 const uint16_t result = (tst != 0);
27 return ~(result - 1);
28}
Referenced by Botan::polyn_gf2m::calc_degree_secure(), Botan::polyn_gf2m::eea_with_coefficients(), and Botan::polyn_gf2m::patchup_deg_secure().
◆ expand_message_xmd() [1/2]
| void BOTAN_TEST_API Botan::expand_message_xmd | ( | std::string_view | hash_fn, |
| std::span< uint8_t > | output, | ||
| std::span< const uint8_t > | input, | ||
| std::span< const uint8_t > | domain_sep ) |
XMD hash function from RFC 9380
This is only used internally to implement hash2curve so is not exposed to end users.
Definition at line 16 of file xmd.cpp.
19 {
20 if(domain_sep.size() > 0xFF) {
21 // RFC 9380 has a specification for handling this
23 }
24
25 const uint8_t domain_sep_len = static_cast<uint8_t>(domain_sep.size());
26
27 auto hash = HashFunction::create_or_throw(hash_fn);
28 const size_t block_size = hash->hash_block_size();
29 if(block_size == 0) {
30 throw Invalid_Argument(fmt("expand_message_xmd cannot be used with {}", hash_fn));
31 }
32
33 const size_t hash_output_size = hash->output_length();
34 if(output.size() > 255 * hash_output_size || output.size() > 0xFFFF) {
35 throw Invalid_Argument("expand_message_xmd requested output length too long");
36 }
37
38 // Compute b_0 = H(msg_prime) = H(Z_pad || msg || l_i_b_str || 0x00 || DST_prime)
39
40 hash->update(std::vector<uint8_t>(block_size));
41 hash->update(input);
42 hash->update_be(static_cast<uint16_t>(output.size()));
43 hash->update(0x00);
44 hash->update(domain_sep);
45 hash->update(domain_sep_len);
46
47 const secure_vector<uint8_t> b_0 = hash->final();
48
49 // Compute b_1 = H(b_0 || 0x01 || DST_prime)
50
51 hash->update(b_0);
52 hash->update(0x01);
53 hash->update(domain_sep);
54 hash->update(domain_sep_len);
55
56 secure_vector<uint8_t> b_i = hash->final();
57
58 uint8_t cnt = 2;
59 for(;;) {
60 const size_t produced = std::min(output.size(), hash_output_size);
61
62 copy_mem(&output[0], b_i.data(), produced);
63 output = output.subspan(produced);
64
65 if(output.empty()) {
66 break;
67 }
68
69 // Now compute the next b_i if needed
70
71 b_i ^= b_0;
72 hash->update(b_i);
73 hash->update(cnt);
74 hash->update(domain_sep);
75 hash->update(domain_sep_len);
76 hash->final(b_i);
77 cnt += 1;
78 }
79}
References copy_mem(), Botan::HashFunction::create_or_throw(), and fmt().
Referenced by expand_message_xmd().
◆ expand_message_xmd() [2/2]
|
inline |
Definition at line 27 of file xmd.h.
30 {
31 std::span<const uint8_t> input(reinterpret_cast<const uint8_t*>(input_str.data()), input_str.size());
32
33 std::span<const uint8_t> domain_sep(reinterpret_cast<const uint8_t*>(domain_sep_str.data()), domain_sep_str.size());
34
35 expand_message_xmd(hash_fn, output, input, domain_sep);
36}
void expand_message_xmd(std::string_view hash_fn, std::span< uint8_t > output, std::span< const uint8_t > input, std::span< const uint8_t > domain_sep)
Definition xmd.cpp:16
References expand_message_xmd().
◆ expand_top_bit()
If top bit of arg is set, return ~0. Otherwise return 0.
Definition at line 23 of file bit_ops.h.
References T.
Referenced by ct_is_zero(), and Botan::CT::Mask< T >::expand_top_bit().
◆ extended_euclidean_algorithm()
template<std::integral T>
|
consteval |
Run the extended Euclidean algorithm to find the greatest common divisor of a and b and the Bézout coefficients, u and v.
Definition at line 69 of file pqcrystals_helpers.h.
69 {
70 if(a > b) {
71 std::swap(a, b);
72 }
73
74 T u1 = 0, v1 = 1, u2 = 1, v2 = 0;
75
76 if(a != b) {
77 while(a != 0) {
80 std::tie(u1, v1, u2, v2) = std::make_tuple(u2, v2, static_cast<T>(u1 - q * u2), static_cast<T>(v1 - q * v2));
81 }
82 }
83
85}
Referenced by modular_inverse().
◆ fe_0()
|
inline |
Definition at line 170 of file ed25519_fe.h.
◆ fe_1()
|
inline |
Definition at line 174 of file ed25519_fe.h.
Referenced by ge_frombytes_negate_vartime().
◆ fe_add()
Definition at line 178 of file ed25519_fe.h.
178 {
179 x = FE_25519::add(a, b);
180}
References Botan::FE_25519::add(), and b.
Referenced by ge_frombytes_negate_vartime().
◆ fe_copy()
◆ fe_frombytes()
|
inline |
Definition at line 150 of file ed25519_fe.h.
References b, and Botan::FE_25519::from_bytes().
Referenced by ge_frombytes_negate_vartime().
◆ fe_invert()
Definition at line 206 of file ed25519_fe.h.
206 {
207 x = FE_25519::invert(z);
208}
References Botan::FE_25519::invert().
◆ fe_isnegative()
|
inline |
Definition at line 166 of file ed25519_fe.h.
166 {
168}
References Botan::FE_25519::is_negative().
Referenced by ge_frombytes_negate_vartime().
◆ fe_isnonzero()
|
inline |
Definition at line 162 of file ed25519_fe.h.
162 {
164}
References Botan::FE_25519::is_zero().
Referenced by ge_frombytes_negate_vartime().
◆ fe_mul()
Definition at line 190 of file ed25519_fe.h.
190 {
191 x = FE_25519::mul(a, b);
192}
References b, and Botan::FE_25519::mul().
Referenced by ge_frombytes_negate_vartime(), Botan::FE_25519::invert(), and Botan::FE_25519::pow_22523().
◆ fe_neg()
Definition at line 186 of file ed25519_fe.h.
186 {
187 x = FE_25519::negate(z);
188}
References Botan::FE_25519::negate().
Referenced by ge_frombytes_negate_vartime().
◆ fe_pow22523()
Definition at line 210 of file ed25519_fe.h.
210 {
211 x = FE_25519::pow_22523(y);
212}
References Botan::FE_25519::pow_22523().
Referenced by ge_frombytes_negate_vartime().
◆ fe_sq()
Definition at line 194 of file ed25519_fe.h.
194 {
195 x = FE_25519::sqr(z);
196}
References Botan::FE_25519::sqr().
Referenced by ge_frombytes_negate_vartime(), Botan::FE_25519::invert(), and Botan::FE_25519::pow_22523().
◆ fe_sq2()
Definition at line 202 of file ed25519_fe.h.
202 {
203 x = FE_25519::sqr2(z);
204}
References Botan::FE_25519::sqr2().
◆ fe_sq_iter()
Definition at line 198 of file ed25519_fe.h.
198 {
199 x = FE_25519::sqr_iter(z, iter);
200}
References Botan::FE_25519::sqr_iter().
Referenced by Botan::FE_25519::invert(), and Botan::FE_25519::pow_22523().
◆ fe_sub()
Definition at line 182 of file ed25519_fe.h.
182 {
183 x = FE_25519::sub(a, b);
184}
References b, and Botan::FE_25519::sub().
Referenced by ge_frombytes_negate_vartime().
◆ fe_tobytes()
|
inline |
Definition at line 154 of file ed25519_fe.h.
References b, and Botan::FE_25519::to_bytes().
◆ find_roots_gf2m_decomp()
| secure_vector< gf2m > Botan::find_roots_gf2m_decomp | ( | const polyn_gf2m & | polyn, |
| size_t | code_length ) |
Find the roots of a polynomial over GF(2^m) using the method by Federenko et al.
Definition at line 254 of file gf2m_rootfind_dcmp.cpp.
254 {
255 gf2m_decomp_rootfind_state state(polyn, code_length);
256 return state.find_roots(polyn);
257}
References find_roots_gf2m_decomp().
Referenced by find_roots_gf2m_decomp().
◆ fmt()
template<typename... T>
| std::string Botan::fmt | ( | std::string_view | format, |
| const T &... | args ) |
Simple formatter utility.
Should be replaced with std::format once that's available on all our supported compilers.
'{}' markers in the format string are replaced by the arguments. Unlike std::format, there is no support for escaping or for any kind of conversion flags.
Definition at line 53 of file fmt.h.
53 {
54 std::ostringstream oss;
55 oss.imbue(std::locale::classic());
56 fmt_detail::do_fmt(oss, format, args...);
57 return oss.str();
58}
References Botan::fmt_detail::do_fmt().
Referenced by Botan::AlternativeName::add_attribute(), Botan::GOST_3410_PublicKey::algo_name(), Botan::TLS::KEX_to_KEM_Adapter_PublicKey::algo_name(), Botan::AlternativeName::AlternativeName(), argon2_generate_pwhash(), assert_unreachable(), Botan::TLS::auth_method_from_string(), Botan::CFB_Mode::CFB_Mode(), Botan::TPM2::cipher_tss2_to_botan(), Botan::CMAC::CMAC(), Botan::AES_256_CTR_XOF::copy_state(), Botan::KDF::create(), Botan::TPM2::PrivateKey::create(), Botan::TPM2::PublicKey::create(), Botan::Private_Key::create_decryption_op(), Botan::PKCS11::MechanismWrapper::create_ecdh_mechanism(), Botan::PKCS11::MechanismWrapper::create_ecdsa_mechanism(), Botan::Public_Key::create_encryption_op(), Botan::Private_Key::create_kem_decryption_op(), Botan::Public_Key::create_kem_encryption_op(), Botan::Private_Key::create_key_agreement_op(), create_private_key(), Botan::Private_Key::create_signature_op(), Botan::Public_Key::create_verification_op(), Botan::Public_Key::create_x509_verification_op(), Botan::PEM_Code::decode(), Botan::PEM_Code::decode_check_label(), Botan::ASN1_String::decode_from(), Botan::Cert_Extension::TNAuthList::Entry::decode_from(), Botan::DL_Group::DL_Group(), Botan::DL_Group::DL_Group(), Botan::EC_Group::EC_Group(), Botan::PEM_Code::encode(), expand_message_xmd(), Botan::Stream_Decompression::finish(), Botan::PSS_Params::from_emsa_name(), Botan::EC_Group::from_name(), Botan::EC_Group::from_OID(), Botan::OID::from_string(), generate_dsa_primes(), Botan::EC_PublicKey::get_int_field(), Botan::TPM2::get_raw_rc(), Botan::GOST_28147_89_Params::GOST_28147_89_Params(), Botan::GOST_3410_PrivateKey::GOST_3410_PrivateKey(), Botan::GOST_3410_PublicKey::GOST_3410_PublicKey(), Botan::Sphincs_Parameters::hash_name(), hex_decode(), hkdf_expand_label(), Botan::HSS_LMS_Params::HSS_LMS_Params(), Botan::HTTP::http_sync(), Botan::Keccak_1600::Keccak_1600(), Botan::TLS::kex_method_from_string(), Botan::Lion::Lion(), load_private_key(), load_public_key(), Botan::PEM_Code::matches(), Botan::BLAKE2b::name(), Botan::BLAKE2s::name(), Botan::Cascade_Cipher::name(), Botan::CBC_Mode::name(), Botan::CCM_Mode::name(), Botan::CFB_Mode::name(), Botan::ChaCha::name(), Botan::CMAC::name(), Botan::Comb4P::name(), Botan::CTR_BE::name(), Botan::DilithiumMessageHash::name(), Botan::FPE_FE1::name(), Botan::GCM_Mode::name(), Botan::GeneralName::name(), Botan::GMAC::name(), Botan::HKDF::name(), Botan::HKDF_Expand::name(), Botan::HKDF_Extract::name(), Botan::HMAC::name(), Botan::HMAC_DRBG::name(), Botan::KDF1::name(), Botan::KDF1_18033::name(), Botan::KDF2::name(), Botan::Keccak_1600::name(), Botan::KMAC128::name(), Botan::KMAC256::name(), Botan::Lion::name(), Botan::OFB::name(), Botan::PBKDF2_Family::name(), Botan::PKCS5_PBKDF2::name(), Botan::RFC4880_S2K_Family::name(), Botan::SHA_3::name(), Botan::SHAKE_128::name(), Botan::SHAKE_256::name(), Botan::SipHash::name(), Botan::Skein_512::name(), Botan::SP800_108_Counter::name(), Botan::SP800_108_Feedback::name(), Botan::SP800_108_Pipeline::name(), Botan::SP800_56C_One_Step_Hash::name(), Botan::SP800_56C_One_Step_HMAC::name(), Botan::SP800_56C_Two_Step::name(), Botan::Streebog::name(), Botan::TLS_12_PRF::name(), Botan::Truncated_Hash::name(), Botan::Asymmetric_Key::object_identifier(), pbes2_decrypt(), Botan::PK_Decryptor_EME::PK_Decryptor_EME(), Botan::PK_Encryptor_EME::PK_Encryptor_EME(), Botan::PK_KEM_Decryptor::PK_KEM_Decryptor(), Botan::PK_KEM_Encryptor::PK_KEM_Encryptor(), Botan::PK_Key_Agreement::PK_Key_Agreement(), Botan::PK_Signer::PK_Signer(), Botan::PK_Verifier::PK_Verifier(), Botan::PK_Verifier::PK_Verifier(), Botan::Credentials_Manager::psk(), Botan::Dynamically_Loaded_Library::resolve_symbol(), Botan::RFC6979_Nonce_Generator::RFC6979_Nonce_Generator(), Botan::Sqlite3_Database::row_count(), Botan::RSA_PrivateKey::RSA_PrivateKey(), runtime_version_check(), Botan::SHA_3::SHA_3(), Botan::SHAKE_128::SHAKE_128(), Botan::SHAKE_256::SHAKE_256(), split_on(), srp6_client_agree(), srp6_generate_verifier(), Botan::XOF::start(), Botan::SRP6_Server_Session::step1(), Botan::SRP6_Server_Session::step2(), Botan::Streebog::Streebog(), throw_invalid_argument(), throw_invalid_state(), Botan::Argon2::to_string(), Botan::ASN1_Time::to_string(), Botan::Bcrypt_PBKDF::to_string(), Botan::PBKDF2::to_string(), Botan::RFC4880_S2K::to_string(), Botan::Scrypt::to_string(), Botan::TLS::Cipher_State::update_read_keys(), Botan::TLS::Cipher_State::update_write_keys(), Botan::UUID::UUID(), Botan::TLS::Certificate_Type_Base::validate_selection(), Botan::PK_Ops::Verification_with_Hash::Verification_with_Hash(), Botan::XMSS_Hash::XMSS_Hash(), Botan::XMSS_Parameters::xmss_id_from_string(), Botan::XMSS_WOTS_Parameters::xmss_wots_id_from_string(), and Botan::XTS_Mode::XTS_Mode().
◆ format_char_for_display()
| std::string Botan::format_char_for_display | ( | char | c | ) |
Return a string containing 'c', quoted and possibly escaped
This is used when creating an error message nothing an invalid character in some codex (for example during hex decoding)
Currently this function escapes tab, newlines and carriage return as "\t", "\n", and "\r", and also escapes characters > 0x7F as "\xHH" where HH is the hex code.
Definition at line 98 of file charset.cpp.
98 {
99 std::ostringstream oss;
100
101 oss << "'";
102
103 if(c == '\t') {
104 oss << "\\t";
105 } else if(c == '\n') {
106 oss << "\\n";
107 } else if(c == '\r') {
108 oss << "\\r";
109 } else if(static_cast<unsigned char>(c) >= 128) {
110 unsigned char z = static_cast<unsigned char>(c);
111 oss << "\\x" << std::hex << std::uppercase << static_cast<int>(z);
112 } else {
113 oss << c;
114 }
115
116 oss << "'";
117
118 return oss.str();
119}
Referenced by hex_decode().
◆ fors_public_key_from_signature()
| BOTAN_TEST_API SphincsTreeNode Botan::fors_public_key_from_signature | ( | const SphincsHashedMessage & | hashed_message, |
| StrongSpan< const ForsSignature > | signature, | ||
| const Sphincs_Address & | address, | ||
| const Sphincs_Parameters & | params, | ||
| Sphincs_Hash_Functions & | hash ) |
FIPS 205, Algorithm 17: fors_pkFromSig.
Reconstructs the FORS public key from a given FORS signature and message. This is tailored for the use case in the SLH-DSA implementation and is not meant for general usability.
Definition at line 129 of file sp_fors.cpp.
133 {
134 const auto indices = fors_message_to_indices(hashed_message, params);
135
136 auto fors_tree_addr = Sphincs_Address::as_keypair_from(address).set_type(Sphincs_Address::ForsTree);
137
138 auto fors_pk_addr = Sphincs_Address::as_keypair_from(address).set_type(Sphincs_Address::ForsTreeRootsCompression);
139
140 BufferSlicer s(signature);
142 BufferStuffer roots(roots_buffer);
143
144 // For each of the k FORS subtrees: Reconstruct the subtree's root node by using the
145 // leaf and the authentication path offered in the FORS signature.
148 uint32_t idx_offset = i * (1 << params.a());
149
150 // Compute the FORS leaf by using the secret leaf contained in the signature
151 fors_tree_addr.set_tree_height(TreeLayerIndex(0)).set_tree_index(indices[i] + idx_offset);
155
156 // Reconstruct the subtree's root using the authentication path
158 params,
159 hashes,
160 leaf,
161 indices[i],
162 idx_offset,
163 auth_path,
164 params.a(),
165 fors_tree_addr);
166 }
167
168 BOTAN_ASSERT_NOMSG(roots.full());
169
170 // Reconstruct the public key the signature creates with the hash of the concatenation of all roots
171 // Only if the signature is valid, the pk is the correct FORS pk.
172 return hashes.T<SphincsTreeNode>(fors_pk_addr, roots_buffer);
173}
Helper class to ease in-place marshalling of concatenated fixed-length values.
Definition stl_util.h:142
void compute_root(StrongSpan< SphincsTreeNode > out, const Sphincs_Parameters ¶ms, Sphincs_Hash_Functions &hashes, const SphincsTreeNode &leaf, TreeNodeIndex leaf_idx, uint32_t idx_offset, StrongSpan< const SphincsAuthenticationPath > authentication_path, uint32_t total_tree_height, Sphincs_Address &tree_address)
Definition sp_treehash.cpp:102
References Botan::Sphincs_Parameters::a(), Botan::Sphincs_Address::as_keypair_from(), BOTAN_ASSERT_NOMSG, compute_root(), Botan::BufferStuffer::full(), Botan::Sphincs_Parameters::k(), Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::Sphincs_Address::set_type(), Botan::Sphincs_Hash_Functions::T(), and Botan::BufferSlicer::take().
◆ fors_sign_and_pkgen()
| BOTAN_TEST_API SphincsTreeNode Botan::fors_sign_and_pkgen | ( | StrongSpan< ForsSignature > | sig_out, |
| const SphincsHashedMessage & | hashed_message, | ||
| const SphincsSecretSeed & | secret_seed, | ||
| const Sphincs_Address & | address, | ||
| const Sphincs_Parameters & | params, | ||
| Sphincs_Hash_Functions & | hashes ) |
FIPS 205, Algorithm 16: fors_sign (with simultaneous FORS pk generation)
Implements a domain specific wrapper for the few-times signature scheme FORS (Forest of Random Subsets). It is meant to be used inside SLH-DSA and does not aim to be applicable for other use cases.
Definition at line 63 of file sp_fors.cpp.
68 {
70
71 const auto indices = fors_message_to_indices(hashed_message, params);
72
73 auto fors_tree_addr = Sphincs_Address::as_keypair_from(address);
74
75 auto fors_pk_addr = Sphincs_Address::as_keypair_from(address).set_type(Sphincs_Address::ForsTreeRootsCompression);
76
78 BufferStuffer roots(roots_buffer);
79 BufferStuffer sig(sig_out);
80
81 // Buffer to hold the FORS leafs during tree traversal
82 // (Avoids a secure_vector allocation/deallocation in the hot path)
84
85 // For each of the k FORS subtrees: Compute the secret leaf, the authentication path
86 // and the trees' root and append the signature respectively
89 uint32_t idx_offset = i * (1 << params.a());
90
91 // Compute the secret leaf given by the chunk of the message and append it to the signature
92 fors_tree_addr.set_type(Sphincs_Address_Type::ForsKeyGeneration)
93 .set_tree_height(TreeLayerIndex(0))
94 .set_tree_index(indices[i] + idx_offset);
95
97
98 // Compute the authentication path and root for this leaf node
99 fors_tree_addr.set_type(Sphincs_Address_Type::ForsTree);
100
101 GenerateLeafFunction fors_gen_leaf = [&](StrongSpan<SphincsTreeNode> out_root, TreeNodeIndex address_index) {
102 fors_tree_addr.set_tree_index(address_index);
103 fors_tree_addr.set_type(Sphincs_Address_Type::ForsKeyGeneration);
104
105 hashes.PRF(fors_leaf_secret, secret_seed, fors_tree_addr);
106
107 fors_tree_addr.set_type(Sphincs_Address_Type::ForsTree);
108 hashes.T(out_root, fors_tree_addr, fors_leaf_secret);
109 };
110
111 treehash(roots.next<SphincsTreeNode>(params.n()),
113 params,
114 hashes,
115 indices[i],
116 idx_offset,
117 params.a(),
118 fors_gen_leaf,
119 fors_tree_addr);
120 }
121
122 BOTAN_ASSERT_NOMSG(sig.full());
123 BOTAN_ASSERT_NOMSG(roots.full());
124
125 // Compute the public key by the hash of the concatenation of all roots
127}
void PRF(StrongSpan< ForsLeafSecret > out, const SphincsSecretSeed &sk_seed, const Sphincs_Address &address)
Definition sp_hash.h:70
uint32_t fors_signature_bytes() const
Definition sp_parameters.h:180
Strong< std::vector< uint8_t >, struct SphincsTreeNode_ > SphincsTreeNode
Either an XMSS or FORS tree node or leaf.
Definition sp_types.h:70
std::function< void(StrongSpan< SphincsTreeNode >, TreeNodeIndex)> GenerateLeafFunction
Definition sp_treehash.h:25
References Botan::Sphincs_Parameters::a(), Botan::Sphincs_Address::as_keypair_from(), BOTAN_ASSERT_NOMSG, Botan::Sphincs_Parameters::fors_signature_bytes(), ForsKeyGeneration, ForsTree, Botan::BufferStuffer::full(), Botan::Sphincs_Parameters::k(), Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::Sphincs_Hash_Functions::PRF(), Botan::Sphincs_Address::set_type(), Botan::StrongSpan< T >::size(), Botan::Sphincs_Hash_Functions::T(), and treehash().
◆ gamma()
Definition at line 44 of file noekeon_simd.cpp.
44 {
45 A1 ^= ~(A2 | A3);
46 A0 ^= A2 & A1;
47
49 A3 = A0;
50 A0 = T;
51
52 A2 ^= A0 ^ A1 ^ A3;
53
54 A1 ^= ~(A2 | A3);
55 A0 ^= A2 & A1;
56}
References T.
Referenced by Botan::Noekeon::decrypt_n(), and Botan::Noekeon::encrypt_n().
◆ gcd()
Compute the greatest common divisor
- Parameters
-
x a positive integer y a positive integer
- Returns
- gcd(x,y)
Definition at line 193 of file numthry.cpp.
193 {
194 if(a.is_zero()) {
196 }
197 if(b.is_zero()) {
198 return abs(a);
199 }
200
202 auto u = BigInt::with_capacity(sz);
203 auto v = BigInt::with_capacity(sz);
204 u += a;
205 v += b;
206
207 CT::poison_all(u, v);
208
209 u.set_sign(BigInt::Positive);
210 v.set_sign(BigInt::Positive);
211
212 // In the worst case we have two fully populated big ints. After right
213 // shifting so many times, we'll have reached the result for sure.
214 const size_t loop_cnt = u.bits() + v.bits();
215
216 using WordMask = CT::Mask<word>;
217
218 // This temporary is big enough to hold all intermediate results of the
219 // algorithm. No reallocation will happen during the loop.
220 // Note however, that `ct_cond_assign()` will invalidate the 'sig_words'
221 // cache, which _does not_ shrink the capacity of the underlying buffer.
222 auto tmp = BigInt::with_capacity(sz);
223 size_t factors_of_two = 0;
224 for(size_t i = 0; i != loop_cnt; ++i) {
225 auto both_odd = WordMask::expand(u.is_odd()) & WordMask::expand(v.is_odd());
226
227 // Subtract the smaller from the larger if both are odd
229 bigint_sub_abs(tmp.mutable_data(), u._data(), sz, v._data(), sz);
230 u.ct_cond_assign((u_gt_v & both_odd).as_bool(), tmp);
231 v.ct_cond_assign((~u_gt_v & both_odd).as_bool(), tmp);
232
233 const auto u_is_even = WordMask::expand(u.is_even());
234 const auto v_is_even = WordMask::expand(v.is_even());
235 BOTAN_DEBUG_ASSERT((u_is_even | v_is_even).as_bool());
236
237 // When both are even, we're going to eliminate a factor of 2.
238 // We have to reapply this factor to the final result.
239 factors_of_two += (u_is_even & v_is_even).if_set_return(1);
240
241 // remove one factor of 2, if u is even
242 bigint_shr2(tmp.mutable_data(), u._data(), sz, 1);
243 u.ct_cond_assign(u_is_even.as_bool(), tmp);
244
245 // remove one factor of 2, if v is even
246 bigint_shr2(tmp.mutable_data(), v._data(), sz, 1);
247 v.ct_cond_assign(v_is_even.as_bool(), tmp);
248 }
249
250 // The GCD (without factors of two) is either in u or v, the other one is
251 // zero. The non-zero variable _must_ be odd, because all factors of two were
252 // removed in the loop iterations above.
253 BOTAN_DEBUG_ASSERT(u.is_zero() || v.is_zero());
254 BOTAN_DEBUG_ASSERT(u.is_odd() || v.is_odd());
255
256 // make sure that the GCD (without factors of two) is in u
257 u.ct_cond_assign(u.is_even() /* .is_zero() would not be constant time */, v);
258
259 // re-apply the factors of two
260 u.ct_shift_left(factors_of_two);
261
262 CT::unpoison_all(u, v);
263
264 return u;
265}
constexpr void bigint_shr2(W y[], const W x[], size_t x_size, size_t shift)
Definition mp_core.h:528
constexpr auto bigint_sub_abs(W z[], const W x[], const W y[], size_t N, W ws[]) -> CT::Mask< W >
Definition mp_core.h:439
References abs(), b, bigint_cmp(), bigint_shr2(), bigint_sub_abs(), BOTAN_DEBUG_ASSERT, Botan::BigInt::is_zero(), Botan::CT::poison_all(), Botan::BigInt::Positive, Botan::BigInt::sig_words(), Botan::CT::unpoison_all(), and Botan::BigInt::with_capacity().
Referenced by botan_mp_gcd(), generate_rsa_prime(), lcm(), and random_prime().
◆ ge_double_scalarmult_vartime() [1/2]
| void Botan::ge_double_scalarmult_vartime | ( | uint8_t | out[32], |
| const uint8_t * | a, | ||
| const ge_p3 * | A, | ||
| const uint8_t * | b ) |
Definition at line 480 of file ge.cpp.
480 {
481 static const ge_precomp Bi[8] = {
482 {
483 {25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605},
484 {-12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378},
485 {-8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546},
486 },
487 {
488 {15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024},
489 {16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574},
490 {30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357},
491 },
492 {
493 {10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380},
494 {4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306},
495 {19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942},
496 },
497 {
498 {5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766},
499 {-30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701},
500 {28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300},
501 },
502 {
503 {-22518993, -6692182, 14201702, -8745502, -23510406, 8844726, 18474211, -1361450, -13062696, 13821877},
504 {-6455177, -7839871, 3374702, -4740862, -27098617, -10571707, 31655028, -7212327, 18853322, -14220951},
505 {4566830, -12963868, -28974889, -12240689, -7602672, -2830569, -8514358, -10431137, 2207753, -3209784},
506 },
507 {
508 {-25154831, -4185821, 29681144, 7868801, -6854661, -9423865, -12437364, -663000, -31111463, -16132436},
509 {25576264, -2703214, 7349804, -11814844, 16472782, 9300885, 3844789, 15725684, 171356, 6466918},
510 {23103977, 13316479, 9739013, -16149481, 817875, -15038942, 8965339, -14088058, -30714912, 16193877},
511 },
512 {
513 {-33521811, 3180713, -2394130, 14003687, -16903474, -16270840, 17238398, 4729455, -18074513, 9256800},
514 {-25182317, -4174131, 32336398, 5036987, -21236817, 11360617, 22616405, 9761698, -19827198, 630305},
515 {-13720693, 2639453, -24237460, -7406481, 9494427, -5774029, -6554551, -15960994, -2449256, -14291300},
516 },
517 {
518 {-3151181, -5046075, 9282714, 6866145, -31907062, -863023, -18940575, 15033784, 25105118, -7894876},
519 {-24326370, 15950226, -31801215, -14592823, -11662737, -5090925, 1573892, -2625887, 2198790, -15804619},
520 {-3099351, 10324967, -2241613, 7453183, -5446979, -2735503, -13812022, -16236442, -32461234, -12290683},
521 },
522 };
523
524 int8_t aslide[256];
525 int8_t bslide[256];
526 ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
527 ge_p1p1 t;
528 ge_p3 u;
529 ge_p3 A2;
530 ge_p2 r;
531 int i;
532
533 slide(aslide, a);
534 slide(bslide, b);
535
536 ge_p3_to_cached(&Ai[0], A);
537 ge_p3_dbl(&t, A);
538 ge_p1p1_to_p3(&A2, &t);
539 ge_add(&t, &A2, &Ai[0]);
540 ge_p1p1_to_p3(&u, &t);
541 ge_p3_to_cached(&Ai[1], &u);
542 ge_add(&t, &A2, &Ai[1]);
543 ge_p1p1_to_p3(&u, &t);
544 ge_p3_to_cached(&Ai[2], &u);
545 ge_add(&t, &A2, &Ai[2]);
546 ge_p1p1_to_p3(&u, &t);
547 ge_p3_to_cached(&Ai[3], &u);
548 ge_add(&t, &A2, &Ai[3]);
549 ge_p1p1_to_p3(&u, &t);
550 ge_p3_to_cached(&Ai[4], &u);
551 ge_add(&t, &A2, &Ai[4]);
552 ge_p1p1_to_p3(&u, &t);
553 ge_p3_to_cached(&Ai[5], &u);
554 ge_add(&t, &A2, &Ai[5]);
555 ge_p1p1_to_p3(&u, &t);
556 ge_p3_to_cached(&Ai[6], &u);
557 ge_add(&t, &A2, &Ai[6]);
558 ge_p1p1_to_p3(&u, &t);
559 ge_p3_to_cached(&Ai[7], &u);
560
561 ge_p2_0(&r);
562
563 for(i = 255; i >= 0; --i) {
564 if(aslide[i] || bslide[i]) {
565 break;
566 }
567 }
568
569 for(; i >= 0; --i) {
570 ge_p2_dbl(&t, &r);
571
572 if(aslide[i] > 0) {
573 ge_p1p1_to_p3(&u, &t);
574 ge_add(&t, &u, &Ai[aslide[i] >> 1]);
575 } else if(aslide[i] < 0) {
576 ge_p1p1_to_p3(&u, &t);
577 ge_sub(&t, &u, &Ai[(-aslide[i]) >> 1]);
578 }
579
580 if(bslide[i] > 0) {
581 ge_p1p1_to_p3(&u, &t);
582 ge_madd(&t, &u, &Bi[bslide[i] >> 1]);
583 } else if(bslide[i] < 0) {
584 ge_p1p1_to_p3(&u, &t);
585 ge_msub(&t, &u, &Bi[(-bslide[i]) >> 1]);
586 }
587
588 ge_p1p1_to_p2(&r, &t);
589 }
590
591 ge_tobytes(out, &r);
592}
References b.
◆ ge_double_scalarmult_vartime() [2/2]
| void Botan::ge_double_scalarmult_vartime | ( | uint8_t | out[32], |
| const uint8_t | a[], | ||
| const ge_p3 * | A, | ||
| const uint8_t | b[] ) |
Referenced by Botan::Ed25519_PublicKey::check_key(), and ed25519_verify().
◆ ge_frombytes_negate_vartime()
| int Botan::ge_frombytes_negate_vartime | ( | ge_p3 * | v, |
| const uint8_t * | s ) |
Definition at line 425 of file ge.cpp.
425 {
427 -10913610, 13857413, -15372611, 6949391, 114729, -8787816, -6275908, -3247719, -18696448, -12055116};
428 static const FE_25519 sqrtm1 = {
429 -32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482};
430
431 FE_25519 u;
432 FE_25519 v;
433 FE_25519 v3;
434 FE_25519 vxx;
435 FE_25519 check;
436
437 fe_frombytes(h->Y, s);
438 fe_1(h->Z);
439 fe_sq(u, h->Y);
440 fe_mul(v, u, d);
443
444 fe_sq(v3, v);
446 fe_sq(h->X, v3);
447 fe_mul(h->X, h->X, v);
449
451 fe_mul(h->X, h->X, v3);
453
454 fe_sq(vxx, h->X);
455 fe_mul(vxx, vxx, v);
460 return -1;
461 }
462 fe_mul(h->X, h->X, sqrtm1);
463 }
464
466 fe_neg(h->X, h->X);
467 }
468
469 fe_mul(h->T, h->X, h->Y);
470 return 0;
471}
References fe_1(), fe_add(), fe_frombytes(), fe_isnegative(), fe_isnonzero(), fe_mul(), fe_neg(), fe_pow22523(), fe_sq(), fe_sub(), Botan::ge_p3::T, Botan::ge_p3::X, Botan::ge_p3::Y, and Botan::ge_p3::Z.
Referenced by Botan::Ed25519_PublicKey::check_key(), and ed25519_verify().
◆ ge_scalarmult_base()
| void Botan::ge_scalarmult_base | ( | uint8_t | out[32], |
| const uint8_t | in[32] ) |
Definition at line 2043 of file ge.cpp.
2043 {
2044 int8_t e[64];
2045 int8_t carry;
2046 ge_p1p1 r;
2047 ge_p2 s;
2048 ge_p3 h;
2049 ge_precomp t;
2050 int i;
2051
2052 for(i = 0; i < 32; ++i) {
2053 e[2 * i + 0] = (a[i] >> 0) & 15;
2054 e[2 * i + 1] = (a[i] >> 4) & 15;
2055 }
2056 /* each e[i] is between 0 and 15 */
2057 /* e[63] is between 0 and 7 */
2058
2059 carry = 0;
2060 for(i = 0; i < 63; ++i) {
2061 e[i] += carry;
2062 carry = e[i] + 8;
2063 carry >>= 4;
2064 e[i] -= carry << 4;
2065 }
2066 e[63] += carry;
2067 /* each e[i] is between -8 and 8 */
2068
2069 ge_p3_0(&h);
2070 for(i = 1; i < 64; i += 2) {
2071 select(&t, B_precomp[i / 2], e[i]);
2072 ge_madd(&r, &h, &t);
2073 ge_p1p1_to_p3(&h, &r);
2074 }
2075
2076 ge_p3_dbl(&r, &h);
2077 ge_p1p1_to_p2(&s, &r);
2078 ge_p2_dbl(&r, &s);
2079 ge_p1p1_to_p2(&s, &r);
2080 ge_p2_dbl(&r, &s);
2081 ge_p1p1_to_p2(&s, &r);
2082 ge_p2_dbl(&r, &s);
2083 ge_p1p1_to_p3(&h, &r);
2084
2085 for(i = 0; i < 64; i += 2) {
2086 select(&t, B_precomp[i / 2], e[i]);
2087 ge_madd(&r, &h, &t);
2088 ge_p1p1_to_p3(&h, &r);
2089 }
2090
2091 ge_p3_tobytes(out, &h);
2092}
References carry().
Referenced by ed25519_gen_keypair(), and ed25519_sign().
◆ generalize_to() [1/2]
template<typename GeneralVariantT , typename SpecialT >
requires (std::is_constructible_v<GeneralVariantT, std::decay_t<SpecialT>>)
requires (std::is_constructible_v<GeneralVariantT, std::decay_t<SpecialT>>)
|
constexprnoexcept |
Converts a given variant into another variant-ish whose type states are a super set of the given variant.
This is useful to convert restricted variant types into more general variants types.
Definition at line 315 of file stl_util.h.
317{
318 return std::forward<SpecialT>(specific);
319}
Referenced by Botan::TLS::Channel_Impl_13::send_handshake_message(), and Botan::TLS::Channel_Impl_13::send_handshake_message().
◆ generalize_to() [2/2]
template<typename GeneralVariantT , typename... SpecialTs>
|
constexprnoexcept |
Converts a given variant into another variant-ish whose type states are a super set of the given variant.
This is useful to convert restricted variant types into more general variants types.
Definition at line 329 of file stl_util.h.
329 {
330 static_assert(
331 is_generalizable_to<GeneralVariantT>(specific),
332 "Desired general type must be implicitly constructible by all types of the specialized std::variant<>");
333 return std::visit([](auto s) -> GeneralVariantT { return s; }, std::move(specific));
334}
References is_generalizable_to().
◆ generate_bcrypt()
| std::string Botan::generate_bcrypt | ( | std::string_view | password, |
| RandomNumberGenerator & | rng, | ||
| uint16_t | work_factor = 12, | ||
| char | version = 'a' ) |
Create a password hash using Bcrypt
Takes the password to hash, a rng, and a work_factor. The resulting password hash is returned as a string.
Higher work factors increase the amount of time the algorithm runs, increasing the cost of cracking attempts. The increase is exponential, so a work factor of 12 takes roughly twice as long as work factor 11. The default work factor was set to 10 up until the 2.8.0 release.
It is recommended to set the work factor as high as your system can tolerate (from a performance and latency perspective) since higher work factors greatly improve the security against GPU-based attacks. For example, for protecting high value administrator passwords, consider using work factor 15 or 16; at these work factors each bcrypt computation takes several seconds. Since admin logins will be relatively uncommon, it might be acceptable for each login attempt to take some time. As of 2018, a good password cracking rig (with 8 NVIDIA 1080 cards) can attempt about 1 billion bcrypt computations per month for work factor 13. For work factor 12, it can do twice as many. For work factor 15, it can do only one quarter as many attempts.
Due to bugs affecting various implementations of bcrypt, several different variants of the algorithm are defined. As of 2.7.0 Botan supports generating (or checking) the 2a, 2b, and 2y variants. Since Botan has never been affected by any of the bugs which necessitated these version upgrades, all three versions are identical beyond the version identifier. Which variant to use is controlled by the version argument.
The bcrypt work_factor must be at least 4 (though at this work factor bcrypt is not very secure). The bcrypt format allows up to 31, but Botan currently rejects all work factors greater than 18 since even that work factor requires roughly 15 seconds of computation on a fast machine.
- Warning
- The password is truncated at at most 72 characters; characters after that do not have any effect on the resulting hash. To support longer passwords, consider pre-hashing the password, for example by using the hex encoding of SHA-256 of the password as the input to bcrypt.
- Parameters
-
password the password. rng a random number generator work_factor how much work to do to slow down guessing attacks version which version to emit (may be 'a', 'b', or 'y' all of which have identical behavior in this implementation).
TODO(Botan4) Convert work_factor to a size_t
Definition at line 144 of file bcrypt.cpp.
144 {
145 /*
146 2a, 2b and 2y are identical for our purposes because our implementation of 2a
147 never had the truncation or signed char bugs in the first place.
148 */
149
150 if(version != 'a' && version != 'b' && version != 'y') {
152 }
153
154 std::vector<uint8_t> salt;
155 rng.random_vec(salt, 16);
156 return make_bcrypt(pass, salt, work_factor, version);
157}
References Botan::RandomNumberGenerator::random_vec().
Referenced by botan_bcrypt_generate().
◆ generate_dsa_primes() [1/2]
| std::vector< uint8_t > Botan::generate_dsa_primes | ( | RandomNumberGenerator & | rng, |
| BigInt & | p_out, | ||
| BigInt & | q_out, | ||
| size_t | pbits, | ||
| size_t | qbits ) |
Generate DSA parameters using the FIPS 186 kosherizer
- Parameters
-
rng a random number generator p_out where the prime p will be stored q_out where the prime q will be stored pbits how long p will be in bits qbits how long q will be in bits
- Returns
- random seed used to generate this parameter set
Definition at line 134 of file dsa_gen.cpp.
134 {
135 while(true) {
136 std::vector<uint8_t> seed(qbits / 8);
137 rng.randomize(seed.data(), seed.size());
138
140 return seed;
141 }
142 }
143}
bool generate_dsa_primes(RandomNumberGenerator &rng, BigInt &p, BigInt &q, size_t pbits, size_t qbits, const std::vector< uint8_t > &seed_c, size_t offset)
Definition dsa_gen.cpp:53
References generate_dsa_primes(), and Botan::RandomNumberGenerator::randomize().
◆ generate_dsa_primes() [2/2]
| bool BOTAN_TEST_API Botan::generate_dsa_primes | ( | RandomNumberGenerator & | rng, |
| BigInt & | p_out, | ||
| BigInt & | q_out, | ||
| size_t | pbits, | ||
| size_t | qbits, | ||
| const std::vector< uint8_t > & | seed, | ||
| size_t | offset = 0 ) |
Generate DSA parameters using the FIPS 186 kosherizer
- Parameters
-
rng a random number generator p_out where the prime p will be stored q_out where the prime q will be stored pbits how long p will be in bits qbits how long q will be in bits seed the seed used to generate the parameters offset optional offset from seed to start searching at
- Returns
- true if seed generated a valid DSA parameter set, otherwise false. p_out and q_out are only valid if true was returned.
Definition at line 53 of file dsa_gen.cpp.
59 {
60 if(!fips186_3_valid_size(pbits, qbits)) {
61 throw Invalid_Argument(fmt("FIPS 186-3 does not allow DSA domain parameters of {}/{} bits long", pbits, qbits));
62 }
63
64 if(seed_c.size() * 8 < qbits) {
65 throw Invalid_Argument(
66 fmt("Generating a DSA parameter set with a {} bit long q requires a seed at least as many bits long", qbits));
67 }
68
69 const std::string hash_name = hash_function_for(qbits);
70 auto hash = HashFunction::create_or_throw(hash_name);
71
72 const size_t HASH_SIZE = hash->output_length();
73
75 public:
77
78 const std::vector<uint8_t>& value() const { return m_seed; }
79
81 for(size_t j = m_seed.size(); j > 0; --j) {
82 if(++m_seed[j - 1]) {
83 break;
84 }
85 }
86 return (*this);
87 }
88
89 private:
90 std::vector<uint8_t> m_seed;
91 };
92
93 Seed seed(seed_c);
94
95 q._assign_from_bytes(hash->process(seed.value()));
96 q.set_bit(qbits - 1);
97 q.set_bit(0);
98
100 return false;
101 }
102
104
105 BigInt X;
106 std::vector<uint8_t> V(HASH_SIZE * (n + 1));
107
108 Modular_Reducer mod_2q(2 * q);
109
110 for(size_t j = 0; j != 4 * pbits; ++j) {
111 for(size_t k = 0; k <= n; ++k) {
112 ++seed;
113 hash->update(seed.value());
114 hash->final(&V[HASH_SIZE * (n - k)]);
115 }
116
117 if(j >= offset) {
118 X._assign_from_bytes(std::span{V}.subspan(HASH_SIZE - 1 - b / 8));
119 X.set_bit(pbits - 1);
120
122
124 return true;
125 }
126 }
127 }
128 return false;
129}
constexpr auto operator++(Strong< T, Tags... > &a, int)
Definition strong_type.h:573
bool is_prime(const BigInt &n, RandomNumberGenerator &rng, size_t prob, bool is_random)
Definition numthry.cpp:355
References Botan::BigInt::_assign_from_bytes(), b, Botan::BigInt::bits(), Botan::HashFunction::create_or_throw(), final, fmt(), is_prime(), operator++(), Botan::Modular_Reducer::reduce(), Botan::BigInt::set_bit(), and X.
Referenced by Botan::DL_Group::DL_Group(), Botan::DL_Group::DL_Group(), and generate_dsa_primes().
◆ generate_mceliece_key()
| McEliece_PrivateKey Botan::generate_mceliece_key | ( | RandomNumberGenerator & | rng, |
| size_t | ext_deg, | ||
| size_t | code_length, | ||
| size_t | t ) |
Definition at line 184 of file code_based_key_gen.cpp.
184 {
185 const size_t codimension = t * ext_deg;
186
187 if(code_length <= codimension) {
189 }
190
191 auto sp_field = std::make_shared<GF2m_Field>(ext_deg);
192
193 //pick the support.........
194 std::vector<gf2m> L(code_length);
195
196 for(size_t i = 0; i != L.size(); i++) {
197 L[i] = static_cast<gf2m>(i);
198 }
199 randomize_support(L, rng);
200 polyn_gf2m g(sp_field); // create as zero
201
202 bool success = false;
203 std::unique_ptr<binary_matrix> R;
204
205 do {
206 // create a random irreducible polynomial
207 g = polyn_gf2m(t, rng, sp_field);
208
209 try {
210 R = generate_R(L, &g, *sp_field, code_length, t);
211 success = true;
212 } catch(const Invalid_State&) {}
213 } while(!success);
214
215 std::vector<polyn_gf2m> sqrtmod = polyn_gf2m::sqrt_mod_init(g);
217
218 // Each F[i] is the (precomputed) syndrome of the error vector with
219 // a single '1' in i-th position.
220 // We do not store the F[i] as polynomials of degree t , but
221 // as binary vectors of length ext_deg * t (this will
222 // speed up the syndrome computation)
223 //
225 std::vector<uint32_t> H(co32 * code_length);
226 uint32_t* sk = H.data();
227 for(size_t i = 0; i < code_length; ++i) {
228 for(size_t l = 0; l < t; ++l) {
229 const size_t k = (l * ext_deg) / 32;
230 const size_t j = (l * ext_deg) % 32;
231 sk[k] ^= static_cast<uint32_t>(F[i].get_coef(l)) << j;
232 if(j + ext_deg > 32) {
233 if(j > 0) {
234 sk[k + 1] ^= F[i].get_coef(l) >> (32 - j);
235 }
236 }
237 }
238 sk += co32;
239 }
240
241 // We need the support L for decoding (decryption). In fact the
242 // inverse is needed
243
244 std::vector<gf2m> Linv(code_length);
245 for(size_t i = 0; i != Linv.size(); ++i) {
247 }
248 std::vector<uint8_t> pubmat(R->elem().size() * 4);
249 for(size_t i = 0; i < R->elem().size(); i++) {
250 store_le(R->elem()[i], &pubmat[i * 4]);
251 }
252
253 return McEliece_PrivateKey(g, H, sqrtmod, Linv, pubmat);
254}
std::vector< polyn_gf2m > syndrome_init(const polyn_gf2m &generator, const std::vector< gf2m > &support, int n)
Definition polyn_gf2m.cpp:608
size_t bit_size_to_32bit_size(size_t bit_size)
Definition code_based_util.h:46
References bit_size_to_32bit_size(), Botan::polyn_gf2m::sqrt_mod_init(), store_le(), and syndrome_init().
Referenced by Botan::McEliece_PrivateKey::McEliece_PrivateKey().
◆ generate_passhash9()
| std::string Botan::generate_passhash9 | ( | std::string_view | password, |
| RandomNumberGenerator & | rng, | ||
| uint16_t | work_factor = 15, | ||
| uint8_t | alg_id = 4 ) |
Create a password hash using PBKDF2
Functions much like generate_bcrypt(). The last parameter, alg_id, specifies which PRF to use. Currently defined values are:
The work_factor must be greater than zero and less than 512. This performs 10000 * work_factor PBKDF2 iterations, using 96 bits of salt taken from rng. Using work factor of 10 or more is recommended.
- Parameters
-
password the password rng a random number generator work_factor how much work to do to slow down guessing attacks alg_id specifies which PRF to use with PBKDF2 0 is HMAC(SHA-1) 1 is HMAC(SHA-256) 2 is CMAC(Blowfish) 3 is HMAC(SHA-384) 4 is HMAC(SHA-512) all other values are currently undefined
Definition at line 46 of file passhash9.cpp.
49 {
51
52 auto prf = get_pbkdf_prf(alg_id);
53
54 if(!prf) {
56 }
57
58 PKCS5_PBKDF2 kdf(std::move(prf));
59
60 secure_vector<uint8_t> salt(SALT_BYTES);
61 rng.randomize(salt.data(), salt.size());
62
63 const size_t kdf_iterations = WORK_FACTOR_SCALE * work_factor;
64
65 secure_vector<uint8_t> blob;
66 blob.push_back(alg_id);
67 blob.push_back(get_byte<0>(work_factor));
68 blob.push_back(get_byte<1>(work_factor));
69 blob += salt;
70 blob += kdf.derive_key(PASSHASH9_PBKDF_OUTPUT_LEN, pass, salt.data(), salt.size(), kdf_iterations).bits_of();
71
72 return MAGIC_PREFIX + base64_encode(blob);
73}
References base64_encode(), Botan::OctetString::bits_of(), BOTAN_ARG_CHECK, Botan::PBKDF::derive_key(), get_byte(), and Botan::RandomNumberGenerator::randomize().
◆ generate_rfc6979_nonce()
|
inline |
- Parameters
-
x the secret (EC)DSA key q the group order h the message hash already reduced mod q hash the hash function used to generate h
Definition at line 52 of file rfc6979.h.
References Botan::BigInt::bits(), and Botan::RFC6979_Nonce_Generator::nonce_for().
◆ generate_rsa_prime()
| BigInt Botan::generate_rsa_prime | ( | RandomNumberGenerator & | keygen_rng, |
| RandomNumberGenerator & | prime_test_rng, | ||
| size_t | bits, | ||
| const BigInt & | coprime, | ||
| size_t | prob = 128 ) |
Generate a prime suitable for RSA p/q
- Parameters
-
keygen_rng a random number generator prime_test_rng a random number generator bits how large the resulting prime should be in bits (must be >= 512) coprime a positive integer that (prime - 1) should be coprime to prob use test so false positive is bounded by 1/2**prob
- Returns
- random prime with the specified criteria
Definition at line 211 of file make_prm.cpp.
215 {
216 if(bits < 512) {
218 }
219
220 /*
221 * The restriction on coprime <= 64 bits is arbitrary but generally speaking
222 * very large RSA public exponents are a bad idea both for performance and due
223 * to attacks on small d.
224 */
226 throw Invalid_Argument("generate_rsa_prime coprime must be small odd positive integer");
227 }
228
229 const size_t MAX_ATTEMPTS = 32 * 1024;
230
232
233 while(true) {
234 BigInt p(keygen_rng, bits);
235
236 /*
237 Force high two bits so multiplication always results in expected n bit integer
238
239 Force the two low bits, and step by 4, so the generated prime is always == 3 (mod 4).
240 This way when we perform the inversion modulo phi(n) it is always of the form 2*o
241 with o odd, which allows a fastpath and avoids leaking any information about the
242 structure of the prime.
243 */
244 p.set_bit(bits - 1);
245 p.set_bit(bits - 2);
246 p.set_bit(1);
247 p.set_bit(0);
248
249 const word step = 4;
250
251 Prime_Sieve sieve(p, bits, step, false);
252
253 for(size_t attempt = 0; attempt <= MAX_ATTEMPTS; ++attempt) {
254 p += step;
255
256 if(!sieve.next()) {
257 continue;
258 }
259
260 BOTAN_DEBUG_ASSERT(no_small_multiples(p, sieve));
261
262 Modular_Reducer mod_p(p);
263
264 /*
265 * Do a single primality test first before checking coprimality, since
266 * currently a single Miller-Rabin test is faster than computing gcd,
267 * and this eliminates almost all wasted gcd computations.
268 */
270 continue;
271 }
272
273 /*
274 * Check if p - 1 and coprime are relatively prime.
275 */
277 continue;
278 }
279
280 if(p.bits() > bits) {
281 break;
282 }
283
285 return p;
286 }
287 }
288 }
289}
bool is_miller_rabin_probable_prime(const BigInt &n, const Modular_Reducer &mod_n, RandomNumberGenerator &rng, size_t test_iterations)
Definition primality.cpp:150
size_t miller_rabin_test_iterations(size_t n_bits, size_t prob, bool random)
Definition primality.cpp:172
References Botan::BigInt::bits(), BOTAN_DEBUG_ASSERT, gcd(), Botan::BigInt::is_even(), is_miller_rabin_probable_prime(), miller_rabin_test_iterations(), and Botan::BigInt::set_bit().
Referenced by Botan::RSA_PrivateKey::RSA_PrivateKey().
◆ get_aead()
|
inline |
Get an AEAD mode by name (eg "AES-128/GCM" or "Serpent/EAX")
- Parameters
-
name AEAD name direction Cipher_Dir::Encryption or Cipher_Dir::Decryption
Definition at line 140 of file aead.h.
140 {
142}
References Botan::AEAD_Mode::create(), and name.
◆ get_byte()
|
inlineconstexpr |
Byte extraction
- Parameters
-
input the value to extract from
- Returns
- byte byte number B of input
Definition at line 75 of file loadstor.h.
77{
79 return static_cast<uint8_t>((input >> shift) & 0xFF);
80}
References T.
Referenced by Botan::TLS::TLS_CBC_HMAC_AEAD_Mode::assoc_data_with_len(), Botan::polyn_gf2m::encode(), Botan::detail::fallback_store_any(), Botan::TLS::Connection_Cipher_State::format_ad(), generate_passhash9(), hex_encode(), hkdf_expand_label(), Botan::TLS::Channel_Impl_12::key_material_export(), Botan::McEliece_PrivateKey::private_key_bits(), Botan::TLS::Application_Layer_Protocol_Notification::serialize(), Botan::TLS::Certificate_Verify::serialize(), Botan::TLS::Cookie::serialize(), Botan::TLS::EarlyDataIndication::serialize(), Botan::TLS::Extensions::serialize(), Botan::TLS::PSK::serialize(), Botan::TLS::Record_Size_Limit::serialize(), Botan::TLS::Server_Hello::serialize(), Botan::TLS::Server_Name_Indicator::serialize(), Botan::TLS::SRTP_Protection_Profiles::serialize(), Botan::TLS::Supported_Groups::serialize(), Botan::TLS::Server_Key_Exchange::Server_Key_Exchange(), Botan::CCM_Mode::set_associated_data_n(), Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::set_associated_data_n(), and Botan::RTSS_Share::split().
◆ get_byte_var()
Byte extraction
- Parameters
-
byte_num which byte to extract, 0 == highest byte input the value to extract from
- Returns
- byte byte_num of input
Definition at line 65 of file loadstor.h.
References T.
Referenced by Botan::TLS::append_tls_length_value(), Botan::BigInt::binary_encode(), Botan::BigInt::byte_at(), copy_out_be(), copy_out_le(), Botan::CCM_Mode::encode_length(), Botan::TLS::Certificate_12::serialize(), and Botan::TLS::Certificate_Status::serialize().
◆ get_cipher() [1/3]
|
inline |
Factory method for general symmetric cipher filters. No key will be set in the filter.
- Parameters
-
algo_spec the name of the desired cipher direction determines whether the filter will be an encrypting or decrypting filter
- Returns
- pointer to the encryption or decryption filter
Definition at line 201 of file filters.h.
201 {
202 auto c = Cipher_Mode::create_or_throw(algo_spec, direction);
204}
Definition filters.h:159
References Botan::Cipher_Mode::create_or_throw().
Referenced by get_cipher(), and get_cipher().
◆ get_cipher() [2/3]
|
inline |
Factory method for general symmetric cipher filters.
- Parameters
-
algo_spec the name of the desired cipher key the key to be used for encryption/decryption performed by the filter direction determines whether the filter will be an encrypting or decrypting filter
- Returns
- pointer to the encryption or decryption filter
Definition at line 215 of file filters.h.
215 {
217 cipher->set_key(key);
218 return cipher;
219}
Definition filters.h:116
virtual void set_key(const SymmetricKey &key)=0
Keyed_Filter * get_cipher(std::string_view algo_spec, Cipher_Dir direction)
Definition filters.h:201
References get_cipher(), and Botan::Keyed_Filter::set_key().
◆ get_cipher() [3/3]
|
inline |
Factory method for general symmetric cipher filters.
- Parameters
-
algo_spec the name of the desired cipher key the key to be used for encryption/decryption performed by the filter iv the initialization vector to be used direction determines whether the filter will be an encrypting or decrypting filter
- Returns
- pointer to newly allocated encryption or decryption filter
Definition at line 231 of file filters.h.
234 {
237 cipher->set_iv(iv);
238 }
239 return cipher;
240}
virtual void set_iv(const InitializationVector &iv)
Definition filters.h:129
References get_cipher(), Botan::OctetString::length(), and Botan::Keyed_Filter::set_iv().
◆ get_cipher_mode()
|
inline |
Get a cipher mode by name (eg "AES-128/CBC" or "Serpent/XTS")
- Parameters
-
algo_spec cipher name direction Cipher_Dir::Encryption or Cipher_Dir::Decryption provider provider implementation to choose
Definition at line 285 of file cipher_mode.h.
285 {
286 return Cipher_Mode::create(algo_spec, direction, provider).release();
287}
References Botan::Cipher_Mode::create().
◆ get_files_recursive()
| BOTAN_TEST_API std::vector< std::string > Botan::get_files_recursive | ( | std::string_view | dir | ) |
Definition at line 121 of file filesystem.cpp.
121 {
122 std::vector<std::string> files;
123
124#if defined(BOTAN_TARGET_OS_HAS_POSIX1)
125 files = impl_readdir(dir);
126#elif defined(BOTAN_TARGET_OS_HAS_WIN32)
127 files = impl_win32(dir);
128#else
129 BOTAN_UNUSED(dir);
131#endif
132
133 std::sort(files.begin(), files.end());
134
135 return files;
136}
Definition filesystem.h:20
References BOTAN_UNUSED.
◆ get_kdf()
|
inline |
Factory method for KDF (key derivation function)
- Parameters
-
algo_spec the name of the KDF to create
- Returns
- pointer to newly allocated object of that type
Prefer KDF::create
Definition at line 215 of file kdf.h.
215 {
216 auto kdf = KDF::create(algo_spec);
217 if(kdf) {
218 return kdf.release();
219 }
220
221 if(algo_spec == "Raw") {
222 return nullptr;
223 }
224
225 throw Algorithm_Not_Found(algo_spec);
226}
References Botan::KDF::create().
◆ get_pbkdf()
|
inline |
Password based key derivation function factory method
- Parameters
-
algo_spec the name of the desired PBKDF algorithm provider the provider to use
- Returns
- pointer to newly allocated object of that type
Definition at line 243 of file pbkdf.h.
243 {
244 return PBKDF::create_or_throw(algo_spec, provider).release();
245}
◆ get_s2k()
|
inline |
◆ get_uint32()
template<WordType W>
|
constexpr |
Definition at line 33 of file pcurves_solinas.h.
33 {
35
37 return xw[i];
38 } else {
39 return static_cast<uint32_t>(xw[i / 2] >> ((i % 2) * 32));
40 }
41}
Referenced by redc_p192(), redc_p224(), redc_p256(), and redc_p384().
◆ gf2p8affine()
Definition at line 53 of file simd_avx2_gfni.h.
◆ gf2p8affineinv()
Definition at line 59 of file simd_avx2_gfni.h.
◆ gfni_matrix()
|
consteval |
Definition at line 19 of file simd_avx2_gfni.h.
19 {
20 uint64_t matrix = 0;
21 size_t bit_cnt = 0;
22 uint8_t row = 0;
23
24 for(char c : s) {
25 if(c == ' ' || c == '\n') {
26 continue;
27 }
28 if(c != '0' && c != '1') {
29 throw std::runtime_error("gfni_matrix: invalid bit value");
30 }
31
32 if(c == '1') {
33 row |= 0x80 >> (7 - bit_cnt % 8);
34 }
35 bit_cnt++;
36
37 if(bit_cnt % 8 == 0) {
38 matrix <<= 8;
39 matrix |= row;
40 row = 0;
41 }
42 }
43
44 if(bit_cnt != 64) {
45 throw std::runtime_error("gfni_matrix: invalid bit count");
46 }
47
48 return matrix;
49}
◆ gray_to_lex()
Definition at line 30 of file code_based_util.h.
30 {
31 gf2m result = gray ^ (gray >> 8);
32 result ^= (result >> 4);
33 result ^= (result >> 2);
34 result ^= (result >> 1);
35 return result;
36}
◆ has_filesystem_impl()
| BOTAN_TEST_API bool Botan::has_filesystem_impl | ( | ) |
Definition at line 111 of file filesystem.cpp.
111 {
112#if defined(BOTAN_TARGET_OS_HAS_POSIX1)
113 return true;
114#elif defined(BOTAN_TARGET_OS_HAS_WIN32)
115 return true;
116#else
117 return false;
118#endif
119}
◆ hex_decode() [1/6]
| std::vector< uint8_t > Botan::hex_decode | ( | const char | input[], |
| size_t | input_length, | ||
| bool | ignore_ws = true ) |
Perform hex decoding
- Parameters
-
input some hex input input_length the length of input in bytes ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- decoded hex output
Definition at line 149 of file hex.cpp.
149 {
150 std::vector<uint8_t> bin(1 + input_length / 2);
151
153
154 bin.resize(written);
155 return bin;
156}
size_t hex_decode(uint8_t output[], const char input[], size_t input_length, size_t &input_consumed, bool ignore_ws)
Definition hex.cpp:73
References hex_decode().
◆ hex_decode() [2/6]
| size_t Botan::hex_decode | ( | std::span< uint8_t > | output, |
| std::string_view | input, | ||
| bool | ignore_ws = true ) |
Perform hex decoding
- Parameters
-
output a contiguous byte buffer of at least input_length/2 bytes input some hex input ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- number of bytes written to output
Definition at line 132 of file hex.cpp.
References hex_decode().
◆ hex_decode() [3/6]
| std::vector< uint8_t > Botan::hex_decode | ( | std::string_view | input, |
| bool | ignore_ws = true ) |
Perform hex decoding
- Parameters
-
input some hex input ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- decoded hex output
Definition at line 158 of file hex.cpp.
References hex_decode().
◆ hex_decode() [4/6]
| size_t Botan::hex_decode | ( | uint8_t | output[], |
| const char | input[], | ||
| size_t | input_length, | ||
| bool | ignore_ws = true ) |
Perform hex decoding
- Parameters
-
output an array of at least input_length/2 bytes input some hex input input_length length of input in bytes ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- number of bytes written to output
Definition at line 117 of file hex.cpp.
117 {
118 size_t consumed = 0;
120
121 if(consumed != input_length) {
123 }
124
125 return written;
126}
References hex_decode().
◆ hex_decode() [5/6]
| size_t Botan::hex_decode | ( | uint8_t | output[], |
| const char | input[], | ||
| size_t | input_length, | ||
| size_t & | input_consumed, | ||
| bool | ignore_ws = true ) |
Perform hex decoding
- Parameters
-
output an array of at least input_length/2 bytes input some hex input input_length length of input in bytes input_consumed is an output parameter which says how many bytes of input were actually consumed. If less than input_length, then the range input[consumed:length] should be passed in later along with more input. ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- number of bytes written to output
Definition at line 73 of file hex.cpp.
73 {
74 uint8_t* out_ptr = output;
75 bool top_nibble = true;
76
77 clear_mem(output, input_length / 2);
78
79 for(size_t i = 0; i != input_length; ++i) {
80 const uint8_t bin = hex_char_to_bin(input[i]);
81
82 if(bin >= 0x10) {
83 if(bin == 0x80 && ignore_ws) {
84 continue;
85 }
86
87 throw Invalid_Argument(fmt("hex_decode: invalid character '{}'", format_char_for_display(input[i])));
88 }
89
90 if(top_nibble) {
91 *out_ptr |= bin << 4;
92 } else {
93 *out_ptr |= bin;
94 }
95
96 top_nibble = !top_nibble;
97 if(top_nibble) {
98 ++out_ptr;
99 }
100 }
101
102 input_consumed = input_length;
104
105 /*
106 * We only got half of a uint8_t at the end; zap the half-written
107 * output and mark it as unread
108 */
109 if(!top_nibble) {
110 *out_ptr = 0;
111 input_consumed -= 1;
112 }
113
114 return written;
115}
References clear_mem(), fmt(), format_char_for_display(), and out_ptr().
Referenced by botan_hex_decode(), Botan::Hex_Decoder::end_msg(), Botan::TLS::Session_Manager_SQL::find_some(), hex_decode(), hex_decode(), hex_decode(), hex_decode(), hex_decode(), hex_decode_locked(), Botan::OctetString::OctetString(), Botan::UUID::UUID(), and Botan::Hex_Decoder::write().
◆ hex_decode() [6/6]
| size_t Botan::hex_decode | ( | uint8_t | output[], |
| std::string_view | input, | ||
| bool | ignore_ws = true ) |
Perform hex decoding
- Parameters
-
output an array of at least input_length/2 bytes input some hex input ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- number of bytes written to output
Definition at line 128 of file hex.cpp.
References hex_decode().
◆ hex_decode_locked() [1/2]
| secure_vector< uint8_t > Botan::hex_decode_locked | ( | const char | input[], |
| size_t | input_length, | ||
| bool | ignore_ws = true ) |
Perform hex decoding
- Parameters
-
input some hex input input_length the length of input in bytes ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- decoded hex output
Definition at line 136 of file hex.cpp.
136 {
137 secure_vector<uint8_t> bin(1 + input_length / 2);
138
140
141 bin.resize(written);
142 return bin;
143}
References hex_decode().
Referenced by Botan::BigInt::decode(), hex_decode_locked(), and Botan::RTSS_Share::RTSS_Share().
◆ hex_decode_locked() [2/2]
| secure_vector< uint8_t > Botan::hex_decode_locked | ( | std::string_view | input, |
| bool | ignore_ws = true ) |
Perform hex decoding
- Parameters
-
input some hex input ignore_ws ignore whitespace on input; if false, throw an exception if whitespace is encountered
- Returns
- decoded hex output
Definition at line 145 of file hex.cpp.
145 {
147}
secure_vector< uint8_t > hex_decode_locked(const char input[], size_t input_length, bool ignore_ws)
Definition hex.cpp:136
References hex_decode_locked().
◆ hex_encode() [1/3]
| void Botan::hex_encode | ( | char | output[], |
| const uint8_t | input[], | ||
| size_t | input_length, | ||
| bool | uppercase = true ) |
Perform hex encoding
- Parameters
-
output an array of at least input_length*2 bytes input is some binary data input_length length of input in bytes uppercase should output be upper or lower case?
Definition at line 35 of file hex.cpp.
35 {
36 for(size_t i = 0; i != input_length; ++i) {
37 const uint16_t h = hex_encode_2nibble(input[i], uppercase);
38 output[2 * i] = get_byte<0>(h);
39 output[2 * i + 1] = get_byte<1>(h);
40 }
41}
References get_byte().
Referenced by botan_hex_encode(), create_hex_fingerprint(), hex_encode(), hex_encode(), Botan::TLS::Session_Manager_SQL::remove(), Botan::TLS::Session_Manager_SQL::retrieve_one(), Botan::TLS::Session_Manager_SQL::store(), Botan::BigInt::to_hex_string(), Botan::OctetString::to_string(), Botan::RTSS_Share::to_string(), Botan::UUID::to_string(), Botan::X509_Certificate::to_string(), Botan::HTTP::url_encode(), and Botan::UUID::UUID().
◆ hex_encode() [2/3]
| std::string Botan::hex_encode | ( | const uint8_t | input[], |
| size_t | input_length, | ||
| bool | uppercase = true ) |
Perform hex encoding
- Parameters
-
input some input input_length length of input in bytes uppercase should output be upper or lower case?
- Returns
- hexadecimal representation of input
Definition at line 43 of file hex.cpp.
43 {
44 std::string output(2 * input_length, 0);
45
46 if(input_length) {
47 hex_encode(&output.front(), input, input_length, uppercase);
48 }
49
50 return output;
51}
References hex_encode().
◆ hex_encode() [3/3]
|
inline |
Perform hex encoding
- Parameters
-
input some input uppercase should output be upper or lower case?
- Returns
- hexadecimal representation of input
Definition at line 43 of file hex.h.
References hex_encode().
◆ hex_to_words()
template<WordType W, size_t N>
|
constexpr |
Definition at line 890 of file mp_core.h.
890 {
891 // Char count includes null terminator which we ignore
892 const constexpr size_t C = N - 1;
893
894 // Number of nibbles that a word can hold
896
897 // Round up to the next number of words that will fit the input
898 const constexpr size_t S = (C + NPW - 1) / NPW;
899
900 auto hex2int = [](char c) -> int8_t {
901 if(c >= '0' && c <= '9') {
902 return static_cast<int8_t>(c - '0');
903 } else if(c >= 'a' && c <= 'f') {
904 return static_cast<int8_t>(c - 'a' + 10);
905 } else if(c >= 'A' && c <= 'F') {
906 return static_cast<int8_t>(c - 'A' + 10);
907 } else {
908 return -1;
909 }
910 };
911
912 std::array<W, S> r = {0};
913
914 for(size_t i = 0; i != C; ++i) {
915 const int8_t c = hex2int(s[i]);
916 if(c >= 0) {
917 shift_left<4>(r);
918 r[0] += c;
919 }
920 }
921
922 return r;
923}
References shift_left().
Referenced by redc_p192(), redc_p224(), redc_p256(), redc_p384(), and redc_p521().
◆ high_bit()
|
inlineconstexpr |
Return the index of the highest set bit T is an unsigned integer type
- Parameters
-
n an integer value
- Returns
- index of the highest set bit in n
Definition at line 58 of file bit_ops.h.
60{
61 size_t hb = 0;
62
64 const size_t z = s * ((~ct_is_zero(n >> s)) & 1);
65 hb += z;
66 n >>= z;
67 }
68
69 hb += n;
70
71 return hb;
72}
References T.
Referenced by Botan::OID::encode_into(), random_prime(), and Botan::BigInt::top_bits_free().
◆ hkdf_expand_label()
| secure_vector< uint8_t > BOTAN_TEST_API Botan::hkdf_expand_label | ( | std::string_view | hash_fn, |
| const uint8_t | secret[], | ||
| size_t | secret_len, | ||
| std::string_view | label, | ||
| const uint8_t | hash_val[], | ||
| size_t | hash_val_len, | ||
| size_t | length ) |
HKDF-Expand-Label from TLS 1.3/QUIC
- Parameters
-
hash_fn the hash to use secret the secret bits secret_len the length of secret label the full label (no "TLS 1.3, " or "tls13 " prefix is applied) hash_val the previous hash value (used for chaining, may be empty) hash_val_len the length of hash_val length the desired output length
Definition at line 131 of file hkdf.cpp.
137 {
141
142 const uint16_t length16 = static_cast<uint16_t>(length);
143
145
146 secure_vector<uint8_t> output(length16);
147 std::vector<uint8_t> prefix(3 + label.size() + 1);
148
149 prefix[0] = get_byte<0>(length16);
150 prefix[1] = get_byte<1>(length16);
151 prefix[2] = static_cast<uint8_t>(label.size());
152
154
155 prefix[3 + label.size()] = static_cast<uint8_t>(hash_val_len);
156
157 /*
158 * We do something a little dirty here to avoid copying the hash_val,
159 * making use of the fact that Botan's KDF interface supports label+salt,
160 * and knowing that our HKDF hashes first param label then param salt.
161 */
162 hkdf.kdf(output.data(), output.size(), secret, secret_len, hash_val, hash_val_len, prefix.data(), prefix.size());
163
164 return output;
165}
Definition hkdf.h:74
References BOTAN_ARG_CHECK, cast_char_ptr_to_uint8(), copy_mem(), Botan::MessageAuthenticationCode::create_or_throw(), fmt(), get_byte(), and Botan::HKDF_Expand::kdf().
◆ holds_any_of()
template<typename... Alts, typename... Ts>
|
constexprnoexcept |
Definition at line 293 of file stl_util.h.
293 {
294 return (std::holds_alternative<Alts>(v) || ...);
295}
Referenced by Botan::TLS::Channel_Impl_13::from_peer().
◆ host_wildcard_match()
| BOTAN_TEST_API bool Botan::host_wildcard_match | ( | std::string_view | wildcard, |
| std::string_view | host ) |
Check if the given hostname is a match for the specified wildcard
Definition at line 252 of file parsing.cpp.
252 {
255
256 if(host.empty() || issued.empty()) {
257 return false;
258 }
259
260 /*
261 If there are embedded nulls in your issued name
262 Well I feel bad for you son
263 */
264 if(std::count(issued.begin(), issued.end(), char(0)) > 0) {
265 return false;
266 }
267
268 // If more than one wildcard, then issued name is invalid
269 const size_t stars = std::count(issued.begin(), issued.end(), '*');
270 if(stars > 1) {
271 return false;
272 }
273
274 // '*' is not a valid character in DNS names so should not appear on the host side
275 if(std::count(host.begin(), host.end(), '*') != 0) {
276 return false;
277 }
278
279 // Similarly a DNS name can't end in .
280 if(host[host.size() - 1] == '.') {
281 return false;
282 }
283
284 // And a host can't have an empty name component, so reject that
285 if(host.find("..") != std::string::npos) {
286 return false;
287 }
288
289 // Exact match: accept
290 if(issued == host) {
291 return true;
292 }
293
294 /*
295 Otherwise it might be a wildcard
296
297 If the issued size is strictly longer than the hostname size it
298 couldn't possibly be a match, even if the issued value is a
299 wildcard. The only exception is when the wildcard ends up empty
300 (eg www.example.com matches www*.example.com)
301 */
302 if(issued.size() > host.size() + 1) {
303 return false;
304 }
305
306 // If no * at all then not a wildcard, and so not a match
307 if(stars != 1) {
308 return false;
309 }
310
311 /*
312 Now walk through the issued string, making sure every character
313 matches. When we come to the (singular) '*', jump forward in the
314 hostname by the corresponding amount. We know exactly how much
315 space the wildcard takes because it must be exactly `len(host) -
316 len(issued) + 1 chars`.
317
318 We also verify that the '*' comes in the leftmost component, and
319 doesn't skip over any '.' in the hostname.
320 */
321 size_t dots_seen = 0;
322 size_t host_idx = 0;
323
324 for(size_t i = 0; i != issued.size(); ++i) {
325 dots_seen += (issued[i] == '.');
326
327 if(issued[i] == '*') {
328 // Fail: wildcard can only come in leftmost component
329 if(dots_seen > 0) {
330 return false;
331 }
332
333 /*
334 Since there is only one * we know the tail of the issued and
335 hostname must be an exact match. In this case advance host_idx
336 to match.
337 */
338 const size_t advance = (host.size() - issued.size() + 1);
339
340 if(host_idx + advance > host.size()) { // shouldn't happen
341 return false;
342 }
343
344 // Can't be any intervening .s that we would have skipped
345 if(std::count(host.begin() + host_idx, host.begin() + host_idx + advance, '.') != 0) {
346 return false;
347 }
348
349 host_idx += advance;
350 } else {
351 if(issued[i] != host[host_idx]) {
352 return false;
353 }
354
355 host_idx += 1;
356 }
357 }
358
359 // Wildcard issued name must have at least 3 components
360 if(dots_seen < 2) {
361 return false;
362 }
363
364 return true;
365}
References tolower_string().
Referenced by Botan::X509_Certificate::matches_dns_name().
◆ ht_sign()
| void Botan::ht_sign | ( | StrongSpan< SphincsHypertreeSignature > | out_sig, |
| const SphincsTreeNode & | message_to_sign, | ||
| const SphincsSecretSeed & | secret_seed, | ||
| XmssTreeIndexInLayer | tree_index_in_layer, | ||
| TreeNodeIndex | idx_leaf, | ||
| const Sphincs_Parameters & | params, | ||
| Sphincs_Hash_Functions & | hashes ) |
FIPS 205, Algorithm 12: ht_sign.
Creates a SLH-DSA XMSS hypertree signature of message_to_sign. The signature is written into the buffer defined by out_sig. tree_index_in_layer and idx_leaf define which XMSS tree of the hypertree and which leaf of this XMSS tree is used for signing.
Definition at line 21 of file sp_hypertree.cpp.
27 {
29 BufferStuffer ht_signature(out_sig);
30
31 Sphincs_Address wots_addr(Sphincs_Address_Type::WotsHash);
32 wots_addr.set_tree_address(tree_index_in_layer).set_keypair_address(idx_leaf);
33
34 Sphincs_Address tree_addr(Sphincs_Address_Type::HashTree);
35
36 SphincsTreeNode xmss_root;
38 // The first XMSS tree signs the message, the others their underlying XMSS tree root
40
41 tree_addr.set_layer_address(layer_idx).set_tree_address(tree_index_in_layer);
42 wots_addr.copy_subtree_from(tree_addr).set_keypair_address(idx_leaf);
43
44 xmss_root = xmss_sign_and_pkgen(ht_signature.next<SphincsXmssSignature>(params.xmss_signature_bytes()),
45 node_to_xmss_sign,
46 secret_seed,
47 wots_addr,
48 tree_addr,
49 idx_leaf,
50 params,
51 hashes);
52
53 // Update the indices for the next layer.
55 tree_index_in_layer = tree_index_in_layer >> params.xmss_tree_height();
56 }
57
58 BOTAN_ASSERT_NOMSG(ht_signature.full());
59}
Definition sp_address.h:34
uint32_t xmss_tree_height() const
Definition sp_parameters.h:135
uint32_t ht_signature_bytes() const
Definition sp_parameters.h:145
uint32_t xmss_signature_bytes() const
Definition sp_parameters.h:140
SphincsTreeNode xmss_sign_and_pkgen(StrongSpan< SphincsXmssSignature > out_sig, const SphincsTreeNode &message, const SphincsSecretSeed &secret_seed, Sphincs_Address &wots_addr, Sphincs_Address &tree_addr, std::optional< TreeNodeIndex > idx_leaf, const Sphincs_Parameters ¶ms, Sphincs_Hash_Functions &hashes)
FIPS 205, Algorithm 10: xmss_sign.
Definition sp_xmss.cpp:19
References BOTAN_ASSERT_NOMSG, Botan::Sphincs_Address::copy_subtree_from(), Botan::Sphincs_Parameters::d(), Botan::BufferStuffer::full(), Botan::detail::Strong_Base< T >::get(), HashTree, Botan::Sphincs_Parameters::ht_signature_bytes(), Botan::BufferStuffer::next(), Botan::Sphincs_Address::set_keypair_address(), Botan::Sphincs_Address::set_layer_address(), Botan::Sphincs_Address::set_tree_address(), Botan::StrongSpan< T >::size(), WotsHash, xmss_sign_and_pkgen(), Botan::Sphincs_Parameters::xmss_signature_bytes(), and Botan::Sphincs_Parameters::xmss_tree_height().
◆ ht_verify()
| bool Botan::ht_verify | ( | const SphincsTreeNode & | signed_msg, |
| StrongSpan< const SphincsHypertreeSignature > | ht_sig, | ||
| const SphincsTreeNode & | pk_root, | ||
| XmssTreeIndexInLayer | tree_index_in_layer, | ||
| TreeNodeIndex | idx_leaf, | ||
| const Sphincs_Parameters & | params, | ||
| Sphincs_Hash_Functions & | hashes ) |
FIPS 205, Algorithm 13: ht_verify.
Given a message signed_msg the SLH-DSA XMSS hypertree is reconstructed using a hypertree signature ht_sig. tree_index_in_layer and idx_leaf define which XMSS tree of the hypertree and which leaf of this XMSS tree was used for signing.
- Returns
- true iff the top-most reconstructed root equals
pk_root
Definition at line 61 of file sp_hypertree.cpp.
67 {
69 BufferSlicer sig_s(ht_sig);
70
71 Sphincs_Address wots_addr(Sphincs_Address_Type::WotsHash);
72 Sphincs_Address tree_addr(Sphincs_Address_Type::HashTree);
73 Sphincs_Address wots_pk_addr(Sphincs_Address_Type::WotsPublicKeyCompression);
74
76
77 // Each iteration reconstructs the root of one XMSS tree of the hypertree
79 // The first XMSS tree signs the message, the others their underlying XMSS tree root
81
82 tree_addr.set_layer_address(layer_idx);
83 tree_addr.set_tree_address(tree_index_in_layer);
84
85 wots_addr.copy_subtree_from(tree_addr);
86 wots_addr.set_keypair_address(idx_leaf);
87
88 wots_pk_addr.copy_keypair_from(wots_addr);
89
92
93 // Compute the leaf node using the WOTS public key.
95
96 // Compute the root node of this subtree.
98 params,
99 hashes,
100 leaf,
101 idx_leaf,
102 0,
104 params.xmss_tree_height(),
105 tree_addr);
106
107 // Update the indices for the next layer.
109 tree_index_in_layer = tree_index_in_layer >> params.xmss_tree_height();
110 }
111
112 BOTAN_ASSERT_NOMSG(sig_s.empty());
113
114 // Check if the root node equals the root node in the public key.
115 return reconstructed_root == pk_root;
116}
WotsPublicKey wots_public_key_from_signature(const SphincsTreeNode &hashed_message, StrongSpan< const WotsSignature > signature, Sphincs_Address &address, const Sphincs_Parameters ¶ms, Sphincs_Hash_Functions &hashes)
FIPS 205, Algorithm 8: wots_pkFromSig.
Definition sp_wots.cpp:103
References BOTAN_ASSERT_NOMSG, compute_root(), Botan::Sphincs_Address::copy_keypair_from(), Botan::Sphincs_Address::copy_subtree_from(), Botan::Sphincs_Parameters::d(), Botan::BufferSlicer::empty(), Botan::detail::Strong_Base< T >::get(), HashTree, Botan::Sphincs_Parameters::ht_signature_bytes(), Botan::Sphincs_Parameters::n(), Botan::Sphincs_Address::set_keypair_address(), Botan::Sphincs_Address::set_layer_address(), Botan::Sphincs_Address::set_tree_address(), Botan::StrongSpan< T >::size(), Botan::Sphincs_Hash_Functions::T(), Botan::BufferSlicer::take(), Botan::Sphincs_Parameters::wots_bytes(), wots_public_key_from_signature(), WotsHash, WotsPublicKeyCompression, and Botan::Sphincs_Parameters::xmss_tree_height().
◆ ieee1363_hash_id()
| uint8_t Botan::ieee1363_hash_id | ( | std::string_view | hash_name | ) |
Return the IEEE 1363 hash identifier
- Parameters
-
hash_name the name of the hash function
- Returns
- uint8_t code identifying the hash, or 0 if not known
Definition at line 144 of file hash_id.cpp.
144 {
146 return 0x33;
147 }
148
150 return 0x38;
151 }
153 return 0x34;
154 }
156 return 0x36;
157 }
159 return 0x35;
160 }
161
163 return 0x31;
164 }
165
167 return 0x37;
168 }
169
170 return 0;
171}
References name.
Referenced by Botan::EMSA_X931::EMSA_X931().
◆ if_work_factor()
| size_t BOTAN_TEST_API Botan::if_work_factor | ( | size_t | n_bits | ) |
Estimate work factor for integer factorization
- Parameters
-
n_bits size of modulus in bits
- Returns
- estimated security level for this modulus
Definition at line 35 of file workfactor.cpp.
35 {
36 if(bits < 512) {
37 return 0;
38 }
39
40 // RFC 3766 estimates k at .02 and o(1) to be effectively zero for sizes of interest
41
42 const double log2_k = -5.6438; // log2(.02)
43 return nfs_workfactor(bits, log2_k);
44}
Referenced by dl_work_factor(), Botan::RSA_PublicKey::estimated_strength(), and Botan::TPM_PrivateKey::estimated_strength().
◆ ignore_param()
Mark variable as unused.
Takes any number of arguments and marks all as unused, for instance BOTAN_UNUSED(a); or BOTAN_UNUSED(x, y, z);
Definition at line 111 of file assert.h.
111{}
Referenced by ignore_params().
◆ ignore_params()
template<typename... T>
|
constexpr |
Definition at line 114 of file assert.h.
References ignore_param().
◆ index_of_first_set_byte()
template<std::unsigned_integral T>
|
constexpr |
Return the index of the first byte with the high bit set
Definition at line 130 of file int_utils.h.
130 {
131 // The constant 0x010101... as a T
133 // The constant 0x808080... as a T
135 // How many bits to shift in order to get the top byte
137
138 return static_cast<size_t>((((((v & hi1) - 1) & lo1) * lo1) >> bits) - 1);
139}
References T.
◆ initialize_allocator()
| void BOTAN_UNSTABLE_API Botan::initialize_allocator | ( | ) |
Ensure the allocator is initialized
Definition at line 63 of file allocator.cpp.
63 {
64#if defined(BOTAN_HAS_LOCKING_ALLOCATOR)
65 mlock_allocator::instance();
66#endif
67}
References Botan::mlock_allocator::instance().
Referenced by Botan::Allocator_Initializer::Allocator_Initializer().
◆ intersects()
|
inline |
Definition at line 71 of file asn1_obj.h.
71 {
72 return static_cast<uint32_t>(x) & static_cast<uint32_t>(y);
73}
◆ inverse_mod()
Modular inversion. This algorithm is const time with respect to x, as long as x is less than modulus. It also avoids leaking information about the modulus, except that it does leak which of 3 categories the modulus is in: an odd integer, a power of 2, or some other even number, and if the modulus is even, leaks the power of 2 which divides the modulus.
- Parameters
-
x a positive integer modulus a positive integer
- Returns
- y st (x*y) % modulus == 1 or 0 if no such value
Definition at line 179 of file mod_inv.cpp.
179 {
180 if(mod.is_zero()) {
182 }
183 if(mod.is_negative() || n.is_negative()) {
184 throw Invalid_Argument("inverse_mod: arguments must be non-negative");
185 }
186 if(n.is_zero() || (n.is_even() && mod.is_even())) {
187 return BigInt::zero();
188 }
189
190 if(mod.is_odd()) {
191 /*
192 Fastpath for common case. This leaks if n is greater than mod or
193 not, but we don't guarantee const time behavior in that case.
194 */
195 if(n < mod) {
196 return inverse_mod_odd_modulus(n, mod);
197 } else {
199 }
200 }
201
202 // If n is even and mod is even we already returned 0
203 // If n is even and mod is odd we jumped directly to odd-modulus algo
204 BOTAN_DEBUG_ASSERT(n.is_odd());
205
207 BOTAN_ASSERT_NOMSG(mod_lz > 0);
208 const size_t mod_bits = mod.bits();
209 BOTAN_ASSERT_NOMSG(mod_bits > mod_lz);
210
211 if(mod_lz == mod_bits - 1) {
212 // In this case we are performing an inversion modulo 2^k
213 return inverse_mod_pow2(n, mod_lz);
214 }
215
216 if(mod_lz == 1) {
217 /*
218 Inversion modulo 2*o is an easier special case of CRT
219
220 This is exactly the main CRT flow below but taking advantage of
221 the fact that any odd number ^-1 modulo 2 is 1. As a result both
222 inv_2k and c can be taken to be 1, m2k is 2, and h is always
223 either 0 or 1, and its value depends only on the low bit of inv_o.
224
225 This is worth special casing because we generate RSA primes such
226 that phi(n) is of this form. However this only works for keys
227 that we generated in this way; pre-existing keys will typically
228 fall back to the general algorithm below.
229 */
230
231 const BigInt o = mod >> 1;
233 const BigInt inv_o = inverse_mod_odd_modulus(n_redc, o);
234
235 // No modular inverse in this case:
236 if(inv_o == 0) {
237 return BigInt::zero();
238 }
239
240 BigInt h = inv_o;
241 h.ct_cond_add(!inv_o.get_bit(0), o);
242 return h;
243 }
244
245 /*
246 * In this case we are performing an inversion modulo 2^k*o for
247 * some k >= 2 and some odd (not necessarily prime) integer.
248 * Compute the inversions modulo 2^k and modulo o, then combine them
249 * using CRT, which is possible because 2^k and o are relatively prime.
250 */
251
252 const BigInt o = mod >> mod_lz;
254 const BigInt inv_o = inverse_mod_odd_modulus(n_redc, o);
255 const BigInt inv_2k = inverse_mod_pow2(n, mod_lz);
256
257 // No modular inverse in this case:
258 if(inv_o == 0 || inv_2k == 0) {
259 return BigInt::zero();
260 }
261
262 const BigInt m2k = BigInt::power_of_2(mod_lz);
263 // Compute the CRT parameter
264 const BigInt c = inverse_mod_pow2(o, mod_lz);
265
266 // Compute h = c*(inv_2k-inv_o) mod 2^k
267 BigInt h = c * (inv_2k - inv_o);
268 const bool h_neg = h.is_negative();
269 h.set_sign(BigInt::Positive);
270 h.mask_bits(mod_lz);
271 const bool h_nonzero = h.is_nonzero();
272 h.ct_cond_assign(h_nonzero && h_neg, m2k - h);
273
274 // Return result inv_o + h * o
275 h *= o;
276 h += inv_o;
277 return h;
278}
References Botan::BigInt::bits(), BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, Botan::BigInt::ct_cond_add(), Botan::BigInt::ct_cond_assign(), ct_modulo(), Botan::BigInt::get_bit(), Botan::BigInt::is_even(), Botan::BigInt::is_negative(), Botan::BigInt::is_nonzero(), Botan::BigInt::is_odd(), Botan::BigInt::is_zero(), low_zero_bits(), Botan::BigInt::mask_bits(), Botan::BigInt::Positive, Botan::BigInt::power_of_2(), Botan::BigInt::set_sign(), and Botan::BigInt::zero().
Referenced by botan_mp_mod_inverse(), Botan::RSA_PrivateKey::check_key(), Botan::Montgomery_Params::inv_mod_p(), Botan::EC_Group_Data::inverse_mod_order(), Botan::DL_Group::inverse_mod_p(), Botan::DL_Group::inverse_mod_q(), Botan::RSA_PrivateKey::RSA_PrivateKey(), and Botan::RSA_PrivateKey::RSA_PrivateKey().
◆ ipv4_to_string()
| std::string BOTAN_TEST_API Botan::ipv4_to_string | ( | uint32_t | ip_addr | ) |
Convert an IPv4 address to a string
- Parameters
-
ip_addr the IPv4 address to convert
- Returns
- string representation of the IPv4 address
Definition at line 225 of file parsing.cpp.
225 {
226 uint8_t bits[4];
227 store_be(ip, bits);
228
229 std::string str;
230
231 for(size_t i = 0; i != 4; ++i) {
232 if(i > 0) {
233 str += ".";
234 }
235 str += std::to_string(bits[i]);
236 }
237
238 return str;
239}
References store_be().
Referenced by Botan::AlternativeName::contents(), Botan::AlternativeName::get_attribute(), and Botan::GeneralName::name().
◆ is_bailie_psw_probable_prime() [1/2]
| bool Botan::is_bailie_psw_probable_prime | ( | const BigInt & | n | ) |
Perform Bailie-PSW primality test
This is a combination of Miller-Rabin with base 2 and a Lucas test. No known composite integer passes both tests, though it is conjectured that infinitely many composite counterexamples exist.
- Parameters
-
n the positive integer to test
- Returns
- true if n seems probably prime, false if n is composite
Definition at line 101 of file primality.cpp.
101 {
102 Modular_Reducer mod_n(n);
104}
Definition reducer.h:20
bool is_bailie_psw_probable_prime(const BigInt &n, const Modular_Reducer &mod_n)
Definition primality.cpp:89
References is_bailie_psw_probable_prime().
◆ is_bailie_psw_probable_prime() [2/2]
| bool BOTAN_TEST_API Botan::is_bailie_psw_probable_prime | ( | const BigInt & | n, |
| const Modular_Reducer & | mod_n ) |
Perform Bailie-PSW primality test
This is a combination of Miller-Rabin with base 2 and a Lucas test. No known composite integer passes both tests, though it is conjectured that infinitely many composite counterexamples exist.
- Parameters
-
n the positive integer to test mod_n a pre-created Modular_Reducer for n
- Returns
- true if n seems probably prime, false if n is composite
Definition at line 89 of file primality.cpp.
89 {
90 if(n == 2) {
91 return true;
93 return false;
94 }
95
96 auto monty_n = std::make_shared<Montgomery_Params>(n, mod_n);
97 const auto base = BigInt::from_word(2);
99}
bool passes_miller_rabin_test(const BigInt &n, const Modular_Reducer &mod_n, const std::shared_ptr< Montgomery_Params > &monty_n, const BigInt &a)
Definition primality.cpp:106
bool is_lucas_probable_prime(const BigInt &C, const Modular_Reducer &mod_C)
Definition primality.cpp:18
References Botan::BigInt::from_word(), Botan::BigInt::is_even(), is_lucas_probable_prime(), and passes_miller_rabin_test().
Referenced by Botan::EC_Group::EC_Group(), is_bailie_psw_probable_prime(), and is_prime().
◆ is_generalizable_to() [1/2]
template<typename GeneralVariantT , typename SpecialT >
|
constexprnoexcept |
Definition at line 298 of file stl_util.h.
298 {
299 return std::is_constructible_v<GeneralVariantT, SpecialT>;
300}
Referenced by generalize_to().
◆ is_generalizable_to() [2/2]
template<typename GeneralVariantT , typename... SpecialTs>
|
constexprnoexcept |
Definition at line 303 of file stl_util.h.
303 {
304 return (std::is_constructible_v<GeneralVariantT, SpecialTs> && ...);
305}
◆ is_lucas_probable_prime()
| bool BOTAN_TEST_API Botan::is_lucas_probable_prime | ( | const BigInt & | n, |
| const Modular_Reducer & | mod_n ) |
Perform Lucas primality test
- See also
- FIPS 186-4 C.3.3
- Warning
- it is possible to construct composite integers which pass this test alone.
- Parameters
-
n the positive integer to test mod_n a pre-created Modular_Reducer for n
- Returns
- true if n seems probably prime, false if n is composite
Definition at line 18 of file primality.cpp.
18 {
19 if(C == 2 || C == 3 || C == 5 || C == 7 || C == 11 || C == 13) {
20 return true;
21 }
22
23 if(C <= 1 || C.is_even()) {
24 return false;
25 }
26
27 BigInt D = BigInt::from_word(5);
28
29 for(;;) {
30 int32_t j = jacobi(D, C);
31 if(j == 0) {
32 return false;
33 }
34
35 if(j == -1) {
36 break;
37 }
38
39 // Check 5, -7, 9, -11, 13, -15, 17, ...
40 if(D.is_negative()) {
41 D.flip_sign();
42 D += 2;
43 } else {
44 D += 2;
45 D.flip_sign();
46 }
47
49 return false;
50 }
51 }
52
55
56 BigInt U = BigInt::one();
57 BigInt V = BigInt::one();
58
59 BigInt Ut, Vt, U2, V2;
60
61 for(size_t i = 0; i != K_bits; ++i) {
63
64 Ut = mod_C.multiply(U, V);
65
66 Vt = mod_C.reduce(mod_C.square(V) + mod_C.multiply(D, mod_C.square(U)));
67 Vt.ct_cond_add(Vt.is_odd(), C);
68 Vt >>= 1;
69 Vt = mod_C.reduce(Vt);
70
71 U = Ut;
72 V = Vt;
73
74 U2 = mod_C.reduce(Ut + Vt);
75 U2.ct_cond_add(U2.is_odd(), C);
76 U2 >>= 1;
77
78 V2 = mod_C.reduce(Vt + Ut * D);
79 V2.ct_cond_add(V2.is_odd(), C);
80 V2 >>= 1;
81
82 U.ct_cond_assign(k_bit, U2);
83 V.ct_cond_assign(k_bit, V2);
84 }
85
86 return (U == 0);
87}
References Botan::BigInt::ct_cond_add(), Botan::BigInt::ct_cond_assign(), Botan::BigInt::flip_sign(), Botan::BigInt::from_word(), Botan::BigInt::is_even(), Botan::BigInt::is_negative(), Botan::BigInt::is_odd(), is_perfect_square(), jacobi(), Botan::Modular_Reducer::multiply(), Botan::BigInt::one(), Botan::Modular_Reducer::reduce(), and Botan::Modular_Reducer::square().
Referenced by is_bailie_psw_probable_prime(), is_prime(), and random_prime().
◆ is_miller_rabin_probable_prime()
| bool BOTAN_TEST_API Botan::is_miller_rabin_probable_prime | ( | const BigInt & | n, |
| const Modular_Reducer & | mod_n, | ||
| RandomNumberGenerator & | rng, | ||
| size_t | t ) |
Perform t iterations of a Miller-Rabin primality test with random bases
- Parameters
-
n the positive integer to test mod_n a pre-created Modular_Reducer for n rng a random number generator t number of tests to perform
- Returns
- result of primality test
Definition at line 150 of file primality.cpp.
153 {
155 return false;
156 }
157
158 auto monty_n = std::make_shared<Montgomery_Params>(n, mod_n);
159
160 for(size_t i = 0; i != test_iterations; ++i) {
161 const BigInt a = BigInt::random_integer(rng, BigInt::from_word(2), n);
162
163 if(!passes_miller_rabin_test(n, mod_n, monty_n, a)) {
164 return false;
165 }
166 }
167
168 // Failed to find a counterexample
169 return true;
170}
References Botan::BigInt::from_word(), Botan::BigInt::is_even(), passes_miller_rabin_test(), and Botan::BigInt::random_integer().
Referenced by generate_rsa_prime(), is_prime(), and random_prime().
◆ is_passhash9_alg_supported()
| bool Botan::is_passhash9_alg_supported | ( | uint8_t | alg_id | ) |
Check if the PRF used with PBKDF2 is supported
- Parameters
-
alg_id alg_id used in generate_passhash9()
Definition at line 128 of file passhash9.cpp.
128 {
129 if(get_pbkdf_prf(alg_id)) {
130 return true;
131 }
132 return false;
133}
◆ is_perfect_square()
Test if the positive integer x is a perfect square ie if there exists some positive integer y st y*y == x See FIPS 186-4 sec C.4
- Returns
- 0 if the integer is not a perfect square, otherwise returns the positive y st y*y == x
Definition at line 321 of file numthry.cpp.
321 {
322 if(C < 1) {
324 }
325 if(C == 1) {
326 return BigInt::one();
327 }
328
329 const size_t n = C.bits();
330 const size_t m = (n + 1) / 2;
331 const BigInt B = C + BigInt::power_of_2(m);
332
333 BigInt X = BigInt::power_of_2(m) - 1;
335
336 for(;;) {
339
340 if(X2 < B) {
341 break;
342 }
343 }
344
345 if(X2 == C) {
347 } else {
348 return BigInt::zero();
349 }
350}
References Botan::BigInt::bits(), Botan::BigInt::one(), Botan::BigInt::power_of_2(), X, and Botan::BigInt::zero().
Referenced by is_lucas_probable_prime().
◆ is_power_of_2()
|
inlineconstexpr |
Power of 2 test. T should be an unsigned integer type
- Parameters
-
arg an integer value
- Returns
- true iff arg is 2^n for some n > 0
Definition at line 45 of file bit_ops.h.
References T.
Referenced by operator%(), Botan::BigInt::operator%=(), Botan::BigInt::operator/=(), Botan::Scrypt::Scrypt(), and Botan::CTR_BE::seek().
◆ is_prime()
| bool Botan::is_prime | ( | const BigInt & | n, |
| RandomNumberGenerator & | rng, | ||
| size_t | prob = 64, | ||
| bool | is_random = false ) |
Check for primality
This uses probabilistic algorithms - there is some non-zero (but very low) probability that this function will return true even if n is actually composite.
- Parameters
-
n a positive integer to test for primality rng a random number generator prob chance of false positive is bounded by 1/2**prob is_random true if n was randomly chosen by us
- Returns
- true if all primality tests passed, otherwise false
Definition at line 355 of file numthry.cpp.
355 {
356 if(n == 2) {
357 return true;
358 }
360 return false;
361 }
362
364
365 // Fast path testing for small numbers (<= 65521)
366 if(n_bits <= 16) {
368
369 return std::binary_search(PRIMES, PRIMES + PRIME_TABLE_SIZE, num);
370 }
371
372 Modular_Reducer mod_n(n);
373
376
378 return false;
379 }
380
381 if(is_random) {
382 return true;
383 } else {
385 }
386 } else {
388 }
389}
virtual bool is_seeded() const =0
References Botan::BigInt::bits(), is_bailie_psw_probable_prime(), Botan::BigInt::is_even(), is_lucas_probable_prime(), is_miller_rabin_probable_prime(), Botan::RandomNumberGenerator::is_seeded(), miller_rabin_test_iterations(), PRIME_TABLE_SIZE, PRIMES, and Botan::BigInt::word_at().
Referenced by botan_mp_is_prime(), Botan::RSA_PrivateKey::check_key(), Botan::DL_Group::DL_Group(), generate_dsa_primes(), random_safe_prime(), Botan::DL_Group::verify_group(), and Botan::EC_Group::verify_group().
◆ jacobi()
Compute the Jacobi symbol. If n is prime, this is equivalent to the Legendre symbol.
- Parameters
-
a is a non-negative integer n is an odd integer > 1
- Returns
- (n / m)
Definition at line 116 of file numthry.cpp.
116 {
119 }
120
121 BigInt x = a % n;
122 BigInt y = n;
123 int32_t J = 1;
124
125 while(y > 1) {
126 x %= y;
127 if(x > y / 2) {
128 x = y - x;
129 if(y % 4 == 3) {
130 J = -J;
131 }
132 }
133 if(x.is_zero()) {
134 return 0;
135 }
136
138 x >>= shifts;
139 if(shifts % 2) {
140 word y_mod_8 = y % 8;
141 if(y_mod_8 == 3 || y_mod_8 == 5) {
142 J = -J;
143 }
144 }
145
146 if(x % 4 == 3 && y % 4 == 3) {
147 J = -J;
148 }
149 std::swap(x, y);
150 }
151 return J;
152}
References Botan::BigInt::is_even(), Botan::BigInt::is_zero(), and low_zero_bits().
Referenced by Botan::DL_Group::DL_Group(), is_lucas_probable_prime(), and sqrt_modulo_prime().
◆ keccak_absorb_padded_strings_encoding()
template<absorbing_object T, typename... Ts>
requires (std::constructible_from<std::span<const uint8_t>, Ts> && ...)
requires (std::constructible_from<std::span<const uint8_t>, Ts> && ...)
| size_t Botan::keccak_absorb_padded_strings_encoding | ( | T & | sink, |
| size_t | padding_mod, | ||
| Ts... | byte_strings ) |
This is a combination of the functions encode_string() and bytepad() defined in NIST SP.800-185 Section 2.3. Additionally, the result is directly streamed into the provided XOF to avoid unneccessary memory allocation or a byte vector.
- Parameters
-
sink the XOF or byte vector to absorb the byte_stringsintopadding_mod the modulus value to create a padding for (NIST calls this 'w') byte_strings a variable-length list of byte strings to be encoded and absorbed into the given xof
- Returns
- the number of bytes absorbed into the
xof
Definition at line 91 of file keccak_helpers.h.
91 {
92 BOTAN_ASSERT_NOMSG(padding_mod > 0);
93
94 // used as temporary storage for all integer encodings in this function
95 std::array<uint8_t, keccak_max_int_encoding_size()> int_encoding_buffer;
96
97 // absorbs byte strings and counts the number of absorbed bytes
98 size_t bytes_absorbed = 0;
99 auto absorb = [&](std::span<const uint8_t> bytes) {
101 sink.update(bytes);
102 } else if constexpr(appendable_object<T>) {
103 sink.insert(sink.end(), bytes.begin(), bytes.end());
104 }
105 bytes_absorbed += bytes.size();
106 };
107
108 // encodes a given string and absorbs it into the XOF straight away
109 auto encode_string_and_absorb = [&](std::span<const uint8_t> bytes) {
110 absorb(keccak_int_left_encode(int_encoding_buffer, bytes.size() * 8));
111 absorb(bytes);
112 };
113
114 // absorbs as many zero-bytes as requested into the XOF
115 auto absorb_padding = [&](size_t padding_bytes) {
116 for(size_t i = 0; i < padding_bytes; ++i) {
117 const uint8_t zero_byte = 0;
118 absorb({&zero_byte, 1});
119 }
120 };
121
122 // implementation of bytepad(encode_string(Ts) || ...) that absorbs the result
123 // staight into the given xof
124 absorb(keccak_int_left_encode(int_encoding_buffer, padding_mod));
125 (encode_string_and_absorb(byte_strings), ...);
126 absorb_padding(padding_mod - (bytes_absorbed % padding_mod));
127
128 return bytes_absorbed;
129}
Definition keccak_helpers.h:70
std::span< const uint8_t > keccak_int_left_encode(std::span< uint8_t > out, size_t x)
Definition keccak_helpers.cpp:41
constexpr size_t keccak_max_int_encoding_size()
Definition keccak_helpers.h:65
References BOTAN_ASSERT_NOMSG, keccak_int_left_encode(), and keccak_max_int_encoding_size().
◆ keccak_int_encoding_size()
| BOTAN_TEST_API size_t Botan::keccak_int_encoding_size | ( | size_t | x | ) |
- Returns
- the required bytes for encodings of keccak_int_left_encode() or keccak_int_right_encode() given an integer
x
Definition at line 54 of file keccak_helpers.cpp.
54 {
55 return int_encoding_size(x) + 1 /* the length tag */;
56}
◆ keccak_int_left_encode()
| BOTAN_TEST_API std::span< const uint8_t > Botan::keccak_int_left_encode | ( | std::span< uint8_t > | buffer, |
| size_t | x ) |
Integer encoding defined in NIST SP.800-185 that can be unambiguously parsed from the beginning of the string.
This function does not allocate any memory and requires the caller to provide a sufficiently large buffer. For a given x, this will need exactly keccak_int_encoding_size() bytes. For an arbitrary x it will generate keccak_max_int_encoding_size() bytes at most.
- Parameters
-
buffer buffer to write the left-encoding of xto. It is assumed that the buffer will hold at least keccak_int_encoding_size() bytes.x the integer to be left-encoded
- Returns
- the byte span that represents the bytes written to
buffer.
Definition at line 41 of file keccak_helpers.cpp.
41 {
42 BOTAN_ASSERT_NOMSG(!out.empty());
43 out[0] = encode(out.last(out.size() - 1), x);
44 return out.first(out[0] + 1 /* the length tag */);
45}
References BOTAN_ASSERT_NOMSG.
Referenced by keccak_absorb_padded_strings_encoding().
◆ keccak_int_right_encode()
| BOTAN_TEST_API std::span< const uint8_t > Botan::keccak_int_right_encode | ( | std::span< uint8_t > | out, |
| size_t | x ) |
Integer encoding defined in NIST SP.800-185 that can be unambiguously parsed from the end of the string.
This function does not allocate any memory and requires the caller to provide a sufficiently large buffer. For a given x, this will need exactly keccak_int_encoding_size() bytes. For an arbitrary x it will generate keccak_max_int_encoding_size() bytes at most.
- Parameters
-
out buffer to write the right-encoding of xto. It is assumed that the buffer will hold at least keccak_int_encoding_size() bytes.x the integer to be right-encoded
- Returns
- the byte span that represents the bytes written to
buffer.
Definition at line 47 of file keccak_helpers.cpp.
47 {
48 const auto bytes_needed = encode(out, x);
50 out[bytes_needed] = bytes_needed;
51 return out.first(bytes_needed + 1 /* the length tag */);
52}
References BOTAN_ASSERT_NOMSG.
◆ keccak_max_int_encoding_size()
|
constexpr |
- Returns
- the maximum required bytes for encodings of keccak_int_left_encode() or keccak_int_right_encode()
Definition at line 65 of file keccak_helpers.h.
65 {
66 return sizeof(size_t) + 1 /* the length tag */;
67}
Referenced by keccak_absorb_padded_strings_encoding().
◆ Keccak_Permutation_round()
|
inline |
Definition at line 15 of file keccak_perm_round.h.
15 {
16 const uint64_t C0 = A[0] ^ A[5] ^ A[10] ^ A[15] ^ A[20];
17 const uint64_t C1 = A[1] ^ A[6] ^ A[11] ^ A[16] ^ A[21];
18 const uint64_t C2 = A[2] ^ A[7] ^ A[12] ^ A[17] ^ A[22];
19 const uint64_t C3 = A[3] ^ A[8] ^ A[13] ^ A[18] ^ A[23];
20 const uint64_t C4 = A[4] ^ A[9] ^ A[14] ^ A[19] ^ A[24];
21
22 const uint64_t D0 = rotl<1>(C0) ^ C3;
23 const uint64_t D1 = rotl<1>(C1) ^ C4;
24 const uint64_t D2 = rotl<1>(C2) ^ C0;
25 const uint64_t D3 = rotl<1>(C3) ^ C1;
26 const uint64_t D4 = rotl<1>(C4) ^ C2;
27
28 const uint64_t B00 = A[0] ^ D1;
29 const uint64_t B01 = rotl<44>(A[6] ^ D2);
30 const uint64_t B02 = rotl<43>(A[12] ^ D3);
31 const uint64_t B03 = rotl<21>(A[18] ^ D4);
32 const uint64_t B04 = rotl<14>(A[24] ^ D0);
33 T[0] = B00 ^ (~B01 & B02) ^ RC;
34 T[1] = B01 ^ (~B02 & B03);
35 T[2] = B02 ^ (~B03 & B04);
36 T[3] = B03 ^ (~B04 & B00);
37 T[4] = B04 ^ (~B00 & B01);
38
39 const uint64_t B05 = rotl<28>(A[3] ^ D4);
40 const uint64_t B06 = rotl<20>(A[9] ^ D0);
41 const uint64_t B07 = rotl<3>(A[10] ^ D1);
42 const uint64_t B08 = rotl<45>(A[16] ^ D2);
43 const uint64_t B09 = rotl<61>(A[22] ^ D3);
44 T[5] = B05 ^ (~B06 & B07);
45 T[6] = B06 ^ (~B07 & B08);
46 T[7] = B07 ^ (~B08 & B09);
47 T[8] = B08 ^ (~B09 & B05);
48 T[9] = B09 ^ (~B05 & B06);
49
50 const uint64_t B10 = rotl<1>(A[1] ^ D2);
51 const uint64_t B11 = rotl<6>(A[7] ^ D3);
52 const uint64_t B12 = rotl<25>(A[13] ^ D4);
53 const uint64_t B13 = rotl<8>(A[19] ^ D0);
54 const uint64_t B14 = rotl<18>(A[20] ^ D1);
55 T[10] = B10 ^ (~B11 & B12);
56 T[11] = B11 ^ (~B12 & B13);
57 T[12] = B12 ^ (~B13 & B14);
58 T[13] = B13 ^ (~B14 & B10);
59 T[14] = B14 ^ (~B10 & B11);
60
61 const uint64_t B15 = rotl<27>(A[4] ^ D0);
62 const uint64_t B16 = rotl<36>(A[5] ^ D1);
63 const uint64_t B17 = rotl<10>(A[11] ^ D2);
64 const uint64_t B18 = rotl<15>(A[17] ^ D3);
65 const uint64_t B19 = rotl<56>(A[23] ^ D4);
66 T[15] = B15 ^ (~B16 & B17);
67 T[16] = B16 ^ (~B17 & B18);
68 T[17] = B17 ^ (~B18 & B19);
69 T[18] = B18 ^ (~B19 & B15);
70 T[19] = B19 ^ (~B15 & B16);
71
72 const uint64_t B20 = rotl<62>(A[2] ^ D3);
73 const uint64_t B21 = rotl<55>(A[8] ^ D4);
74 const uint64_t B22 = rotl<39>(A[14] ^ D0);
75 const uint64_t B23 = rotl<41>(A[15] ^ D1);
76 const uint64_t B24 = rotl<2>(A[21] ^ D2);
77 T[20] = B20 ^ (~B21 & B22);
78 T[21] = B21 ^ (~B22 & B23);
79 T[22] = B22 ^ (~B23 & B24);
80 T[23] = B23 ^ (~B24 & B20);
81 T[24] = B24 ^ (~B20 & B21);
82}
◆ key_constraints_to_string()
|
inline |
Definition at line 31 of file pkix_types.h.
31 {
33}
◆ latin1_to_utf8()
| BOTAN_TEST_API std::string Botan::latin1_to_utf8 | ( | const uint8_t | chars[], |
| size_t | len ) |
Definition at line 89 of file charset.cpp.
89 {
90 std::string s;
91 for(size_t i = 0; i != len; ++i) {
92 const uint32_t c = static_cast<uint8_t>(chars[i]);
93 append_utf8_for(s, c);
94 }
95 return s;
96}
Referenced by Botan::ASN1_String::decode_from().
◆ lcm()
Least common multiple
- Parameters
-
x a positive integer y a positive integer
- Returns
- z, smallest integer such that z % x == 0 and z % y == 0
Definition at line 270 of file numthry.cpp.
270 {
271 if(a == b) {
272 return a;
273 }
274
275 auto ab = a * b;
276 ab.set_sign(BigInt::Positive); // ignore the signs of a & b
277 const auto g = gcd(a, b);
278 return ct_divide(ab, g);
279}
References b, ct_divide(), gcd(), and Botan::BigInt::Positive.
Referenced by Botan::RSA_PrivateKey::check_key(), Botan::RSA_PrivateKey::RSA_PrivateKey(), and Botan::RSA_PrivateKey::RSA_PrivateKey().
◆ lex_to_gray()
Definition at line 38 of file code_based_util.h.
38 {
39 return (lex >> 1) ^ lex;
40}
Referenced by syndrome_init().
◆ lmots_compute_pubkey_from_sig()
| BOTAN_TEST_API LMOTS_K Botan::lmots_compute_pubkey_from_sig | ( | const LMOTS_Signature & | sig, |
| const LMS_Message & | msg, | ||
| const LMS_Identifier & | identifier, | ||
| LMS_Tree_Node_Idx | q ) |
Compute a public key candidate for an OTS-signature-message pair and the OTS instance parameters.
Defined in RFC 8554 4.6 - Algorithm 4b
Definition at line 327 of file lm_ots.cpp.
330 {
332
333 // Alg. 4b 3.
334
336
337 // Prefill the final hash object
338 const auto pk_hash = params.hash();
339 pk_hash->update(identifier);
340 pk_hash->update(store_be(q));
341 pk_hash->update(store_be(D_PBLC));
342
343 Chain_Generator chain_gen(identifier, q);
344 const auto hash = params.hash();
345 LMOTS_Node tmp(params.n());
346 for(uint16_t i = 0; i < params.p(); ++i) {
347 const uint8_t a = coef(Q_with_cksm, i, params);
348 chain_gen.process(*hash, i, a, params.coef_max(), sig.y(i), tmp);
349 pk_hash->update(tmp);
350 }
351 // Alg. 4b 4.
352 return pk_hash->final<LMOTS_K>();
353}
StrongSpan< const LMOTS_Node > y(uint16_t chain_idx) const
Returns the part of the signature for chain_idx.
Definition lm_ots.h:202
LMOTS_Algorithm_Type algorithm_type() const
Returns the LM-OTS algorithm type.
Definition lm_ots.h:192
References Botan::LMOTS_Signature::algorithm_type(), Botan::LMOTS_Signature::C(), Botan::LMOTS_Params::create_or_throw(), store_be(), and Botan::LMOTS_Signature::y().
◆ load_3()
|
inline |
Definition at line 19 of file ed25519_internal.h.
19 {
20 return static_cast<uint64_t>(in[0]) | (static_cast<uint64_t>(in[1]) << 8) | (static_cast<uint64_t>(in[2]) << 16);
21}
Referenced by Botan::FE_25519::from_bytes(), sc_muladd(), and sc_reduce().
◆ load_4()
|
inline |
Definition at line 23 of file ed25519_internal.h.
23 {
24 return load_le<uint32_t>(in, 0);
25}
References load_le().
Referenced by Botan::FE_25519::from_bytes(), sc_muladd(), and sc_reduce().
◆ load_be()
template<typename OutT = detail::AutoDetect, typename... ParamTs>
|
inlineconstexpr |
Load "something" in big endian byte order See the documentation of this file for more details.
Definition at line 530 of file loadstor.h.
530 {
531 return detail::load_any<detail::Endianness::Big, OutT>(std::forward<ParamTs>(params)...);
532}
References Botan::detail::load_any().
Referenced by Botan::TLS::Datagram_Handshake_IO::add_record(), base58_check_decode(), check_passhash9(), Botan::SHA_256::compress_digest(), Botan::SHA_512::compress_digest(), Botan::SHA_512::compress_digest_bmi2(), Botan::SHA_256::compress_digest_x86_bmi2(), Botan::SHA_1::compress_n(), Botan::SM3::compress_n(), Botan::Whirlpool::compress_n(), Botan::AlternativeName::decode_from(), Botan::GeneralName::decode_from(), Botan::TLS::Session::decrypt(), Botan::CryptoBox::decrypt_bin(), Botan::Blowfish::decrypt_n(), Botan::CAST_128::decrypt_n(), Botan::DES::decrypt_n(), Botan::Noekeon::decrypt_n(), Botan::SEED::decrypt_n(), Botan::SHACAL2::decrypt_n(), Botan::SM4::decrypt_n(), Botan::TripleDES::decrypt_n(), Botan::Blowfish::encrypt_n(), Botan::CAST_128::encrypt_n(), Botan::DES::encrypt_n(), Botan::Noekeon::encrypt_n(), Botan::SEED::encrypt_n(), Botan::SHACAL2::encrypt_n(), Botan::SM4::encrypt_n(), Botan::TripleDES::encrypt_n(), Botan::HSS_LMS_PrivateKeyInternal::from_bytes_or_throw(), Botan::HSS_LMS_PublicKeyInternal::from_bytes_or_throw(), Botan::HSS_Signature::from_bytes_or_throw(), Botan::LMOTS_Signature::from_bytes_or_throw(), Botan::LMS_PublicKey::from_bytes_or_throw(), Botan::LMS_Signature::from_bytes_or_throw(), Botan::HOTP::generate_hotp(), Botan::TLS::TLS_Data_Reader::get_elem(), Botan::SIMD_4x32::load_be(), nist_key_unwrap(), nist_key_unwrap_padded(), Botan::TLS::Server_Hello_12::random_signals_downgrade(), Botan::TLS::Server_Hello_13::random_signals_downgrade(), Botan::CTR_BE::seek(), ucs2_to_utf8(), and ucs4_to_utf8().
◆ load_le()
template<typename OutT = detail::AutoDetect, typename... ParamTs>
|
inlineconstexpr |
Load "something" in little endian byte order See the documentation of this file for more details.
Definition at line 521 of file loadstor.h.
521 {
522 return detail::load_any<detail::Endianness::Little, OutT>(std::forward<ParamTs>(params)...);
523}
References Botan::detail::load_any().
Referenced by Botan::Keccak_Permutation::absorb(), Botan::SIMD_16x32::BOTAN_FUNC_ISA(), Botan::SIMD_8x32::BOTAN_FUNC_ISA(), Botan::Gf448Elem::bytes_are_canonical_representation(), Botan::MD4::compress_n(), Botan::MD5::compress_n(), Botan::RIPEMD_160::compress_n(), Botan::Sodium::crypto_core_hsalsa20(), Botan::GOST_28147_89::decrypt_n(), Botan::Kuznyechik::decrypt_n(), Botan::Serpent::decrypt_n(), Botan::Threefish_512::decrypt_n(), Botan::Twofish::decrypt_n(), Botan::FrodoMatrix::deserialize(), ed25519_verify(), Botan::GOST_28147_89::encrypt_n(), Botan::Kuznyechik::encrypt_n(), Botan::Serpent::encrypt_n(), Botan::Threefish_512::encrypt_n(), Botan::Twofish::encrypt_n(), Botan::Dilithium_Algos::expand_A(), Botan::Gf448Elem::Gf448Elem(), load_4(), Botan::SIMD_4x32::load_le(), Botan::Kyber_Algos::load_le3(), Botan::FrodoMatrix::mul_add_as_plus_e(), Botan::FrodoMatrix::mul_add_sa_plus_e(), random_prime(), Botan::FrodoMatrix::sample(), Botan::Dilithium_Algos::sample_in_ball(), Botan::ChaCha::seek(), Botan::Salsa20::seek(), Botan::Salsa20::set_iv_bytes(), Botan::Threefish_512::set_tweak(), Botan::Sodium::sodium_free(), Botan::CRYSTALS::unpack(), and xts_update_tweak_block().
◆ load_private_key()
| std::unique_ptr< Private_Key > Botan::load_private_key | ( | const AlgorithmIdentifier & | alg_id, |
| std::span< const uint8_t > | key_bits ) |
Definition at line 272 of file pk_algs.cpp.
273 {
276 std::string_view alg_name = alg_info[0];
277
278#if defined(BOTAN_HAS_RSA)
279 if(alg_name == "RSA") {
280 return std::make_unique<RSA_PrivateKey>(alg_id, key_bits);
281 }
282#endif
283
284#if defined(BOTAN_HAS_X25519)
285 if(alg_name == "X25519" || alg_name == "Curve25519") {
286 return std::make_unique<X25519_PrivateKey>(alg_id, key_bits);
287 }
288#endif
289
290#if defined(BOTAN_HAS_X448)
291 if(alg_name == "X448") {
292 return std::make_unique<X448_PrivateKey>(alg_id, key_bits);
293 }
294#endif
295
296#if defined(BOTAN_HAS_ECDSA)
297 if(alg_name == "ECDSA") {
298 return std::make_unique<ECDSA_PrivateKey>(alg_id, key_bits);
299 }
300#endif
301
302#if defined(BOTAN_HAS_ECDH)
303 if(alg_name == "ECDH") {
304 return std::make_unique<ECDH_PrivateKey>(alg_id, key_bits);
305 }
306#endif
307
308#if defined(BOTAN_HAS_DIFFIE_HELLMAN)
309 if(alg_name == "DH") {
310 return std::make_unique<DH_PrivateKey>(alg_id, key_bits);
311 }
312#endif
313
314#if defined(BOTAN_HAS_DSA)
315 if(alg_name == "DSA") {
316 return std::make_unique<DSA_PrivateKey>(alg_id, key_bits);
317 }
318#endif
319
320#if defined(BOTAN_HAS_FRODOKEM)
321 if(alg_name == "FrodoKEM" || alg_name.starts_with("FrodoKEM-") || alg_name.starts_with("eFrodoKEM-")) {
322 return std::make_unique<FrodoKEM_PrivateKey>(alg_id, key_bits);
323 }
324#endif
325
326#if defined(BOTAN_HAS_KYBER) || defined(BOTAN_HAS_KYBER_90S)
327 if(alg_name == "Kyber" || alg_name.starts_with("Kyber-")) {
328 return std::make_unique<Kyber_PrivateKey>(alg_id, key_bits);
329 }
330#endif
331
332#if defined(BOTAN_HAS_ML_KEM)
333 if(alg_name.starts_with("ML-KEM-")) {
334 return std::make_unique<ML_KEM_PrivateKey>(alg_id, key_bits);
335 }
336#endif
337
338#if defined(BOTAN_HAS_MCELIECE)
339 if(alg_name == "McEliece") {
340 return std::make_unique<McEliece_PrivateKey>(key_bits);
341 }
342#endif
343
344#if defined(BOTAN_HAS_ECGDSA)
345 if(alg_name == "ECGDSA") {
346 return std::make_unique<ECGDSA_PrivateKey>(alg_id, key_bits);
347 }
348#endif
349
350#if defined(BOTAN_HAS_ECKCDSA)
351 if(alg_name == "ECKCDSA") {
352 return std::make_unique<ECKCDSA_PrivateKey>(alg_id, key_bits);
353 }
354#endif
355
356#if defined(BOTAN_HAS_ED25519)
357 if(alg_name == "Ed25519") {
358 return std::make_unique<Ed25519_PrivateKey>(alg_id, key_bits);
359 }
360#endif
361
362#if defined(BOTAN_HAS_ED448)
363 if(alg_name == "Ed448") {
364 return std::make_unique<Ed448_PrivateKey>(alg_id, key_bits);
365 }
366#endif
367
368#if defined(BOTAN_HAS_GOST_34_10_2001)
369 if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" || alg_name == "GOST-34.10-2012-512") {
370 return std::make_unique<GOST_3410_PrivateKey>(alg_id, key_bits);
371 }
372#endif
373
374#if defined(BOTAN_HAS_SM2)
375 if(alg_name == "SM2" || alg_name == "SM2_Sig" || alg_name == "SM2_Enc") {
376 return std::make_unique<SM2_PrivateKey>(alg_id, key_bits);
377 }
378#endif
379
380#if defined(BOTAN_HAS_ELGAMAL)
381 if(alg_name == "ElGamal") {
382 return std::make_unique<ElGamal_PrivateKey>(alg_id, key_bits);
383 }
384#endif
385
386#if defined(BOTAN_HAS_XMSS_RFC8391)
387 if(alg_name == "XMSS") {
388 return std::make_unique<XMSS_PrivateKey>(key_bits);
389 }
390#endif
391
392#if defined(BOTAN_HAS_DILITHIUM) || defined(BOTAN_HAS_DILITHIUM_AES)
393 if(alg_name == "Dilithium" || alg_name.starts_with("Dilithium-")) {
394 return std::make_unique<Dilithium_PrivateKey>(alg_id, key_bits);
395 }
396#endif
397
398#if defined(BOTAN_HAS_ML_DSA)
399 if(alg_name.starts_with("ML-DSA-")) {
400 return std::make_unique<ML_DSA_PrivateKey>(alg_id, key_bits);
401 }
402#endif
403
404#if defined(BOTAN_HAS_HSS_LMS)
405 if(alg_name == "HSS-LMS-Private-Key") {
406 return std::make_unique<HSS_LMS_PrivateKey>(key_bits);
407 }
408#endif
409
410#if defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2) || defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE)
411 if(alg_name == "SPHINCS+" || alg_name.starts_with("SphincsPlus-")) {
412 return std::make_unique<SphincsPlus_PrivateKey>(alg_id, key_bits);
413 }
414#endif
415
416#if defined(BOTAN_HAS_SLH_DSA_WITH_SHA2) || defined(BOTAN_HAS_SLH_DSA_WITH_SHAKE)
417 if(alg_name.starts_with("SLH-DSA-") || alg_name.starts_with("Hash-SLH-DSA-")) {
418 return std::make_unique<SLH_DSA_PrivateKey>(alg_id, key_bits);
419 }
420#endif
421
423}
References fmt(), Botan::AlgorithmIdentifier::oid(), split_on(), and Botan::OID::to_formatted_string().
◆ load_public_key()
| std::unique_ptr< Public_Key > Botan::load_public_key | ( | const AlgorithmIdentifier & | alg_id, |
| std::span< const uint8_t > | key_bits ) |
Definition at line 119 of file pk_algs.cpp.
120 {
123 std::string_view alg_name = alg_info[0];
124
125#if defined(BOTAN_HAS_RSA)
126 if(alg_name == "RSA") {
127 return std::make_unique<RSA_PublicKey>(alg_id, key_bits);
128 }
129#endif
130
131#if defined(BOTAN_HAS_X25519)
132 if(alg_name == "X25519" || alg_name == "Curve25519") {
133 return std::make_unique<X25519_PublicKey>(alg_id, key_bits);
134 }
135#endif
136
137#if defined(BOTAN_HAS_X448)
138 if(alg_name == "X448") {
139 return std::make_unique<X448_PublicKey>(alg_id, key_bits);
140 }
141#endif
142
143#if defined(BOTAN_HAS_MCELIECE)
144 if(alg_name == "McEliece") {
145 return std::make_unique<McEliece_PublicKey>(key_bits);
146 }
147#endif
148
149#if defined(BOTAN_HAS_FRODOKEM)
150 if(alg_name == "FrodoKEM" || alg_name.starts_with("FrodoKEM-") || alg_name.starts_with("eFrodoKEM-")) {
151 return std::make_unique<FrodoKEM_PublicKey>(alg_id, key_bits);
152 }
153#endif
154
155#if defined(BOTAN_HAS_KYBER) || defined(BOTAN_HAS_KYBER_90S)
156 if(alg_name == "Kyber" || alg_name.starts_with("Kyber-")) {
157 return std::make_unique<Kyber_PublicKey>(alg_id, key_bits);
158 }
159#endif
160
161#if defined(BOTAN_HAS_ML_KEM)
162 if(alg_name.starts_with("ML-KEM-")) {
163 return std::make_unique<ML_KEM_PublicKey>(alg_id, key_bits);
164 }
165#endif
166
167#if defined(BOTAN_HAS_ECDSA)
168 if(alg_name == "ECDSA") {
169 return std::make_unique<ECDSA_PublicKey>(alg_id, key_bits);
170 }
171#endif
172
173#if defined(BOTAN_HAS_ECDH)
174 if(alg_name == "ECDH") {
175 return std::make_unique<ECDH_PublicKey>(alg_id, key_bits);
176 }
177#endif
178
179#if defined(BOTAN_HAS_DIFFIE_HELLMAN)
180 if(alg_name == "DH") {
181 return std::make_unique<DH_PublicKey>(alg_id, key_bits);
182 }
183#endif
184
185#if defined(BOTAN_HAS_DSA)
186 if(alg_name == "DSA") {
187 return std::make_unique<DSA_PublicKey>(alg_id, key_bits);
188 }
189#endif
190
191#if defined(BOTAN_HAS_ELGAMAL)
192 if(alg_name == "ElGamal") {
193 return std::make_unique<ElGamal_PublicKey>(alg_id, key_bits);
194 }
195#endif
196
197#if defined(BOTAN_HAS_ECGDSA)
198 if(alg_name == "ECGDSA") {
199 return std::make_unique<ECGDSA_PublicKey>(alg_id, key_bits);
200 }
201#endif
202
203#if defined(BOTAN_HAS_ECKCDSA)
204 if(alg_name == "ECKCDSA") {
205 return std::make_unique<ECKCDSA_PublicKey>(alg_id, key_bits);
206 }
207#endif
208
209#if defined(BOTAN_HAS_ED25519)
210 if(alg_name == "Ed25519") {
211 return std::make_unique<Ed25519_PublicKey>(alg_id, key_bits);
212 }
213#endif
214
215#if defined(BOTAN_HAS_ED448)
216 if(alg_name == "Ed448") {
217 return std::make_unique<Ed448_PublicKey>(alg_id, key_bits);
218 }
219#endif
220
221#if defined(BOTAN_HAS_GOST_34_10_2001)
222 if(alg_name == "GOST-34.10" || alg_name == "GOST-34.10-2012-256" || alg_name == "GOST-34.10-2012-512") {
223 return std::make_unique<GOST_3410_PublicKey>(alg_id, key_bits);
224 }
225#endif
226
227#if defined(BOTAN_HAS_SM2)
228 if(alg_name == "SM2" || alg_name == "SM2_Sig" || alg_name == "SM2_Enc") {
229 return std::make_unique<SM2_PublicKey>(alg_id, key_bits);
230 }
231#endif
232
233#if defined(BOTAN_HAS_XMSS_RFC8391)
234 if(alg_name == "XMSS") {
235 return std::make_unique<XMSS_PublicKey>(key_bits);
236 }
237#endif
238
239#if defined(BOTAN_HAS_DILITHIUM) || defined(BOTAN_HAS_DILITHIUM_AES)
240 if(alg_name == "Dilithium" || alg_name.starts_with("Dilithium-")) {
241 return std::make_unique<Dilithium_PublicKey>(alg_id, key_bits);
242 }
243#endif
244
245#if defined(BOTAN_HAS_ML_DSA)
246 if(alg_name.starts_with("ML-DSA-")) {
247 return std::make_unique<ML_DSA_PublicKey>(alg_id, key_bits);
248 }
249#endif
250
251#if defined(BOTAN_HAS_HSS_LMS)
252 if(alg_name == "HSS-LMS") {
253 return std::make_unique<HSS_LMS_PublicKey>(key_bits);
254 }
255#endif
256
257#if defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHA2) || defined(BOTAN_HAS_SPHINCS_PLUS_WITH_SHAKE)
258 if(alg_name == "SPHINCS+" || alg_name.starts_with("SphincsPlus-")) {
259 return std::make_unique<SphincsPlus_PublicKey>(alg_id, key_bits);
260 }
261#endif
262
263#if defined(BOTAN_HAS_SLH_DSA_WITH_SHA2) || defined(BOTAN_HAS_SLH_DSA_WITH_SHAKE)
264 if(alg_name.starts_with("SLH-DSA-") || alg_name.starts_with("Hash-SLH-DSA-")) {
265 return std::make_unique<SLH_DSA_PublicKey>(alg_id, key_bits);
266 }
267#endif
268
270}
References fmt(), Botan::AlgorithmIdentifier::oid(), split_on(), and Botan::OID::to_formatted_string().
Referenced by Botan::TLS::Hybrid_KEM_PublicKey::load_for_group(), and Botan::X509::load_key().
◆ lock()
template<typename T >
| secure_vector< T > Botan::lock | ( | const std::vector< T > & | in | ) |
Definition at line 70 of file secmem.h.
Referenced by Botan::Semaphore::acquire(), Botan::OID_Map::add_oid(), Botan::OID_Map::add_oid2str(), Botan::OID_Map::add_str2oid(), Botan::Memory_Pool::allocate(), Botan::Stateful_RNG::clear(), Botan::Memory_Pool::deallocate(), Botan::Stateful_RNG::force_reseed(), Botan::Stateful_RNG::initialize_with(), Botan::Stateful_RNG::is_seeded(), Botan::OID_Map::oid2str(), Botan::Thread_Pool::queue_thunk(), Botan::TPM2::PrivateKey::raw_private_key_bits(), Botan::Semaphore::release(), Botan::Stateful_RNG::reseed(), Botan::Stateful_RNG::reseed_from_rng(), Botan::Thread_Pool::shutdown(), Botan::OID_Map::str2oid(), Botan::Barrier::sync(), and Botan::Barrier::wait().
◆ low_zero_bits()
| size_t Botan::low_zero_bits | ( | const BigInt & | x | ) |
- Parameters
-
x an integer
- Returns
- count of the low zero bits in x, or, equivalently, the largest value of n such that 2^n divides x evenly. Returns zero if x is equal to zero.
Definition at line 167 of file numthry.cpp.
167 {
168 size_t low_zero = 0;
169
171
172 for(size_t i = 0; i != n.size(); ++i) {
174
175 // ctz(0) will return sizeof(word)
177
178 // if x > 0 we want to count tz_x in total but not any
179 // further words, so set the mask after the addition
180 low_zero += seen_nonempty_word.if_not_set_return(tz_x);
181
182 seen_nonempty_word |= CT::Mask<word>::expand(x);
183 }
184
185 // if we saw no words with x > 0 then n == 0 and the value we have
186 // computed is meaningless. Instead return BigInt::zero() in that case.
187 return static_cast<size_t>(seen_nonempty_word.if_set_return(low_zero));
188}
References Botan::CT::Mask< T >::cleared(), ctz(), Botan::CT::Mask< T >::expand(), Botan::BigInt::size(), and Botan::BigInt::word_at().
Referenced by inverse_mod(), jacobi(), passes_miller_rabin_test(), Botan::RSA_PrivateKey::RSA_PrivateKey(), and sqrt_modulo_prime().
◆ majority()
Definition at line 199 of file bit_ops.h.
199 {
200 /*
201 Considering each bit of a, b, c individually
202
203 If a xor b is set, then c is the deciding vote.
204
205 If a xor b is not set then either a and b are both set or both unset.
206 In either case the value of c doesn't matter, and examining b (or a)
207 allows us to determine which case we are in.
208 */
210}
Referenced by SHA2_32_F(), and SHA2_64_F().
◆ make_commoncrypto_block_cipher()
| std::unique_ptr< BlockCipher > Botan::make_commoncrypto_block_cipher | ( | std::string_view | name | ) |
Definition at line 133 of file commoncrypto_block.cpp.
133 {
134 try {
137 } catch(CommonCrypto_Error& e) {
138 return nullptr;
139 }
140}
References commoncrypto_opts_from_algo_name(), make_commoncrypto_block_cipher(), and name.
Referenced by Botan::BlockCipher::create(), and make_commoncrypto_block_cipher().
◆ make_commoncrypto_cipher_mode()
| std::unique_ptr< Cipher_Mode > Botan::make_commoncrypto_cipher_mode | ( | std::string_view | name, |
| Cipher_Dir | direction ) |
Definition at line 212 of file commoncrypto_mode.cpp.
212 {
213 try {
216 } catch(CommonCrypto_Error& e) {
217 return nullptr;
218 }
219}
CommonCryptor_Opts commoncrypto_opts_from_algo(std::string_view algo)
Definition commoncrypto_utils.cpp:96
References commoncrypto_opts_from_algo(), make_commoncrypto_cipher_mode(), and name.
Referenced by Botan::Cipher_Mode::create(), and make_commoncrypto_cipher_mode().
◆ make_commoncrypto_hash()
| std::unique_ptr< HashFunction > Botan::make_commoncrypto_hash | ( | std::string_view | name | ) |
Definition at line 80 of file commoncrypto_hash.cpp.
80 {
81#define MAKE_COMMONCRYPTO_HASH_3(name, hash, ctx) \
82 std::unique_ptr<HashFunction>(new CommonCrypto_HashFunction<CC_##ctx##_CTX>({std::string(name), \
83 CC_##hash##_DIGEST_LENGTH, \
84 CC_##hash##_BLOCK_BYTES, \
85 CC_##hash##_Init, \
86 CC_##hash##_Update, \
87 CC_##hash##_Final}));
88
89#define MAKE_COMMONCRYPTO_HASH_2(name, id) MAKE_COMMONCRYPTO_HASH_3(name, id, id)
90
91#define MAKE_COMMONCRYPTO_HASH_1(id) MAKE_COMMONCRYPTO_HASH_2(#id, id)
92
93#if defined(BOTAN_HAS_SHA2_32)
98#endif
99#if defined(BOTAN_HAS_SHA2_64)
104#endif
105
106#if defined(BOTAN_HAS_SHA1)
109#endif
110
111 return nullptr;
112}
#define MAKE_COMMONCRYPTO_HASH_2(name, id)
#define MAKE_COMMONCRYPTO_HASH_3(name, hash, ctx)
References MAKE_COMMONCRYPTO_HASH_2, MAKE_COMMONCRYPTO_HASH_3, and name.
Referenced by Botan::HashFunction::create().
◆ make_compressor()
|
inline |
Definition at line 153 of file compression.h.
153 {
154 return Compression_Algorithm::create(type).release();
155}
References Botan::Compression_Algorithm::create().
◆ make_decompressor()
|
inline |
Definition at line 159 of file compression.h.
159 {
160 return Decompression_Algorithm::create(type).release();
161}
References Botan::Decompression_Algorithm::create().
◆ make_uint16()
|
inlineconstexpr |
Make a uint16_t from two bytes
- Parameters
-
i0 the first byte i1 the second byte
- Returns
- i0 || i1
Definition at line 88 of file loadstor.h.
88 {
89 return static_cast<uint16_t>((static_cast<uint16_t>(i0) << 8) | i1);
90}
Referenced by Botan::TLS::Certificate_Request_12::Certificate_Request_12(), Botan::TLS::TLS_Data_Reader::get_uint16_t(), Botan::Kyber_Modern_Symmetric_Primitives::get_XOF(), Botan::ML_KEM_Symmetric_Primitives::get_XOF(), Botan::TLS::TLS_Data_Reader::peek_uint16_t(), random_gf2m(), Botan::RTSS_Share::reconstruct(), and Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::set_associated_data_n().
◆ make_uint32()
|
inlineconstexpr |
Make a uint32_t from four bytes
- Parameters
-
i0 the first byte i1 the second byte i2 the third byte i3 the fourth byte
- Returns
- i0 || i1 || i2 || i3
Definition at line 100 of file loadstor.h.
100 {
101 return ((static_cast<uint32_t>(i0) << 24) | (static_cast<uint32_t>(i1) << 16) | (static_cast<uint32_t>(i2) << 8) |
102 (static_cast<uint32_t>(i3)));
103}
Referenced by Botan::TLS::Certificate_12::Certificate_12(), Botan::TLS::Certificate_Status::Certificate_Status(), Botan::TLS::Stream_Handshake_IO::get_next_record(), Botan::TLS::TLS_Data_Reader::get_uint24_t(), Botan::TLS::TLS_Data_Reader::get_uint32_t(), and Botan::SIMD_4x32::splat_u8().
◆ make_uint64()
|
inlineconstexpr |
Make a uint64_t from eight bytes
- Parameters
-
i0 the first byte i1 the second byte i2 the third byte i3 the fourth byte i4 the fifth byte i5 the sixth byte i6 the seventh byte i7 the eighth byte
- Returns
- i0 || i1 || i2 || i3 || i4 || i5 || i6 || i7
Definition at line 117 of file loadstor.h.
118 {
119 return ((static_cast<uint64_t>(i0) << 56) | (static_cast<uint64_t>(i1) << 48) | (static_cast<uint64_t>(i2) << 40) |
120 (static_cast<uint64_t>(i3) << 32) | (static_cast<uint64_t>(i4) << 24) | (static_cast<uint64_t>(i5) << 16) |
121 (static_cast<uint64_t>(i6) << 8) | (static_cast<uint64_t>(i7)));
122}
◆ map_remove_if()
Definition at line 70 of file stl_util.h.
70 {
71 auto i = assoc.begin();
72 while(i != assoc.end()) {
73 if(pred(i->first)) {
74 assoc.erase(i++);
75 } else {
76 i++;
77 }
78 }
79}
Referenced by Botan::TLS::Channel_Impl_12::activate_session().
◆ mceliece_decrypt() [1/3]
| secure_vector< uint8_t > Botan::mceliece_decrypt | ( | secure_vector< gf2m > & | error_pos, |
| const uint8_t * | ciphertext, | ||
| size_t | ciphertext_len, | ||
| const McEliece_PrivateKey & | key ) |
p_err_pos_len must point to the available length of error_pos on input, the function will set it to the actual number of errors returned in the error_pos array
Definition at line 148 of file goppa_code.cpp.
151 {
156 const unsigned unused_pt_bits = dimension % 8;
157 const uint8_t unused_pt_bits_mask = (1 << unused_pt_bits) - 1;
158
161 }
163
164 if(cleartext_len != bit_size_to_byte_size(dimension)) {
165 throw Invalid_Argument("mce-decryption: wrong length of cleartext buffer");
166 }
167
168 secure_vector<uint32_t> syndrome_vec(bit_size_to_32bit_size(codimension));
169 matrix_arr_mul(key.get_H_coeffs(),
170 key.get_code_length(),
171 bit_size_to_32bit_size(codimension),
172 ciphertext,
173 syndrome_vec.data(),
174 syndrome_vec.size());
175
176 secure_vector<uint8_t> syndrome_byte_vec(bit_size_to_byte_size(codimension));
177 const size_t syndrome_byte_vec_size = syndrome_byte_vec.size();
178 for(size_t i = 0; i < syndrome_byte_vec_size; i++) {
179 syndrome_byte_vec[i] = static_cast<uint8_t>(syndrome_vec[i / 4] >> (8 * (i % 4)));
180 }
181
182 syndrome_polyn = polyn_gf2m(
183 t - 1, syndrome_byte_vec.data(), bit_size_to_byte_size(codimension), key.get_goppa_polyn().get_sp_field());
184
185 syndrome_polyn.get_degree();
186 error_pos = goppa_decode(syndrome_polyn, key.get_goppa_polyn(), key.get_sqrtmod(), key.get_Linv());
187
188 const size_t nb_err = error_pos.size();
189
190 secure_vector<uint8_t> cleartext(cleartext_len);
191 copy_mem(cleartext.data(), ciphertext, cleartext_len);
192
193 for(size_t i = 0; i < nb_err; i++) {
194 gf2m current = error_pos[i];
195
196 if(current >= cleartext_len * 8) {
197 // an invalid position, this shouldn't happen
198 continue;
199 }
200 cleartext[current / 8] ^= (1 << (current % 8));
201 }
202
203 if(unused_pt_bits) {
204 cleartext[cleartext_len - 1] &= unused_pt_bits_mask;
205 }
206
207 return cleartext;
208}
const std::vector< polyn_gf2m > & get_sqrtmod() const
Definition mceliece.h:123
const polyn_gf2m & get_goppa_polyn() const
Definition mceliece_key.cpp:52
const std::vector< gf2m > & get_Linv() const
Definition mceliece.h:121
const std::vector< uint32_t > & get_H_coeffs() const
Definition mceliece.h:119
size_t get_message_word_bit_length() const
Definition mceliece_key.cpp:56
Definition polyn_gf2m.h:26
std::shared_ptr< GF2m_Field > get_sp_field() const
Definition polyn_gf2m.h:76
size_t bit_size_to_byte_size(size_t bit_size)
Definition code_based_util.h:42
References bit_size_to_32bit_size(), bit_size_to_byte_size(), copy_mem(), Botan::McEliece_PublicKey::get_code_length(), Botan::McEliece_PrivateKey::get_codimension(), Botan::polyn_gf2m::get_degree(), Botan::McEliece_PrivateKey::get_dimension(), Botan::McEliece_PrivateKey::get_goppa_polyn(), Botan::McEliece_PrivateKey::get_H_coeffs(), Botan::McEliece_PrivateKey::get_Linv(), Botan::McEliece_PublicKey::get_message_word_bit_length(), Botan::polyn_gf2m::get_sp_field(), and Botan::McEliece_PrivateKey::get_sqrtmod().
◆ mceliece_decrypt() [2/3]
| void Botan::mceliece_decrypt | ( | secure_vector< uint8_t > & | plaintext, |
| secure_vector< uint8_t > & | error_mask, | ||
| const uint8_t | ciphertext[], | ||
| size_t | ciphertext_len, | ||
| const McEliece_PrivateKey & | key ) |
Definition at line 124 of file goppa_code.cpp.
128 {
129 secure_vector<gf2m> error_pos;
130 plaintext = mceliece_decrypt(error_pos, ciphertext, ciphertext_len, key);
131
133 secure_vector<uint8_t> result((code_length + 7) / 8);
134 for(auto&& pos : error_pos) {
135 if(pos > code_length) {
137 }
138 result[pos / 8] |= (1 << (pos % 8));
139 }
140
141 error_mask = result;
142}
void mceliece_decrypt(secure_vector< uint8_t > &plaintext_out, secure_vector< uint8_t > &error_mask_out, const secure_vector< uint8_t > &ciphertext, const McEliece_PrivateKey &key)
Definition goppa_code.cpp:117
References Botan::McEliece_PublicKey::get_code_length(), and mceliece_decrypt().
◆ mceliece_decrypt() [3/3]
| void Botan::mceliece_decrypt | ( | secure_vector< uint8_t > & | plaintext_out, |
| secure_vector< uint8_t > & | error_mask_out, | ||
| const secure_vector< uint8_t > & | ciphertext, | ||
| const McEliece_PrivateKey & | key ) |
Definition at line 117 of file goppa_code.cpp.
120 {
121 mceliece_decrypt(plaintext_out, error_mask_out, ciphertext.data(), ciphertext.size(), key);
122}
References mceliece_decrypt().
Referenced by Botan::McEliece_PrivateKey::check_key(), mceliece_decrypt(), and mceliece_decrypt().
◆ mceliece_encrypt()
| void Botan::mceliece_encrypt | ( | secure_vector< uint8_t > & | ciphertext_out, |
| secure_vector< uint8_t > & | error_mask_out, | ||
| const secure_vector< uint8_t > & | plaintext, | ||
| const McEliece_PublicKey & | key, | ||
| RandomNumberGenerator & | rng ) |
Definition at line 109 of file mceliece.cpp.
113 {
115
117
118 secure_vector<uint8_t> ciphertext =
120
121 ciphertext ^= error_mask;
122
123 ciphertext_out.swap(ciphertext);
124 error_mask_out.swap(error_mask);
125}
const std::vector< uint8_t > & get_public_matrix() const
Definition mceliece.h:56
References Botan::McEliece_PublicKey::get_code_length(), Botan::McEliece_PublicKey::get_public_matrix(), and Botan::McEliece_PublicKey::get_t().
Referenced by Botan::McEliece_PrivateKey::check_key().
◆ mceliece_work_factor()
| size_t Botan::mceliece_work_factor | ( | size_t | code_size, |
| size_t | t ) |
Estimate work factor for McEliece
- Returns
- estimated security level for these key parameters
Definition at line 90 of file mce_workfactor.cpp.
90 {
92
93 double min = cout_total(n, k, t, 0, 0); // correspond a p=1
94 for(size_t p = 0; p != t / 2; ++p) {
95 double lwf = best_wf(n, k + 1, t, p);
96 if(lwf < 0) {
97 break;
98 }
99
100 min = std::min(min, lwf);
101 }
102
103 return static_cast<size_t>(min);
104}
References ceil_log2().
Referenced by Botan::McEliece_PublicKey::estimated_strength().
◆ mgf1_mask() [1/2]
| void Botan::mgf1_mask | ( | HashFunction & | hash, |
| const uint8_t | in[], | ||
| size_t | in_len, | ||
| uint8_t | out[], | ||
| size_t | out_len ) |
MGF1 from PKCS #1 v2.0
- Parameters
-
hash hash function to use in input buffer in_len size of the input buffer in bytes out output buffer. The buffer is XORed with the output of MGF1. out_len size of the output buffer in bytes
Definition at line 15 of file mgf1.cpp.
15 {
16 uint32_t counter = 0;
17
18 std::vector<uint8_t> buffer(hash.output_length());
19 while(out_len) {
20 hash.update(in, in_len);
21 hash.update_be(counter);
22 hash.final(buffer.data());
23
24 const size_t xored = std::min<size_t>(buffer.size(), out_len);
25 xor_buf(out, buffer.data(), xored);
26 out += xored;
27 out_len -= xored;
28
29 ++counter;
30 }
31}
virtual size_t output_length() const =0
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:341
References Botan::Buffered_Computation::final(), Botan::Buffered_Computation::output_length(), Botan::Buffered_Computation::update(), Botan::Buffered_Computation::update_be(), and xor_buf().
Referenced by mgf1_mask().
◆ mgf1_mask() [2/2]
|
inline |
Definition at line 28 of file mgf1.h.
28 {
29 mgf1_mask(hash, input.data(), input.size(), output.data(), output.size());
30}
void mgf1_mask(HashFunction &hash, const uint8_t in[], size_t in_len, uint8_t out[], size_t out_len)
Definition mgf1.cpp:15
References mgf1_mask().
◆ miller_rabin_test_iterations()
| size_t Botan::miller_rabin_test_iterations | ( | size_t | n_bits, |
| size_t | prob, | ||
| bool | random ) |
Return required number of Miller-Rabin tests in order to reach the specified probability of error.
- Parameters
-
n_bits the bit-length of the integer being tested prob chance of false positive is bounded by 1/2**prob random is set if (and only if) the integer was randomly generated by us and thus cannot have been maliciously constructed.
Definition at line 172 of file primality.cpp.
172 {
173 const size_t base = (prob + 2) / 2; // worst case 4^-t error rate
174
175 /*
176 * If the candidate prime was maliciously constructed, we can't rely
177 * on arguments based on p being random.
178 */
179 if(random == false) {
180 return base;
181 }
182
183 /*
184 * For randomly chosen numbers we can use the estimates from
185 * http://www.math.dartmouth.edu/~carlp/PDF/paper88.pdf
186 *
187 * These values are derived from the inequality for p(k,t) given on
188 * the second page.
189 */
190 if(prob <= 128) {
191 if(n_bits >= 1536) {
192 return 4; // < 2^-133
193 }
194 if(n_bits >= 1024) {
195 return 6; // < 2^-133
196 }
197 if(n_bits >= 512) {
198 return 12; // < 2^-129
199 }
200 if(n_bits >= 256) {
201 return 29; // < 2^-128
202 }
203 }
204
205 /*
206 If the user desires a smaller error probability than we have
207 precomputed error estimates for, just fall back to using the worst
208 case error rate.
209 */
210 return base;
211}
Referenced by generate_rsa_prime(), is_prime(), and random_prime().
◆ modular_inverse()
template<std::integral T, std::integral T2 = next_longer_int_t<T>>
requires (sizeof(T) <= 4)
requires (sizeof(T) <= 4)
|
consteval |
Calculate the modular multiplacative inverse of q modulo m. By default, this assumes m to be 2^bitlength of T for application in a Montgomery reduction.
Definition at line 94 of file pqcrystals_helpers.h.
References extended_euclidean_algorithm(), and T.
◆ montgomery_R()
Definition at line 44 of file pqcrystals_helpers.h.
44 {
45 using T_unsigned = std::make_unsigned_t<T>;
48}
std::conditional_t< sizeof(T)==1, uint16_t, std::conditional_t< sizeof(T)==2, uint32_t, std::conditional_t< sizeof(T)==4, uint64_t, void > > > next_longer_uint_t
Definition pqcrystals_helpers.h:28
References T.
Referenced by montgomery_R2().
◆ montgomery_R2()
Definition at line 52 of file pqcrystals_helpers.h.
52 {
55}
std::conditional_t< sizeof(T)==1, int16_t, std::conditional_t< sizeof(T)==2, int32_t, std::conditional_t< sizeof(T)==4, int64_t, void > > > next_longer_int_t
Definition pqcrystals_helpers.h:35
References montgomery_R().
◆ monty_execute()
| BigInt Botan::monty_execute | ( | const Montgomery_Exponentation_State & | precomputed_state, |
| const BigInt & | k, | ||
| size_t | max_k_bits ) |
Definition at line 151 of file monty_exp.cpp.
151 {
152 return precomputed_state.exponentiation(k, max_k_bits);
153}
References monty_execute().
Referenced by monty_execute(), monty_exp(), and passes_miller_rabin_test().
◆ monty_execute_vartime()
| BigInt Botan::monty_execute_vartime | ( | const Montgomery_Exponentation_State & | precomputed_state, |
| const BigInt & | k ) |
Definition at line 155 of file monty_exp.cpp.
155 {
156 return precomputed_state.exponentiation_vartime(k);
157}
References monty_execute_vartime().
Referenced by monty_execute_vartime(), and monty_exp_vartime().
◆ monty_exp()
|
inline |
Definition at line 41 of file monty_exp.h.
44 {
47}
BigInt monty_execute(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k, size_t max_k_bits)
Definition monty_exp.cpp:151
std::shared_ptr< const Montgomery_Exponentation_State > monty_precompute(const std::shared_ptr< const Montgomery_Params > ¶ms, const BigInt &g, size_t window_bits, bool const_time)
Definition monty_exp.cpp:146
References monty_execute(), and monty_precompute().
Referenced by power_mod().
◆ monty_exp_vartime()
|
inline |
Definition at line 49 of file monty_exp.h.
51 {
54}
BigInt monty_execute_vartime(const Montgomery_Exponentation_State &precomputed_state, const BigInt &k)
Definition monty_exp.cpp:155
References monty_execute_vartime(), and monty_precompute().
Referenced by sqrt_modulo_prime().
◆ monty_inverse()
template<WordType W>
|
inlineconstexpr |
Definition at line 832 of file mp_core.h.
832 {
833 if(a % 2 == 0) {
835 }
836
837 /*
838 * From "A New Algorithm for Inversion mod p^k" by Çetin Kaya Koç
839 * https://eprint.iacr.org/2017/411.pdf sections 5 and 7.
840 */
841
842 W b = 1;
843 W r = 0;
844
845 for(size_t i = 0; i != WordInfo<W>::bits; ++i) {
846 const W bi = b % 2;
847 r >>= 1;
848 r += bi << (WordInfo<W>::bits - 1);
849
850 b -= a * bi;
851 b >>= 1;
852 }
853
854 // Now invert in addition space
855 r = (WordInfo<W>::max - r) + 1;
856
857 return r;
858}
References b.
Referenced by Botan::Montgomery_Params::Montgomery_Params(), and Botan::Montgomery_Params::Montgomery_Params().
◆ monty_multi_exp()
| BigInt Botan::monty_multi_exp | ( | const std::shared_ptr< const Montgomery_Params > & | params_p, |
| const BigInt & | x, | ||
| const BigInt & | z1, | ||
| const BigInt & | y, | ||
| const BigInt & | z2 ) |
Return (x^z1 * y^z2) % p
Definition at line 159 of file monty_exp.cpp.
163 {
166 }
167
169
170 secure_vector<word> ws;
171
172 const Montgomery_Int one(params_p, params_p->R1(), false);
173 //const Montgomery_Int one(params_p, 1);
174
175 const Montgomery_Int x1(params_p, x_bn);
176 const Montgomery_Int x2 = x1.square(ws);
177 const Montgomery_Int x3 = x2.mul(x1, ws);
178
179 const Montgomery_Int y1(params_p, y_bn);
180 const Montgomery_Int y2 = y1.square(ws);
181 const Montgomery_Int y3 = y2.mul(y1, ws);
182
183 const Montgomery_Int y1x1 = y1.mul(x1, ws);
184 const Montgomery_Int y1x2 = y1.mul(x2, ws);
185 const Montgomery_Int y1x3 = y1.mul(x3, ws);
186
187 const Montgomery_Int y2x1 = y2.mul(x1, ws);
188 const Montgomery_Int y2x2 = y2.mul(x2, ws);
189 const Montgomery_Int y2x3 = y2.mul(x3, ws);
190
191 const Montgomery_Int y3x1 = y3.mul(x1, ws);
192 const Montgomery_Int y3x2 = y3.mul(x2, ws);
193 const Montgomery_Int y3x3 = y3.mul(x3, ws);
194
195 const Montgomery_Int* M[16] = {&one,
196 &x1, // 0001
197 &x2, // 0010
198 &x3, // 0011
199 &y1, // 0100
200 &y1x1,
201 &y1x2,
202 &y1x3,
203 &y2, // 1000
204 &y2x1,
205 &y2x2,
206 &y2x3,
207 &y3, // 1100
208 &y3x1,
209 &y3x2,
210 &y3x3};
211
212 Montgomery_Int H = one;
213
214 for(size_t i = 0; i != z_bits; i += 2) {
215 if(i > 0) {
216 H.square_this(ws);
217 H.square_this(ws);
218 }
219
222
223 const uint32_t z12 = (4 * z2_b) + z1_b;
224
225 H.mul_by(*M[z12], ws);
226 }
227
228 return H.value();
229}
uint32_t get_substring(size_t offset, size_t length) const
Definition bigint.cpp:227
References Botan::BigInt::bits(), Botan::BigInt::get_substring(), Botan::BigInt::is_negative(), monty_multi_exp(), Botan::Montgomery_Int::mul(), Botan::Montgomery_Int::mul_by(), round_up(), Botan::Montgomery_Int::square(), Botan::Montgomery_Int::square_this(), and Botan::Montgomery_Int::value().
Referenced by monty_multi_exp(), and Botan::DL_Group::multi_exponentiate().
◆ monty_precompute()
| std::shared_ptr< const Montgomery_Exponentation_State > Botan::monty_precompute | ( | const std::shared_ptr< const Montgomery_Params > & | params, |
| const BigInt & | g, | ||
| size_t | window_bits, | ||
| bool | const_time ) |
Definition at line 146 of file monty_exp.cpp.
147 {
148 return std::make_shared<const Montgomery_Exponentation_State>(params, g, window_bits, const_time);
149}
References monty_precompute().
Referenced by monty_exp(), monty_exp_vartime(), monty_precompute(), and passes_miller_rabin_test().
◆ mul64x64_128()
|
inlineconstexpr |
Perform a 64x64->128 bit multiplication
Definition at line 23 of file mul128.h.
23 {
24 if(!std::is_constant_evaluated()) {
25#if defined(BOTAN_BUILD_COMPILER_IS_MSVC) && defined(BOTAN_TARGET_ARCH_IS_X86_64)
26 *lo = _umul128(a, b, hi);
27 return;
28
29#elif defined(BOTAN_BUILD_COMPILER_IS_MSVC) && defined(BOTAN_TARGET_ARCH_IS_ARM64)
30 *lo = a * b;
31 *hi = __umulh(a, b);
32 return;
33#endif
34 }
35
36#if defined(BOTAN_TARGET_HAS_NATIVE_UINT128)
37 const uint128_t r = static_cast<uint128_t>(a) * b;
38 *hi = (r >> 64) & 0xFFFFFFFFFFFFFFFF;
39 *lo = (r) & 0xFFFFFFFFFFFFFFFF;
40#else
41
42 /*
43 * Do a 64x64->128 multiply using four 32x32->64 multiplies plus
44 * some adds and shifts.
45 */
46 const size_t HWORD_BITS = 32;
47 const uint32_t HWORD_MASK = 0xFFFFFFFF;
48
49 const uint32_t a_hi = (a >> HWORD_BITS);
50 const uint32_t a_lo = (a & HWORD_MASK);
51 const uint32_t b_hi = (b >> HWORD_BITS);
52 const uint32_t b_lo = (b & HWORD_MASK);
53
54 const uint64_t x0 = static_cast<uint64_t>(a_hi) * b_hi;
55 const uint64_t x1 = static_cast<uint64_t>(a_lo) * b_hi;
56 const uint64_t x2 = static_cast<uint64_t>(a_hi) * b_lo;
57 const uint64_t x3 = static_cast<uint64_t>(a_lo) * b_lo;
58
59 // this cannot overflow as (2^32-1)^2 + 2^32-1 + 2^32-1 = 2^64-1
60 const uint64_t middle = x2 + (x3 >> HWORD_BITS) + (x1 & HWORD_MASK);
61
62 // likewise these cannot overflow
63 *hi = x0 + (middle >> HWORD_BITS) + (x1 >> HWORD_BITS);
64 *lo = (middle << HWORD_BITS) + (x3 & HWORD_MASK);
65#endif
66}
References b.
Referenced by operator*().
◆ multi_exponentiate()
| EC_Point Botan::multi_exponentiate | ( | const EC_Point & | p1, |
| const BigInt & | z1, | ||
| const EC_Point & | p2, | ||
| const BigInt & | z2 ) |
ECC point multiexponentiation - not constant time!
- Parameters
-
p1 a point z1 a scalar p2 a point z2 a scalar
- Returns
- (p1 * z1 + p2 * z2)
Definition at line 30 of file point_mul.cpp.
References Botan::EC_Point_Multi_Point_Precompute::multi_exp().
◆ nist_key_unwrap()
| secure_vector< uint8_t > Botan::nist_key_unwrap | ( | const uint8_t | input[], |
| size_t | input_len, | ||
| const BlockCipher & | bc ) |
- Parameters
-
input the value to be decrypted, output of nist_key_wrap input_len length of input bc a keyed 128-bit block cipher that will be used to decrypt input
- Returns
- input decrypted under NIST key wrap algorithm Throws an exception if decryption fails.
Definition at line 116 of file nist_keywrap.cpp.
116 {
119 }
120
121 if(input_len < 16 || input_len % 8 != 0) {
122 throw Invalid_Argument("Bad input size for NIST key unwrap");
123 }
124
125 const uint64_t ICV = 0xA6A6A6A6A6A6A6A6;
126
127 uint64_t ICV_out = 0;
128 secure_vector<uint8_t> R;
129
130 if(input_len == 16) {
131 secure_vector<uint8_t> block(input, input + input_len);
132 bc.decrypt(block);
133
134 ICV_out = load_be<uint64_t>(block.data(), 0);
135 R.resize(8);
136 copy_mem(R.data(), block.data() + 8, 8);
137 } else {
138 R = raw_nist_key_unwrap(input, input_len, bc, ICV_out);
139 }
140
141 if(ICV_out != ICV) {
142 throw Invalid_Authentication_Tag("NIST key unwrap failed");
143 }
144
145 return R;
146}
void decrypt(const uint8_t in[], uint8_t out[]) const
Definition block_cipher.h:84
virtual size_t block_size() const =0
References Botan::BlockCipher::block_size(), copy_mem(), Botan::BlockCipher::decrypt(), and load_be().
Referenced by botan_nist_kw_dec(), and rfc3394_keyunwrap().
◆ nist_key_unwrap_padded()
| secure_vector< uint8_t > Botan::nist_key_unwrap_padded | ( | const uint8_t | input[], |
| size_t | input_len, | ||
| const BlockCipher & | bc ) |
- Parameters
-
input the value to be decrypted, output of nist_key_wrap input_len length of input bc a keyed 128-bit block cipher that will be used to decrypt input
- Returns
- input decrypted under NIST key wrap algorithm Throws an exception if decryption fails.
Definition at line 169 of file nist_keywrap.cpp.
169 {
172 }
173
174 if(input_len < 16 || input_len % 8 != 0) {
175 throw Invalid_Argument("Bad input size for NIST key unwrap");
176 }
177
178 uint64_t ICV_out = 0;
179 secure_vector<uint8_t> R;
180
181 if(input_len == 16) {
182 secure_vector<uint8_t> block(input, input + input_len);
183 bc.decrypt(block);
184
185 ICV_out = load_be<uint64_t>(block.data(), 0);
186 R.resize(8);
187 copy_mem(R.data(), block.data() + 8, 8);
188 } else {
189 R = raw_nist_key_unwrap(input, input_len, bc, ICV_out);
190 }
191
192 if((ICV_out >> 32) != 0xA65959A6) {
193 throw Invalid_Authentication_Tag("NIST key unwrap failed");
194 }
195
196 const size_t len = (ICV_out & 0xFFFFFFFF);
197
198 if(R.size() < 8 || len > R.size() || len <= R.size() - 8) {
199 throw Invalid_Authentication_Tag("NIST key unwrap failed");
200 }
201
202 const size_t padding = R.size() - len;
203
204 for(size_t i = 0; i != padding; ++i) {
205 if(R[R.size() - i - 1] != 0) {
206 throw Invalid_Authentication_Tag("NIST key unwrap failed");
207 }
208 }
209
210 R.resize(R.size() - padding);
211
212 return R;
213}
References Botan::BlockCipher::block_size(), copy_mem(), Botan::BlockCipher::decrypt(), and load_be().
Referenced by botan_nist_kw_dec(), Botan::Encrypted_PSK_Database::get(), and Botan::Encrypted_PSK_Database::list_names().
◆ nist_key_wrap()
| std::vector< uint8_t > Botan::nist_key_wrap | ( | const uint8_t | input[], |
| size_t | input_len, | ||
| const BlockCipher & | bc ) |
Key wrap. See RFC 3394 and NIST SP800-38F
- Parameters
-
input the value to be encrypted input_len length of input, must be a multiple of 8 bc a keyed 128-bit block cipher that will be used to encrypt input
- Returns
- input encrypted under NIST key wrap algorithm
Definition at line 90 of file nist_keywrap.cpp.
90 {
93 }
94
95 if(input_len % 8 != 0) {
96 throw Invalid_Argument("Bad input size for NIST key wrap");
97 }
98
99 const uint64_t ICV = 0xA6A6A6A6A6A6A6A6;
100
101 if(input_len == 8) {
102 /*
103 * Special case for small inputs: if input == 8 bytes just use ECB
104 * (see RFC 3394 Section 2)
105 */
106 std::vector<uint8_t> block(16);
107 store_be(ICV, block.data());
108 copy_mem(block.data() + 8, input, input_len);
109 bc.encrypt(block);
110 return block;
111 } else {
112 return raw_nist_key_wrap(input, input_len, bc, ICV);
113 }
114}
References Botan::BlockCipher::block_size(), copy_mem(), Botan::BlockCipher::encrypt(), and store_be().
Referenced by botan_nist_kw_enc(), and rfc3394_keywrap().
◆ nist_key_wrap_padded()
| std::vector< uint8_t > Botan::nist_key_wrap_padded | ( | const uint8_t | input[], |
| size_t | input_len, | ||
| const BlockCipher & | bc ) |
KWP (key wrap with padding). See RFC 5649 and NIST SP800-38F
- Parameters
-
input the value to be encrypted input_len length of input bc a keyed 128-bit block cipher that will be used to encrypt input
- Returns
- input encrypted under NIST key wrap algorithm
Definition at line 148 of file nist_keywrap.cpp.
148 {
151 }
152
153 const uint64_t ICV = 0xA65959A600000000 | static_cast<uint32_t>(input_len);
154
155 if(input_len <= 8) {
156 /*
157 * Special case for small inputs: if input <= 8 bytes just use ECB
158 */
159 std::vector<uint8_t> block(16);
160 store_be(ICV, block.data());
161 copy_mem(block.data() + 8, input, input_len);
162 bc.encrypt(block);
163 return block;
164 } else {
165 return raw_nist_key_wrap(input, input_len, bc, ICV);
166 }
167}
References Botan::BlockCipher::block_size(), copy_mem(), Botan::BlockCipher::encrypt(), and store_be().
Referenced by botan_nist_kw_enc(), Botan::Encrypted_PSK_Database::get(), Botan::Encrypted_PSK_Database::remove(), and Botan::Encrypted_PSK_Database::set().
◆ oaep_find_delim()
| BOTAN_FUZZER_API CT::Option< size_t > Botan::oaep_find_delim | ( | std::span< const uint8_t > | input, |
| std::span< const uint8_t > | phash ) |
Definition at line 102 of file oaep.cpp.
102 {
103 // Too short to be valid, reject immediately
104 if(input.size() < 1 + 2 * phash.size()) {
105 return {};
106 }
107
108 size_t delim_idx = 2 * phash.size();
109 CT::Mask<uint8_t> waiting_for_delim = CT::Mask<uint8_t>::set();
110 CT::Mask<uint8_t> bad_input_m = CT::Mask<uint8_t>::cleared();
111
112 for(uint8_t ib : input.subspan(2 * phash.size())) {
113 const auto zero_m = CT::Mask<uint8_t>::is_zero(ib);
114 const auto one_m = CT::Mask<uint8_t>::is_equal(ib, 1);
115
116 const auto add_m = waiting_for_delim & zero_m;
117
118 bad_input_m |= waiting_for_delim & ~(zero_m | one_m);
119
120 delim_idx += add_m.if_set_return(1);
121
122 waiting_for_delim &= zero_m;
123 }
124
125 // If we never saw any non-zero byte, then it's not valid input
126 bad_input_m |= waiting_for_delim;
127
128 // If the P hash is wrong, then it's not valid
129 bad_input_m |= CT::is_not_equal(&input[phash.size()], phash.data(), phash.size());
130
131 delim_idx += 1;
132
133 const auto accept = !(bad_input_m.as_choice());
134
135 return CT::Option(delim_idx, accept);
136}
References Botan::CT::Mask< T >::as_choice(), Botan::CT::Mask< T >::cleared(), Botan::CT::Mask< T >::is_equal(), Botan::CT::is_not_equal(), Botan::CT::Mask< T >::is_zero(), and Botan::CT::Mask< T >::set().
◆ operator!=() [1/11]
| bool Botan::operator!= | ( | const AlgorithmIdentifier & | a1, |
| const AlgorithmIdentifier & | a2 ) |
Definition at line 69 of file alg_id.cpp.
69 {
70 return !(a1 == a2);
71}
◆ operator!=() [2/11]
Definition at line 264 of file asn1_time.cpp.
264 {
266}
int32_t cmp(const ASN1_Time &other) const
Compare this time against another.
Definition asn1_time.cpp:110
References Botan::ASN1_Time::cmp().
◆ operator!=() [3/11]
◆ operator!=() [4/11]
|
inline |
◆ operator!=() [5/11]
Test two CRL entries for inequality in at least one field.
Definition at line 58 of file crl_ent.cpp.
58 {
59 return !(a1 == a2);
60}
◆ operator!=() [6/11]
Definition at line 641 of file ec_group.h.
641 {
642 return !(lhs == rhs);
643}
◆ operator!=() [7/11]
| bool Botan::operator!= | ( | const OctetString & | x, |
| const OctetString & | y ) |
Compare two strings
- Parameters
-
x an octet string y an octet string
- Returns
- if x is not equal to y
Definition at line 92 of file symkey.cpp.
92 {
93 return !(s1 == s2);
94}
◆ operator!=() [8/11]
◆ operator!=() [9/11]
template<typename T , typename U >
|
inline |
◆ operator!=() [10/11]
| bool Botan::operator!= | ( | const X509_Certificate & | cert1, |
| const X509_Certificate & | cert2 ) |
Check two certificates for inequality
- Parameters
-
cert1 The first certificate cert2 The second certificate
- Returns
- true if the arguments represent different certificates, false if they are binary identical
Definition at line 681 of file x509cert.cpp.
681 {
682 return !(cert1 == cert2);
683}
◆ operator!=() [11/11]
Definition at line 256 of file x509_dn.cpp.
256 {
257 return !(dn1 == dn2);
258}
◆ operator%() [1/2]
Definition at line 122 of file big_ops3.cpp.
122 {
125 }
127 throw Invalid_Argument("BigInt::operator% modulus must be > 0");
128 }
130 return n;
131 }
132
135 }
136
137 BigInt q, r;
138 vartime_divide(n, mod, q, r);
139 return r;
140}
void vartime_divide(const BigInt &x, const BigInt &y_arg, BigInt &q_out, BigInt &r_out)
Definition divide.cpp:155
References Botan::BigInt::from_word(), Botan::BigInt::is_negative(), Botan::BigInt::is_positive(), Botan::BigInt::is_zero(), Botan::BigInt::sig_words(), vartime_divide(), and Botan::BigInt::word_at().
◆ operator%() [2/2]
| word Botan::operator% | ( | const BigInt & | n, |
| word | mod ) |
Definition at line 145 of file big_ops3.cpp.
145 {
146 if(mod == 0) {
148 }
149
150 if(mod == 1) {
151 return 0;
152 }
153
154 word remainder = 0;
155
157 remainder = (n.word_at(0) & (mod - 1));
158 } else {
160 for(size_t i = sw; i > 0; --i) {
162 }
163 }
164
166 return mod - remainder;
167 }
168 return remainder;
169}
constexpr auto bigint_modop_vartime(W n1, W n0, W d) -> W
Definition mp_core.h:813
References bigint_modop_vartime(), is_power_of_2(), Botan::BigInt::Negative, Botan::BigInt::sig_words(), Botan::BigInt::sign(), and Botan::BigInt::word_at().
◆ operator&() [1/4]
|
inline |
◆ operator&() [2/4]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 400 of file strong_type.h.
References b, Botan::detail::Strong_Base< T >::get(), and T.
◆ operator&() [3/4]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 395 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator&() [4/4]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 389 of file strong_type.h.
References b.
◆ operator&=() [1/2]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 528 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator&=() [2/2]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 522 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator*() [1/11]
◆ operator*() [2/11]
Definition at line 46 of file big_ops3.cpp.
46 {
49
51
52 if(x_sw == 1 && y_sw) {
54 } else if(y_sw == 1 && x_sw) {
56 } else if(x_sw && y_sw) {
57 secure_vector<word> workspace(z.size());
58
60 z.size(),
61 x._data(),
62 x.size(),
63 x_sw,
64 y._data(),
65 y.size(),
66 y_sw,
67 workspace.data(),
68 workspace.size());
69 }
70
72
73 return z;
74}
void bigint_mul(word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, const word y[], size_t y_size, size_t y_sw, word workspace[], size_t ws_size)
Definition mp_karat.cpp:282
References Botan::BigInt::_data(), bigint_linmul3(), bigint_mul(), Botan::BigInt::cond_flip_sign(), Botan::BigInt::mutable_data(), Botan::BigInt::sig_words(), Botan::BigInt::sign(), Botan::BigInt::size(), Botan::BigInt::with_capacity(), and Botan::BigInt::word_at().
◆ operator*() [3/11]
Definition at line 79 of file big_ops3.cpp.
79 {
81
82 BigInt z = BigInt::with_capacity(x_sw + 1);
83
84 if(x_sw && y) {
87 }
88
89 return z;
90}
References Botan::BigInt::_data(), bigint_linmul3(), Botan::BigInt::mutable_data(), Botan::BigInt::set_sign(), Botan::BigInt::sig_words(), Botan::BigInt::sign(), and Botan::BigInt::with_capacity().
◆ operator*() [4/11]
template<std::unsigned_integral T>
|
inlineconstexpr |
Definition at line 100 of file donna128.h.
100 {
102
103 uint64_t lo = 0, hi = 0;
106}
constexpr void mul64x64_128(uint64_t a, uint64_t b, uint64_t *lo, uint64_t *hi)
Definition mul128.h:23
References BOTAN_ARG_CHECK, Botan::donna128::hi(), Botan::donna128::lo(), and mul64x64_128().
◆ operator*() [5/11]
Definition at line 416 of file ec_point.h.
References Botan::EC_Point::mul().
◆ operator*() [6/11]
| Ed448Point Botan::operator* | ( | const Scalar448 & | lhs, |
| const Ed448Point & | rhs ) |
Syntax sugar for scalar multiplication.
Definition at line 220 of file ed448_internal.cpp.
220 {
222}
Ed448Point scalar_mul(const Scalar448 &scalar) const
Scalar multiplication.
Definition ed448_internal.cpp:190
References Botan::Ed448Point::scalar_mul().
◆ operator*() [7/11]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 349 of file strong_type.h.
References b, Botan::detail::Strong_Base< T >::get(), and T.
◆ operator*() [8/11]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 344 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator*() [9/11]
template<std::unsigned_integral T>
|
inlineconstexpr |
Definition at line 109 of file donna128.h.
109 {
110 return x * y;
111}
◆ operator*() [10/11]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 338 of file strong_type.h.
References b.
◆ operator*() [11/11]
◆ operator*=() [1/2]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 489 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator*=() [2/2]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 483 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator+() [1/10]
Definition at line 1082 of file bigint.h.
References Botan::BigInt::_data(), Botan::BigInt::add2(), Botan::BigInt::sig_words(), and Botan::BigInt::sign().
◆ operator+() [2/10]
Definition at line 1086 of file bigint.h.
1086 {
1087 return BigInt::add2(x, &y, 1, BigInt::Positive);
1088}
References Botan::BigInt::add2(), and Botan::BigInt::Positive.
◆ operator+() [3/10]
Definition at line 113 of file donna128.h.
◆ operator+() [4/10]
Definition at line 119 of file donna128.h.
◆ operator+() [5/10]
Definition at line 406 of file ec_point.h.
◆ operator+() [6/10]
| OctetString Botan::operator+ | ( | const OctetString & | x, |
| const OctetString & | y ) |
Concatenate two strings
- Parameters
-
x an octet string y an octet string
- Returns
- x concatenated with y
Definition at line 99 of file symkey.cpp.
References Botan::OctetString::bits_of(), and OctetString.
◆ operator+() [7/10]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 315 of file strong_type.h.
References b, Botan::detail::Strong_Base< T >::get(), and T.
◆ operator+() [8/10]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 310 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator+() [9/10]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 304 of file strong_type.h.
References b.
◆ operator+() [10/10]
◆ operator++() [1/2]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 580 of file strong_type.h.
References Botan::detail::Strong_Base< T >::get().
◆ operator++() [2/2]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 573 of file strong_type.h.
References Botan::detail::Strong_Base< T >::get().
Referenced by generate_dsa_primes().
◆ operator+=() [1/6]
◆ operator+=() [2/6]
◆ operator+=() [3/6]
◆ operator+=() [4/6]
◆ operator+=() [5/6]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 463 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator+=() [6/6]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 457 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator-() [1/7]
Definition at line 1094 of file bigint.h.
1094 {
1096}
References Botan::BigInt::_data(), Botan::BigInt::add2(), Botan::BigInt::reverse_sign(), and Botan::BigInt::sig_words().
◆ operator-() [2/7]
Definition at line 1098 of file bigint.h.
1098 {
1099 return BigInt::add2(x, &y, 1, BigInt::Negative);
1100}
References Botan::BigInt::add2(), and Botan::BigInt::Negative.
◆ operator-() [3/7]
◆ operator-() [4/7]
Definition at line 411 of file ec_point.h.
◆ operator-() [5/7]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 332 of file strong_type.h.
References b, Botan::detail::Strong_Base< T >::get(), and T.
◆ operator-() [6/7]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 327 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator-() [7/7]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 321 of file strong_type.h.
References b.
◆ operator--() [1/2]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 593 of file strong_type.h.
References Botan::detail::Strong_Base< T >::get().
◆ operator--() [2/2]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 586 of file strong_type.h.
References Botan::detail::Strong_Base< T >::get().
◆ operator-=() [1/2]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 476 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator-=() [2/2]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 470 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator/() [1/5]
Definition at line 95 of file big_ops3.cpp.
95 {
98 }
99
100 BigInt q, r;
101 vartime_divide(x, y, q, r);
102 return q;
103}
References Botan::BigInt::sig_words(), vartime_divide(), and Botan::BigInt::word_at().
◆ operator/() [2/5]
Definition at line 108 of file big_ops3.cpp.
108 {
109 if(y == 0) {
111 }
112
113 BigInt q;
114 word r;
115 ct_divide_word(x, y, q, r);
116 return q;
117}
References ct_divide_word().
◆ operator/() [3/5]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 366 of file strong_type.h.
References b, Botan::detail::Strong_Base< T >::get(), and T.
◆ operator/() [4/5]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 361 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator/() [5/5]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 355 of file strong_type.h.
References b.
◆ operator/=() [1/2]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 502 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator/=() [2/2]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 496 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator<() [1/5]
Definition at line 276 of file asn1_time.cpp.
References Botan::ASN1_Time::cmp().
◆ operator<() [2/5]
Definition at line 1135 of file bigint.h.
1135 {
1137}
References b, and Botan::BigInt::is_less_than().
◆ operator<() [3/5]
|
inline |
Definition at line 1159 of file bigint.h.
References b, and Botan::BigInt::cmp_word().
◆ operator<() [4/5]
Compare two OIDs.
- Returns
- true if a is lexicographically smaller than b
Definition at line 158 of file asn1_oid.cpp.
158 {
161
162 return std::lexicographical_compare(oid1.begin(), oid1.end(), oid2.begin(), oid2.end());
163}
const std::vector< uint32_t > & get_components() const
Definition asn1_obj.h:309
References b, and Botan::OID::get_components().
◆ operator<() [5/5]
Definition at line 263 of file x509_dn.cpp.
263 {
266
267 // If they are not the same size, choose the smaller as the "lessor"
268 if(attr1.size() < attr2.size()) {
269 return true;
270 }
271 if(attr1.size() > attr2.size()) {
272 return false;
273 }
274
275 // We know they are the same # of elements, now compare the OIDs:
276 auto p1 = attr1.begin();
277 auto p2 = attr2.begin();
278
279 while(p1 != attr1.end() && p2 != attr2.end()) {
280 if(p1->first != p2->first) {
281 return (p1->first < p2->first);
282 }
283
284 ++p1;
285 ++p2;
286 }
287
288 // We know this is true because maps have the same size
289 BOTAN_ASSERT_NOMSG(p1 == attr1.end());
290 BOTAN_ASSERT_NOMSG(p2 == attr2.end());
291
292 // Now we know all elements have the same OIDs, compare
293 // their string values:
294
295 p1 = attr1.begin();
296 p2 = attr2.begin();
297 while(p1 != attr1.end() && p2 != attr2.end()) {
298 BOTAN_DEBUG_ASSERT(p1->first == p2->first);
299
300 // They may be binary different but same by X.500 rules, check this
301 if(!x500_name_cmp(p1->second, p2->second)) {
302 // If they are not (by X.500) the same string, pick the
303 // lexicographic first as the lessor
304 return (p1->second < p2->second);
305 }
306
307 ++p1;
308 ++p2;
309 }
310
311 // if we reach here, then the DNs should be identical
312 BOTAN_DEBUG_ASSERT(dn1 == dn2);
313 return false;
314}
std::multimap< OID, std::string > get_attributes() const
Definition x509_dn.cpp:112
References BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, and Botan::X509_DN::get_attributes().
◆ operator<<() [1/12]
Definition at line 174 of file big_ops3.cpp.
174 {
176
178 BigInt y = BigInt::with_capacity(new_size);
180 y.set_sign(x.sign());
181 return y;
182}
constexpr void bigint_shl2(W y[], const W x[], size_t x_size, size_t shift)
Definition mp_core.h:510
References Botan::BigInt::_data(), bigint_shl2(), BOTAN_MP_WORD_BITS, Botan::BigInt::sig_words(), Botan::BigInt::sign(), and Botan::BigInt::with_capacity().
◆ operator<<() [2/12]
| int Botan::operator<< | ( | int | out, |
| Pipe & | pipe ) |
Stream output operator; dumps the results from pipe's default message to the output stream.
- Parameters
-
out file descriptor for an open output stream pipe the pipe
Definition at line 18 of file fd_unix.cpp.
18 {
22 size_t position = 0;
23 while(got) {
24 ssize_t ret = ::write(fd, &buffer[position], got);
25 if(ret < 0) {
27 }
28
29 position += static_cast<size_t>(ret);
30 got -= static_cast<size_t>(ret);
31 }
32 }
33 return fd;
34}
size_t remaining(message_id msg=DEFAULT_MESSAGE) const
Definition pipe_rw.cpp:124
Definition exceptn.h:288
References BOTAN_DEFAULT_BUFFER_SIZE, Botan::Pipe::read(), and Botan::Pipe::remaining().
◆ operator<<() [3/12]
| std::ostream & Botan::operator<< | ( | std::ostream & | os, |
| const GeneralName & | gn ) |
Definition at line 260 of file name_constraint.cpp.
260 {
262 return os;
263}
References Botan::GeneralName::name(), and Botan::GeneralName::type().
◆ operator<<() [4/12]
| std::ostream & Botan::operator<< | ( | std::ostream & | os, |
| const GeneralSubtree & | gs ) |
Definition at line 284 of file name_constraint.cpp.
References Botan::GeneralSubtree::base().
◆ operator<<() [5/12]
Definition at line 266 of file strong_type.h.
References Botan::detail::Strong_Base< T >::get().
◆ operator<<() [6/12]
|
inline |
Definition at line 322 of file asn1_obj.h.
References Botan::OID::to_string().
◆ operator<<() [7/12]
| std::ostream & Botan::operator<< | ( | std::ostream & | out, |
| const X509_DN & | dn ) |
Definition at line 408 of file x509_dn.cpp.
408 {
410
411 for(size_t i = 0; i != info.size(); ++i) {
412 out << to_short_form(info[i].first) << "=\"";
413 for(char c : info[i].second.value()) {
414 if(c == '\\' || c == '\"') {
415 out << "\\";
416 }
417 out << c;
418 }
419 out << "\"";
420
421 if(i + 1 < info.size()) {
422 out << ",";
423 }
424 }
425 return out;
426}
const std::vector< std::pair< OID, ASN1_String > > & dn_info() const
Definition pkix_types.h:73
References Botan::X509_DN::dn_info().
◆ operator<<() [8/12]
| std::ostream & Botan::operator<< | ( | std::ostream & | out, |
| Pipe & | pipe ) |
Stream output operator; dumps the results from pipe's default message to the output stream.
- Parameters
-
out an output stream pipe the pipe
Definition at line 19 of file pipe_io.cpp.
19 {
23 stream.write(cast_uint8_ptr_to_char(buffer.data()), got);
24 }
25 if(!stream.good()) {
26 throw Stream_IO_Error("Pipe output operator (iostream) has failed");
27 }
28 return stream;
29}
const char * cast_uint8_ptr_to_char(const uint8_t *b)
Definition mem_ops.h:277
References BOTAN_DEFAULT_BUFFER_SIZE, cast_uint8_ptr_to_char(), Botan::Pipe::read(), and Botan::Pipe::remaining().
◆ operator<<() [9/12]
| std::ostream & Botan::operator<< | ( | std::ostream & | stream, |
| const BigInt & | n ) |
Definition at line 17 of file big_io.cpp.
17 {
18 const auto stream_flags = stream.flags();
19 // NOLINTNEXTLINE(*-non-zero-enum-to-bool-conversion)
20 if(stream_flags & std::ios::oct) {
22 }
23
24 // NOLINTNEXTLINE(*-non-zero-enum-to-bool-conversion)
25 const size_t base = (stream_flags & std::ios::hex) ? 16 : 10;
26
27 if(base == 10) {
28 stream << n.to_dec_string();
29 } else {
30 stream << n.to_hex_string();
31 }
32
33 if(!stream.good()) {
34 throw Stream_IO_Error("BigInt output operator has failed");
35 }
36 return stream;
37}
References Botan::BigInt::to_dec_string(), and Botan::BigInt::to_hex_string().
◆ operator<<() [10/12]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 451 of file strong_type.h.
References b, Botan::detail::Strong_Base< T >::get(), and T.
◆ operator<<() [11/12]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 446 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator<<() [12/12]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 440 of file strong_type.h.
References b.
◆ operator<<=() [1/2]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 567 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator<<=() [2/2]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 561 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator<=() [1/3]
Definition at line 268 of file asn1_time.cpp.
References Botan::ASN1_Time::cmp().
◆ operator<=() [2/3]
Definition at line 1127 of file bigint.h.
References b, and Botan::BigInt::cmp().
◆ operator<=() [3/3]
|
inline |
Definition at line 1151 of file bigint.h.
References b, and Botan::BigInt::cmp_word().
◆ operator<=>() [1/3]
Definition at line 278 of file strong_type.h.
References Botan::detail::Strong_Base< T >::get().
◆ operator<=>() [2/3]
template<std::integral T1, std::integral T2, typename... Tags>
| auto Botan::operator<=> | ( | Strong< T1, Tags... > | a, |
| T2 | b ) |
Definition at line 288 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator<=>() [3/3]
template<std::integral T1, std::integral T2, typename... Tags>
| auto Botan::operator<=> | ( | T1 | a, |
| Strong< T2, Tags... > | b ) |
◆ operator==() [1/11]
| bool Botan::operator== | ( | const AlgorithmIdentifier & | a1, |
| const AlgorithmIdentifier & | a2 ) |
Definition at line 54 of file alg_id.cpp.
54 {
56 return false;
57 }
58
59 /*
60 * Treat NULL and empty as equivalent
61 */
63 return true;
64 }
65
67}
bool parameters_are_null_or_empty() const
Definition asn1_obj.h:478
const std::vector< uint8_t > & parameters() const
Definition asn1_obj.h:466
References Botan::AlgorithmIdentifier::oid(), Botan::AlgorithmIdentifier::parameters(), and Botan::AlgorithmIdentifier::parameters_are_null_or_empty().
◆ operator==() [2/11]
Definition at line 260 of file asn1_time.cpp.
References Botan::ASN1_Time::cmp().
◆ operator==() [3/11]
Definition at line 1119 of file bigint.h.
References b, and Botan::BigInt::is_equal().
◆ operator==() [4/11]
|
inline |
Definition at line 1143 of file bigint.h.
References b, and Botan::BigInt::cmp_word().
◆ operator==() [5/11]
Test two CRL entries for equality in all fields.
Definition at line 42 of file crl_ent.cpp.
42 {
44 return false;
45 }
47 return false;
48 }
50 return false;
51 }
52 return true;
53}
const std::vector< uint8_t > & serial_number() const
Definition crl_ent.cpp:110
References Botan::CRL_Entry::expire_time(), Botan::CRL_Entry::reason_code(), and Botan::CRL_Entry::serial_number().
◆ operator==() [6/11]
| bool Botan::operator== | ( | const OctetString & | x, |
| const OctetString & | y ) |
Compare two strings
- Parameters
-
x an octet string y an octet string
- Returns
- if x is equal to y
Definition at line 85 of file symkey.cpp.
85 {
86 return (s1.bits_of() == s2.bits_of());
87}
References Botan::OctetString::bits_of().
◆ operator==() [7/11]
template<typename T , typename U >
|
inline |
◆ operator==() [8/11]
Definition at line 272 of file strong_type.h.
References Botan::detail::Strong_Base< T >::get().
◆ operator==() [9/11]
Definition at line 220 of file x509_dn.cpp.
220 {
223
224 if(attr1.size() != attr2.size()) {
225 return false;
226 }
227
228 auto p1 = attr1.begin();
229 auto p2 = attr2.begin();
230
231 while(true) {
232 if(p1 == attr1.end() && p2 == attr2.end()) {
233 break;
234 }
235 if(p1 == attr1.end()) {
236 return false;
237 }
238 if(p2 == attr2.end()) {
239 return false;
240 }
241 if(p1->first != p2->first) {
242 return false;
243 }
244 if(!x500_name_cmp(p1->second, p2->second)) {
245 return false;
246 }
247 ++p1;
248 ++p2;
249 }
250 return true;
251}
References Botan::X509_DN::get_attributes().
◆ operator==() [10/11]
template<std::integral T1, std::integral T2, typename... Tags>
| auto Botan::operator== | ( | Strong< T1, Tags... > | a, |
| T2 | b ) |
Definition at line 298 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator==() [11/11]
template<std::integral T1, std::integral T2, typename... Tags>
| auto Botan::operator== | ( | T1 | a, |
| Strong< T2, Tags... > | b ) |
◆ operator>() [1/3]
Definition at line 280 of file asn1_time.cpp.
References Botan::ASN1_Time::cmp().
◆ operator>() [2/3]
◆ operator>() [3/3]
|
inline |
Definition at line 1163 of file bigint.h.
References b, and Botan::BigInt::cmp_word().
◆ operator>=() [1/3]
Definition at line 272 of file asn1_time.cpp.
References Botan::ASN1_Time::cmp().
◆ operator>=() [2/3]
Definition at line 1131 of file bigint.h.
References b, and Botan::BigInt::cmp().
◆ operator>=() [3/3]
|
inline |
Definition at line 1155 of file bigint.h.
References b, and Botan::BigInt::cmp_word().
◆ operator>>() [1/8]
Definition at line 187 of file big_ops3.cpp.
187 {
190
191 if(shift_words >= x_sw) {
192 return BigInt::zero();
193 }
194
195 BigInt y = BigInt::with_capacity(x_sw - shift_words);
196 bigint_shr2(y.mutable_data(), x._data(), x_sw, shift);
197
199 y.set_sign(BigInt::Positive);
200 } else {
201 y.set_sign(x.sign());
202 }
203
204 return y;
205}
References Botan::BigInt::_data(), bigint_shr2(), BOTAN_MP_WORD_BITS, Botan::BigInt::is_negative(), Botan::BigInt::is_zero(), Botan::BigInt::mutable_data(), Botan::BigInt::Positive, Botan::BigInt::set_sign(), Botan::BigInt::sig_words(), Botan::BigInt::sign(), Botan::BigInt::with_capacity(), and Botan::BigInt::zero().
◆ operator>>() [2/8]
| int Botan::operator>> | ( | int | in, |
| Pipe & | pipe ) |
File descriptor input operator; dumps the remaining bytes of input to the (assumed open) pipe message.
- Parameters
-
in file descriptor for an open input stream pipe the pipe
Definition at line 39 of file fd_unix.cpp.
39 {
41 while(true) {
42 ssize_t ret = ::read(fd, buffer.data(), buffer.size());
43 if(ret < 0) {
45 } else if(ret == 0) {
46 break;
47 }
49 }
50 return fd;
51}
References BOTAN_DEFAULT_BUFFER_SIZE, and Botan::Pipe::write().
◆ operator>>() [3/8]
| std::istream & Botan::operator>> | ( | std::istream & | in, |
| Pipe & | pipe ) |
Stream input operator; dumps the remaining bytes of input to the (assumed open) pipe message.
- Parameters
-
in the input stream pipe the pipe
Definition at line 34 of file pipe_io.cpp.
34 {
36 while(stream.good()) {
37 stream.read(cast_uint8_ptr_to_char(buffer.data()), buffer.size());
38 const size_t got = static_cast<size_t>(stream.gcount());
39 pipe.write(buffer.data(), got);
40 }
41 if(stream.bad() || (stream.fail() && !stream.eof())) {
42 throw Stream_IO_Error("Pipe input operator (iostream) has failed");
43 }
44 return stream;
45}
References BOTAN_DEFAULT_BUFFER_SIZE, cast_uint8_ptr_to_char(), and Botan::Pipe::write().
◆ operator>>() [4/8]
| std::istream & Botan::operator>> | ( | std::istream & | in, |
| X509_DN & | dn ) |
Definition at line 428 of file x509_dn.cpp.
428 {
429 in >> std::noskipws;
430 do {
431 std::string key;
432 std::string val;
433 char c;
434
435 while(in.good()) {
436 in >> c;
437
438 if(std::isspace(c) && key.empty()) {
439 continue;
440 } else if(!std::isspace(c)) {
441 key.push_back(c);
442 break;
443 } else {
444 break;
445 }
446 }
447
448 while(in.good()) {
449 in >> c;
450
451 if(!std::isspace(c) && c != '=') {
452 key.push_back(c);
453 } else if(c == '=') {
454 break;
455 } else {
456 throw Invalid_Argument("Ill-formed X.509 DN");
457 }
458 }
459
460 bool in_quotes = false;
461 while(in.good()) {
462 in >> c;
463
464 if(std::isspace(c)) {
465 if(!in_quotes && !val.empty()) {
466 break;
467 } else if(in_quotes) {
468 val.push_back(' ');
469 }
470 } else if(c == '"') {
471 in_quotes = !in_quotes;
472 } else if(c == '\\') {
473 if(in.good()) {
474 in >> c;
475 }
476 val.push_back(c);
477 } else if(c == ',' && !in_quotes) {
478 break;
479 } else {
480 val.push_back(c);
481 }
482 }
483
484 if(!key.empty() && !val.empty()) {
485 dn.add_attribute(X509_DN::deref_info_field(key), val);
486 } else {
487 break;
488 }
489 } while(in.good());
490 return in;
491}
void add_attribute(std::string_view key, std::string_view val)
Definition x509_dn.cpp:93
References Botan::X509_DN::add_attribute(), and Botan::X509_DN::deref_info_field().
◆ operator>>() [5/8]
| std::istream & Botan::operator>> | ( | std::istream & | stream, |
| BigInt & | n ) |
Definition at line 42 of file big_io.cpp.
42 {
43 std::string str;
44 std::getline(stream, str);
45 if(stream.bad() || (stream.fail() && !stream.eof())) {
47 }
48 n = BigInt(str);
49 return stream;
50}
◆ operator>>() [6/8]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 434 of file strong_type.h.
References b, Botan::detail::Strong_Base< T >::get(), and T.
◆ operator>>() [7/8]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 429 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator>>() [8/8]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 423 of file strong_type.h.
References b.
◆ operator>>=() [1/2]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 554 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator>>=() [2/2]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 548 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator^() [1/4]
| OctetString Botan::operator^ | ( | const OctetString & | x, |
| const OctetString & | y ) |
XOR two strings
- Parameters
-
x an octet string y an octet string
- Returns
- x XORed with y
Definition at line 109 of file symkey.cpp.
109 {
110 secure_vector<uint8_t> out(std::max(k1.length(), k2.length()));
111
112 copy_mem(out.data(), k1.begin(), k1.length());
113 xor_buf(out.data(), k2.begin(), k2.length());
115}
References Botan::OctetString::begin(), copy_mem(), Botan::OctetString::length(), OctetString, and xor_buf().
◆ operator^() [2/4]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 383 of file strong_type.h.
References b, Botan::detail::Strong_Base< T >::get(), and T.
◆ operator^() [3/4]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 378 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator^() [4/4]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 372 of file strong_type.h.
References b.
◆ operator^=() [1/3]
template<typename Alloc , typename Alloc2 >
| std::vector< uint8_t, Alloc > & Botan::operator^= | ( | std::vector< uint8_t, Alloc > & | out, |
| const std::vector< uint8_t, Alloc2 > & | in ) |
◆ operator^=() [2/3]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 515 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator^=() [3/3]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 509 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator|() [1/10]
|
inline |
Definition at line 79 of file asn1_obj.h.
79 {
81}
◆ operator|() [2/10]
|
inline |
Definition at line 87 of file asn1_obj.h.
87 {
88 return static_cast<uint32_t>(x) | static_cast<uint32_t>(y);
89}
◆ operator|() [3/10]
|
inline |
Definition at line 83 of file asn1_obj.h.
83 {
84 return static_cast<uint32_t>(x) | static_cast<uint32_t>(y);
85}
◆ operator|() [4/10]
Definition at line 75 of file asn1_obj.h.
75 {
77}
◆ operator|() [5/10]
Definition at line 125 of file donna128.h.
References Botan::donna128::hi(), and Botan::donna128::lo().
◆ operator|() [6/10]
Definition at line 129 of file donna128.h.
References Botan::donna128::hi(), and Botan::donna128::lo().
◆ operator|() [7/10]
|
inline |
◆ operator|() [8/10]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 417 of file strong_type.h.
References b, Botan::detail::Strong_Base< T >::get(), and T.
◆ operator|() [9/10]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 412 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator|() [10/10]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 406 of file strong_type.h.
References b.
◆ operator|=() [1/2]
template<std::integral T, typename... Tags>
|
constexpr |
Definition at line 541 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ operator|=() [2/2]
template<std::integral T1, std::integral T2, typename... Tags>
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
requires (detail::has_capability<EnableArithmeticWithPlainNumber, Tags...>)
|
constexpr |
Definition at line 535 of file strong_type.h.
References b, and Botan::detail::Strong_Base< T >::get().
◆ OS2ECP() [1/3]
| std::pair< BigInt, BigInt > BOTAN_UNSTABLE_API Botan::OS2ECP | ( | const uint8_t | data[], |
| size_t | data_len, | ||
| const BigInt & | curve_p, | ||
| const BigInt & | curve_a, | ||
| const BigInt & | curve_b ) |
Perform point decoding Use EC_Group::OS2ECP instead
- Parameters
-
data the encoded point data_len length of data in bytes curve_p the curve equation prime curve_a the curve equation a parameter curve_b the curve equation b parameter
Definition at line 665 of file ec_point.cpp.
666 {
667 if(data_len <= 1) {
669 }
670
671 const uint8_t pc = data[0];
672
673 BigInt x, y;
674
675 if(pc == 2 || pc == 3) {
676 //compressed form
677 x = BigInt::decode(&data[1], data_len - 1);
678
679 const bool y_mod_2 = ((pc & 0x01) == 1);
680 y = decompress_point(y_mod_2, x, curve_p, curve_a, curve_b);
681 } else if(pc == 4) {
682 const size_t l = (data_len - 1) / 2;
683
684 // uncompressed form
685 x = BigInt::decode(&data[1], l);
686 y = BigInt::decode(&data[l + 1], l);
687 } else if(pc == 6 || pc == 7) {
688 const size_t l = (data_len - 1) / 2;
689
690 // hybrid form
691 x = BigInt::decode(&data[1], l);
692 y = BigInt::decode(&data[l + 1], l);
693
694 const bool y_mod_2 = ((pc & 0x01) == 1);
695
696 if(decompress_point(y_mod_2, x, curve_p, curve_a, curve_b) != y) {
697 throw Decoding_Error("OS2ECP: Decoding error in hybrid format");
698 }
699 } else {
700 throw Invalid_Argument("OS2ECP: Unknown format type " + std::to_string(pc));
701 }
702
703 return std::make_pair(x, y);
704}
References Botan::BigInt::decode().
◆ OS2ECP() [2/3]
Perform point decoding Use EC_Group::OS2ECP instead
Definition at line 648 of file ec_point.cpp.
648 {
649 // Should we really be doing this?
650 if(data_len <= 1) {
652 }
653
654 std::pair<BigInt, BigInt> xy = OS2ECP(data, data_len, curve.get_p(), curve.get_a(), curve.get_b());
655
656 EC_Point point(curve, xy.first, xy.second);
657
658 if(!point.on_the_curve()) {
659 throw Decoding_Error("OS2ECP: Decoded point was not on the curve");
660 }
661
662 return point;
663}
References Botan::CurveGFp::get_a(), Botan::CurveGFp::get_b(), Botan::CurveGFp::get_p(), Botan::EC_Point::on_the_curve(), and OS2ECP().
Referenced by Botan::EC_AffinePoint_Data_BN::EC_AffinePoint_Data_BN(), OS2ECP(), OS2ECP(), and Botan::EC_Group_Data::point_deserialize().
◆ OS2ECP() [3/3]
| EC_Point BOTAN_UNSTABLE_API Botan::OS2ECP | ( | std::span< const uint8_t > | data, |
| const CurveGFp & | curve ) |
Definition at line 706 of file ec_point.cpp.
706 {
708}
EC_Point OS2ECP(const uint8_t data[], size_t data_len, const CurveGFp &curve)
Definition ec_point.cpp:648
References OS2ECP().
◆ out_opt()
|
nodiscardconstexprnoexcept |
Definition at line 447 of file stl_util.h.
447 {
448 class out_opt_t {
449 public:
450 constexpr ~out_opt_t() noexcept { m_opt = m_raw; }
451
452 constexpr out_opt_t(std::optional<T>& outopt) noexcept : m_opt(outopt) {}
453
454 out_opt_t(const out_opt_t&) = delete;
455 out_opt_t(out_opt_t&&) = delete;
456 out_opt_t& operator=(const out_opt_t&) = delete;
457 out_opt_t& operator=(out_opt_t&&) = delete;
458
460
461 private:
462 std::optional<T>& m_opt;
463 T m_raw;
464 };
465
466 return out_opt_t{outopt};
467}
References T.
◆ out_ptr()
Definition at line 420 of file stl_util.h.
420 {
421 class out_ptr_t {
422 public:
423 constexpr ~out_ptr_t() noexcept {
424 m_ptr.reset(m_rawptr);
425 m_rawptr = nullptr;
426 }
427
429
430 out_ptr_t(const out_ptr_t&) = delete;
431 out_ptr_t(out_ptr_t&&) = delete;
432 out_ptr_t& operator=(const out_ptr_t&) = delete;
433 out_ptr_t& operator=(out_ptr_t&&) = delete;
434
435 [[nodiscard]] constexpr operator typename T::element_type **() && noexcept { return &m_rawptr; }
436
437 private:
438 T& m_ptr;
439 typename T::element_type* m_rawptr;
440 };
441
442 return out_ptr_t{outptr};
443}
References T.
Referenced by Botan::TPM2::Object::_public_info(), base_decode(), Botan::TPM2::PrivateKey::create_transient_from_template(), Botan::TPM2::HashFunction::final_with_ticket(), hex_decode(), Botan::TPM2::Signature_Operation::sign(), Botan::TLS::Extensions::take(), and Botan::TPM2::Session::tpm_nonce().
◆ overloaded()
template<class... Ts>
| Botan::overloaded | ( | Ts... | ) | -> overloaded< Ts... > |
◆ parse_algorithm_name()
| std::vector< std::string > Botan::parse_algorithm_name | ( | std::string_view | scan_name | ) |
Parse a SCAN-style algorithm name
- Parameters
-
scan_name the name
- Returns
- the name components
Definition at line 57 of file parsing.cpp.
57 {
58 if(namex.find('(') == std::string::npos && namex.find(')') == std::string::npos) {
59 return {std::string(namex)};
60 }
61
62 std::string name(namex);
63 std::string substring;
64 std::vector<std::string> elems;
65 size_t level = 0;
66
69
71 char c = *i;
72
73 if(c == '(') {
74 ++level;
75 }
76 if(c == ')') {
78 if(elems.size() == 1) {
79 elems.push_back(substring.substr(1));
80 } else {
81 elems.push_back(substring);
82 }
83 return elems;
84 }
85
87 throw Invalid_Algorithm_Name(namex);
88 }
89 --level;
90 }
91
92 if(c == ',' && level == 1) {
93 if(elems.size() == 1) {
94 elems.push_back(substring.substr(1));
95 } else {
96 elems.push_back(substring);
97 }
98 substring.clear();
99 } else {
100 substring += c;
101 }
102 }
103
104 if(!substring.empty()) {
105 throw Invalid_Algorithm_Name(namex);
106 }
107
108 return elems;
109}
References name.
Referenced by Botan::AEAD_Mode::create(), Botan::Cipher_Mode::create(), and Botan::EME::create().
◆ passes_miller_rabin_test()
| bool Botan::passes_miller_rabin_test | ( | const BigInt & | n, |
| const Modular_Reducer & | mod_n, | ||
| const std::shared_ptr< Montgomery_Params > & | monty_n, | ||
| const BigInt & | a ) |
Perform a single Miller-Rabin test with specified base
- Parameters
-
n the positive integer to test mod_n a pre-created Modular_Reducer for n monty_n Montgomery parameters for n a the base to check
- Returns
- result of primality test
Definition at line 106 of file primality.cpp.
109 {
111 return false;
112 }
113
114 BOTAN_ASSERT_NOMSG(n > 1);
115
116 const BigInt n_minus_1 = n - 1;
117 const size_t s = low_zero_bits(n_minus_1);
118 const BigInt nm1_s = n_minus_1 >> s;
120
121 const size_t powm_window = 4;
122
123 auto powm_a_n = monty_precompute(monty_n, a, powm_window);
124
125 BigInt y = monty_execute(*powm_a_n, nm1_s, n_bits);
126
127 if(y == 1 || y == n_minus_1) {
128 return true;
129 }
130
131 for(size_t i = 1; i != s; ++i) {
132 y = mod_n.square(y);
133
134 if(y == 1) { // found a non-trivial square root
135 return false;
136 }
137
138 /*
139 -1 is the trivial square root of unity, so ``a`` is not a
140 witness for this number - give up
141 */
142 if(y == n_minus_1) {
143 return true;
144 }
145 }
146
147 return false;
148}
References Botan::BigInt::bits(), BOTAN_ASSERT_NOMSG, Botan::BigInt::is_even(), low_zero_bits(), monty_execute(), monty_precompute(), and Botan::Modular_Reducer::square().
Referenced by is_bailie_psw_probable_prime(), and is_miller_rabin_probable_prime().
◆ pbes2_decrypt()
| secure_vector< uint8_t > Botan::pbes2_decrypt | ( | std::span< const uint8_t > | key_bits, |
| std::string_view | passphrase, | ||
| const std::vector< uint8_t > & | params ) |
Decrypt a PKCS #5 v2.0 encrypted stream
- Parameters
-
key_bits the input passphrase the passphrase to use for decryption params the PBES2 parameters
Definition at line 280 of file pbes2.cpp.
282 {
283 AlgorithmIdentifier kdf_algo, enc_algo;
284
286
289 if(cipher_spec.size() != 2 || !known_pbes_cipher_mode(cipher_spec[1])) {
291 }
292
293 secure_vector<uint8_t> iv;
294 BER_Decoder(enc_algo.parameters()).decode(iv, ASN1_Type::OctetString).verify_end();
295
296 auto dec = Cipher_Mode::create(cipher, Cipher_Dir::Decryption);
297 if(!dec) {
298 throw Decoding_Error(fmt("PBE-PKCS5 cannot decrypt no cipher '{}'", cipher));
299 }
300
301 dec->set_key(derive_key(passphrase, kdf_algo, dec->key_spec().maximum_keylength()));
302
303 dec->start(iv);
304
305 secure_vector<uint8_t> buf(key_bits.begin(), key_bits.end());
306 dec->finish(buf);
307
308 return buf;
309}
Definition asn1_obj.h:449
Definition ber_dec.h:22
References Botan::Cipher_Mode::create(), Botan::BER_Decoder::decode(), Decryption, Botan::BER_Decoder::end_cons(), fmt(), Botan::OID::human_name_or_empty(), OctetString, Botan::AlgorithmIdentifier::oid(), Botan::AlgorithmIdentifier::parameters(), split_on(), Botan::BER_Decoder::start_sequence(), and Botan::BER_Decoder::verify_end().
◆ pbes2_encrypt()
| std::pair< AlgorithmIdentifier, std::vector< uint8_t > > Botan::pbes2_encrypt | ( | std::span< const uint8_t > | key_bits, |
| std::string_view | passphrase, | ||
| std::chrono::milliseconds | msec, | ||
| std::string_view | cipher, | ||
| std::string_view | digest, | ||
| RandomNumberGenerator & | rng ) |
Encrypt with PBES2 from PKCS #5 v2.0
- Parameters
-
key_bits the input passphrase the passphrase to use for encryption msec how many milliseconds to run PBKDF2 cipher specifies the block cipher to use to encrypt digest specifies the PRF to use with PBKDF2 (eg "HMAC(SHA-1)") rng a random number generator
Definition at line 242 of file pbes2.cpp.
247 {
248 size_t msec_in_iterations_out = static_cast<size_t>(msec.count());
249 return pbes2_encrypt_shared(key_bits, passphrase, &msec_in_iterations_out, 0, cipher, digest, rng);
250 // return value msec_in_iterations_out discarded
251}
◆ pbes2_encrypt_iter()
| std::pair< AlgorithmIdentifier, std::vector< uint8_t > > Botan::pbes2_encrypt_iter | ( | std::span< const uint8_t > | key_bits, |
| std::string_view | passphrase, | ||
| size_t | iterations, | ||
| std::string_view | cipher, | ||
| std::string_view | digest, | ||
| RandomNumberGenerator & | rng ) |
Encrypt with PBES2 from PKCS #5 v2.0
- Parameters
-
key_bits the input passphrase the passphrase to use for encryption iterations how many iterations to run PBKDF2 cipher specifies the block cipher to use to encrypt digest specifies the PRF to use with PBKDF2 (eg "HMAC(SHA-1)") rng a random number generator
Definition at line 271 of file pbes2.cpp.
276 {
277 return pbes2_encrypt_shared(key_bits, passphrase, nullptr, pbkdf_iter, cipher, digest, rng);
278}
Referenced by Botan::PKCS8::BER_encode_encrypted_pbkdf_iter().
◆ pbes2_encrypt_msec()
| std::pair< AlgorithmIdentifier, std::vector< uint8_t > > Botan::pbes2_encrypt_msec | ( | std::span< const uint8_t > | key_bits, |
| std::string_view | passphrase, | ||
| std::chrono::milliseconds | msec, | ||
| size_t * | out_iterations_if_nonnull, | ||
| std::string_view | cipher, | ||
| std::string_view | digest, | ||
| RandomNumberGenerator & | rng ) |
Encrypt with PBES2 from PKCS #5 v2.0
- Parameters
-
key_bits the input passphrase the passphrase to use for encryption msec how many milliseconds to run PBKDF2 out_iterations_if_nonnull if not null, set to the number of PBKDF iterations used cipher specifies the block cipher to use to encrypt digest specifies the PRF to use with PBKDF2 (eg "HMAC(SHA-1)") rng a random number generator
Definition at line 253 of file pbes2.cpp.
259 {
260 size_t msec_in_iterations_out = static_cast<size_t>(msec.count());
261
262 auto ret = pbes2_encrypt_shared(key_bits, passphrase, &msec_in_iterations_out, 0, cipher, digest, rng);
263
264 if(out_iterations_if_nonnull) {
265 *out_iterations_if_nonnull = msec_in_iterations_out;
266 }
267
268 return ret;
269}
Referenced by Botan::PKCS8::BER_encode(), and Botan::PKCS8::BER_encode_encrypted_pbkdf_msec().
◆ pbkdf2() [1/2]
| void Botan::pbkdf2 | ( | MessageAuthenticationCode & | prf, |
| uint8_t | out[], | ||
| size_t | out_len, | ||
| const uint8_t | salt[], | ||
| size_t | salt_len, | ||
| size_t | iterations ) |
Perform PBKDF2. The prf is assumed to be keyed already.
Definition at line 97 of file pbkdf2.cpp.
102 {
103 if(iterations == 0) {
105 }
106
107 clear_mem(out, out_len);
108
109 if(out_len == 0) {
110 return;
111 }
112
114 BOTAN_ASSERT_NOMSG(prf_sz > 0);
115
116 secure_vector<uint8_t> U(prf_sz);
117
118 uint32_t counter = 1;
119 while(out_len) {
120 const size_t prf_output = std::min<size_t>(prf_sz, out_len);
121
122 prf.update(salt, salt_len);
123 prf.update_be(counter++);
124 prf.final(U.data());
125
126 xor_buf(out, U.data(), prf_output);
127
128 for(size_t i = 1; i != iterations; ++i) {
129 prf.update(U);
130 prf.final(U.data());
131 xor_buf(out, U.data(), prf_output);
132 }
133
134 out_len -= prf_output;
135 out += prf_output;
136 }
137}
References BOTAN_ASSERT_NOMSG, clear_mem(), Botan::Buffered_Computation::final(), Botan::Buffered_Computation::output_length(), Botan::Buffered_Computation::update(), Botan::Buffered_Computation::update_be(), and xor_buf().
◆ pbkdf2() [2/2]
| size_t Botan::pbkdf2 | ( | MessageAuthenticationCode & | prf, |
| uint8_t | out[], | ||
| size_t | out_len, | ||
| std::string_view | password, | ||
| const uint8_t | salt[], | ||
| size_t | salt_len, | ||
| size_t | iterations, | ||
| std::chrono::milliseconds | msec ) |
Definition at line 78 of file pbkdf2.cpp.
85 {
86 if(iterations == 0) {
87 iterations = tune_pbkdf2(prf, out_len, msec);
88 }
89
90 PBKDF2 pbkdf2(prf, iterations);
91
92 pbkdf2.derive_key(out, out_len, password.data(), password.size(), salt, salt_len);
93
94 return iterations;
95}
References pbkdf2().
Referenced by Botan::PBKDF2::derive_key(), Botan::Scrypt::derive_key(), Botan::PKCS5_PBKDF2::pbkdf(), and pbkdf2().
◆ pkcs_hash_id()
| std::vector< uint8_t > BOTAN_TEST_API Botan::pkcs_hash_id | ( | std::string_view | hash_name | ) |
Return the PKCS #1 hash identifier
- See also
- RFC 3447 section 9.2
- Parameters
-
hash_name the name of the hash function
- Returns
- uint8_t sequence identifying the hash
- Exceptions
-
Invalid_Argument if the hash has no known PKCS #1 hash id
Definition at line 78 of file hash_id.cpp.
78 {
79 // Special case for SSL/TLS RSA signatures
81 return std::vector<uint8_t>();
82 }
83
84 // If you add a value to this function, also update test_hash_id.cpp
85
87 return std::vector<uint8_t>(MD5_PKCS_ID, MD5_PKCS_ID + sizeof(MD5_PKCS_ID));
88 }
89
91 return std::vector<uint8_t>(RIPEMD_160_PKCS_ID, RIPEMD_160_PKCS_ID + sizeof(RIPEMD_160_PKCS_ID));
92 }
93
95 return std::vector<uint8_t>(SHA_1_PKCS_ID, SHA_1_PKCS_ID + sizeof(SHA_1_PKCS_ID));
96 }
97
99 return std::vector<uint8_t>(SHA_224_PKCS_ID, SHA_224_PKCS_ID + sizeof(SHA_224_PKCS_ID));
100 }
101
103 return std::vector<uint8_t>(SHA_256_PKCS_ID, SHA_256_PKCS_ID + sizeof(SHA_256_PKCS_ID));
104 }
105
107 return std::vector<uint8_t>(SHA_384_PKCS_ID, SHA_384_PKCS_ID + sizeof(SHA_384_PKCS_ID));
108 }
109
111 return std::vector<uint8_t>(SHA_512_PKCS_ID, SHA_512_PKCS_ID + sizeof(SHA_512_PKCS_ID));
112 }
113
115 return std::vector<uint8_t>(SHA_512_256_PKCS_ID, SHA_512_256_PKCS_ID + sizeof(SHA_512_256_PKCS_ID));
116 }
117
119 return std::vector<uint8_t>(SHA3_224_PKCS_ID, SHA3_224_PKCS_ID + sizeof(SHA3_224_PKCS_ID));
120 }
121
123 return std::vector<uint8_t>(SHA3_256_PKCS_ID, SHA3_256_PKCS_ID + sizeof(SHA3_256_PKCS_ID));
124 }
125
127 return std::vector<uint8_t>(SHA3_384_PKCS_ID, SHA3_384_PKCS_ID + sizeof(SHA3_384_PKCS_ID));
128 }
129
131 return std::vector<uint8_t>(SHA3_512_PKCS_ID, SHA3_512_PKCS_ID + sizeof(SHA3_512_PKCS_ID));
132 }
133
135 return std::vector<uint8_t>(SM3_PKCS_ID, SM3_PKCS_ID + sizeof(SM3_PKCS_ID));
136 }
137
139}
References name.
Referenced by botan_pkcs_hash_id(), Botan::EMSA_PKCS1v15::EMSA_PKCS1v15(), and Botan::EMSA_PKCS1v15_Raw::EMSA_PKCS1v15_Raw().
◆ poly_double_n() [1/2]
|
inline |
Definition at line 26 of file poly_dbl.h.
References poly_double_n().
◆ poly_double_n() [2/2]
| void BOTAN_TEST_API Botan::poly_double_n | ( | uint8_t | out[], |
| const uint8_t | in[], | ||
| size_t | n ) |
Polynomial doubling in GF(2^n)
Definition at line 81 of file poly_dbl.cpp.
81 {
82 switch(n) {
83 case 8:
84 return poly_double<1, MinWeightPolynomial::P64>(out, in);
85 case 16:
86 return poly_double<2, MinWeightPolynomial::P128>(out, in);
87 case 24:
88 return poly_double<3, MinWeightPolynomial::P192>(out, in);
89 case 32:
90 return poly_double<4, MinWeightPolynomial::P256>(out, in);
91 case 64:
92 return poly_double<8, MinWeightPolynomial::P512>(out, in);
93 case 128:
94 return poly_double<16, MinWeightPolynomial::P1024>(out, in);
95 default:
97 }
98}
Referenced by poly_double_n(), and Botan::SIV_Mode::S2V().
◆ poly_double_n_le()
| void BOTAN_TEST_API Botan::poly_double_n_le | ( | uint8_t | out[], |
| const uint8_t | in[], | ||
| size_t | n ) |
Definition at line 100 of file poly_dbl.cpp.
100 {
101 switch(n) {
102 case 8:
103 return poly_double_le<1, MinWeightPolynomial::P64>(out, in);
104 case 16:
105 return poly_double_le<2, MinWeightPolynomial::P128>(out, in);
106 case 24:
107 return poly_double_le<3, MinWeightPolynomial::P192>(out, in);
108 case 32:
109 return poly_double_le<4, MinWeightPolynomial::P256>(out, in);
110 case 64:
111 return poly_double_le<8, MinWeightPolynomial::P512>(out, in);
112 case 128:
113 return poly_double_le<16, MinWeightPolynomial::P1024>(out, in);
114 default:
116 }
117}
Referenced by Botan::XTS_Mode::update_tweak(), and xts_update_tweak_block().
◆ poly_double_supported_size()
|
inline |
Returns true iff poly_double_n is implemented for this size.
Definition at line 22 of file poly_dbl.h.
22 {
23 return (n == 8 || n == 16 || n == 24 || n == 32 || n == 64 || n == 128);
24}
Referenced by Botan::CMAC::CMAC(), and Botan::XTS_Mode::XTS_Mode().
◆ power_mod()
Modular exponentation
- Parameters
-
b an integer base x a positive exponent m a positive modulus
- Returns
- (b^x) % m
Definition at line 284 of file numthry.cpp.
284 {
285 if(mod.is_negative() || mod == 1) {
286 return BigInt::zero();
287 }
288
289 if(base.is_zero() || mod.is_zero()) {
290 if(exp.is_zero()) {
291 return BigInt::one();
292 }
293 return BigInt::zero();
294 }
295
296 Modular_Reducer reduce_mod(mod);
297
298 const size_t exp_bits = exp.bits();
299
300 if(mod.is_odd()) {
301 auto monty_params = std::make_shared<Montgomery_Params>(mod, reduce_mod);
303 }
304
305 /*
306 Support for even modulus is just a convenience and not considered
307 cryptographically important, so this implementation is slow ...
308 */
309 BigInt accum = BigInt::one();
310 BigInt g = reduce_mod.reduce(base);
311 BigInt t;
312
313 for(size_t i = 0; i != exp_bits; ++i) {
314 t = reduce_mod.multiply(g, accum);
315 g = reduce_mod.square(g);
316 accum.ct_cond_assign(exp.get_bit(i), t);
317 }
318 return accum;
319}
BigInt monty_exp(const std::shared_ptr< const Montgomery_Params > ¶ms_p, const BigInt &g, const BigInt &k, size_t max_k_bits)
Definition monty_exp.h:41
References Botan::BigInt::bits(), Botan::BigInt::ct_cond_assign(), Botan::BigInt::get_bit(), Botan::BigInt::is_negative(), Botan::BigInt::is_odd(), Botan::BigInt::is_zero(), monty_exp(), Botan::Modular_Reducer::multiply(), Botan::BigInt::one(), Botan::Modular_Reducer::reduce(), Botan::Modular_Reducer::square(), and Botan::BigInt::zero().
Referenced by botan_mp_powmod().
◆ prefetch_array_raw()
|
noexcept |
Prefetch an array
This function returns a uint64_t which is accumulated from values read from the array. This may help confuse the compiler sufficiently to not elide otherwise "useless" reads. The return value will always be zero.
Definition at line 14 of file prefetch.cpp.
14 {
15#if defined(__cpp_lib_hardware_interference_size)
16 const size_t cache_line_size = std::hardware_destructive_interference_size;
17#else
18 // We arbitrarily use a 64 byte cache line, which is by far the most
19 // common size.
20 //
21 // Runtime detection adds too much overhead to this function.
22 const size_t cache_line_size = 64;
23#endif
24
25 const uint8_t* array = static_cast<const uint8_t*>(arrayv);
26
27 volatile uint64_t combiner = 1;
28
29 for(size_t idx = 0; idx < bytes; idx += cache_line_size) {
30#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_prefetch)
31 // we have no way of knowing if the compiler will emit anything here
32 __builtin_prefetch(&array[idx]);
33#endif
34
35 combiner = combiner | array[idx];
36 }
37
38 /*
39 * The combiner variable is initialized with 1, and we accumulate using OR, so
40 * now combiner must be a value other than zero. This being the case we will
41 * always return zero here. Hopefully the compiler will not figure this out.
42 */
43 return ct_is_zero(combiner);
44}
References ct_is_zero().
Referenced by prefetch_arrays().
◆ prefetch_arrays()
Prefetch several arrays
This function returns a uint64_t which is accumulated from values read from the array. This may help confuse the compiler sufficiently to not elide otherwise "useless" reads. The return value will always be zero.
Definition at line 34 of file prefetch.h.
36{
38}
uint64_t prefetch_array_raw(size_t bytes, const void *arrayv) noexcept
Definition prefetch.cpp:14
References prefetch_array_raw(), and T.
Referenced by Botan::SEED::decrypt_n(), and Botan::SEED::encrypt_n().
◆ prime_p192()
| const BigInt & Botan::prime_p192 | ( | ) |
◆ prime_p224()
| const BigInt & Botan::prime_p224 | ( | ) |
◆ prime_p256()
| const BigInt & Botan::prime_p256 | ( | ) |
◆ prime_p384()
| const BigInt & Botan::prime_p384 | ( | ) |
Return the P-384 prime
Definition at line 395 of file nistp_redc.cpp.
395 {
397 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF");
398 return p384;
399}
◆ prime_p521()
| const BigInt & Botan::prime_p521 | ( | ) |
Return the P-521 prime
Definition at line 15 of file nistp_redc.cpp.
15 {
17 "0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
18 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF");
19
20 return p521;
21}
◆ probe_provider_private_key()
| std::vector< std::string > Botan::probe_provider_private_key | ( | std::string_view | alg_name, |
| const std::vector< std::string > & | possible ) |
Definition at line 695 of file pk_algs.cpp.
696 {
697 std::vector<std::string> providers;
698
699 for(auto&& prov : possible) {
700 if(prov == "base") {
701 providers.push_back(prov);
702 }
703 }
704
705 BOTAN_UNUSED(alg_name);
706
707 return providers;
708}
References BOTAN_UNUSED.
◆ probe_providers_of()
template<typename T >
| std::vector< std::string > Botan::probe_providers_of | ( | std::string_view | algo_spec, |
| const std::vector< std::string > & | possible = {"base"} ) |
Definition at line 105 of file scan_name.h.
106 {"base"}) {
107 std::vector<std::string> providers;
108 for(auto&& prov : possible) {
109 auto o = T::create(algo_spec, prov);
110 if(o) {
111 providers.push_back(prov); // available
112 }
113 }
114 return providers;
115}
Referenced by Botan::BlockCipher::providers(), Botan::HashFunction::providers(), Botan::KDF::providers(), Botan::MessageAuthenticationCode::providers(), Botan::PasswordHashFamily::providers(), Botan::PBKDF::providers(), Botan::StreamCipher::providers(), and Botan::XOF::providers().
◆ random_code_element()
| gf2m Botan::random_code_element | ( | uint16_t | code_length, |
| RandomNumberGenerator & | rng ) |
Definition at line 80 of file polyn_gf2m.cpp.
80 {
81 if(code_length == 0) {
83 }
84 const unsigned nlz = nlz_16bit(code_length - 1);
85 const gf2m mask = (1 << (16 - nlz)) - 1;
86
87 gf2m result;
88
89 do {
90 result = random_gf2m(rng);
91 result &= mask;
92 } while(result >= code_length); // rejection sampling
93
94 return result;
95}
References random_gf2m().
Referenced by Botan::polyn_gf2m::polyn_gf2m().
◆ random_gf2m()
| gf2m Botan::random_gf2m | ( | RandomNumberGenerator & | rng | ) |
Definition at line 74 of file polyn_gf2m.cpp.
References b, make_uint16(), and Botan::RandomNumberGenerator::randomize().
Referenced by random_code_element().
◆ random_prime()
| BigInt Botan::random_prime | ( | RandomNumberGenerator & | rng, |
| size_t | bits, | ||
| const BigInt & | coprime = BigInt::from_u64(0), | ||
| size_t | equiv = 1, | ||
| size_t | equiv_mod = 2, | ||
| size_t | prob = 128 ) |
Randomly generate a prime suitable for discrete logarithm parameters
- Parameters
-
rng a random number generator bits how large the resulting prime should be in bits coprime a positive integer that (prime - 1) should be coprime to equiv a non-negative number that the result should be equivalent to modulo equiv_mod equiv_mod the modulus equiv should be checked against prob use test so false positive is bounded by 1/2**prob
- Returns
- random prime with the specified criteria
Definition at line 97 of file make_prm.cpp.
98 {
99 if(bits <= 1) {
100 throw Invalid_Argument("random_prime: Can't make a prime of " + std::to_string(bits) + " bits");
101 }
102 if(coprime.is_negative() || (!coprime.is_zero() && coprime.is_even()) || coprime.bits() >= bits) {
103 throw Invalid_Argument("random_prime: invalid coprime");
104 }
105 if(modulo == 0 || modulo >= 100000) {
106 throw Invalid_Argument("random_prime: Invalid modulo value");
107 }
108
109 equiv %= modulo;
110
111 if(equiv == 0) {
112 throw Invalid_Argument("random_prime Invalid value for equiv/modulo");
113 }
114
115 // Handle small values:
116
117 if(bits <= 16) {
118 if(equiv != 1 || modulo != 2 || coprime != 0) {
119 throw Not_Implemented("random_prime equiv/modulo/coprime options not usable for small primes");
120 }
121
122 if(bits == 2) {
124 } else if(bits == 3) {
126 } else if(bits == 4) {
128 } else {
129 for(;;) {
130 // This is slightly biased, but for small primes it does not seem to matter
131 uint8_t b[4] = {0};
132 rng.randomize(b, 4);
135
137 return BigInt::from_word(small_prime);
138 }
139 }
140 }
141 }
142
143 const size_t MAX_ATTEMPTS = 32 * 1024;
144
146
147 while(true) {
148 BigInt p(rng, bits);
149
150 // Force lowest and two top bits on
151 p.set_bit(bits - 1);
152 p.set_bit(bits - 2);
153 p.set_bit(0);
154
155 // Force p to be equal to equiv mod modulo
156 p += (modulo - (p % modulo)) + equiv;
157
158 Prime_Sieve sieve(p, bits, modulo, true);
159
160 for(size_t attempt = 0; attempt <= MAX_ATTEMPTS; ++attempt) {
161 p += modulo;
162
163 if(!sieve.next()) {
164 continue;
165 }
166
167 // here p can be even if modulo is odd, continue on in that case
168 if(p.is_even()) {
169 continue;
170 }
171
172 BOTAN_DEBUG_ASSERT(no_small_multiples(p, sieve));
173
174 Modular_Reducer mod_p(p);
175
176 if(coprime > 1) {
177 /*
178 First do a single M-R iteration to quickly elimate most non-primes,
179 before doing the coprimality check which is expensive
180 */
182 continue;
183 }
184
185 /*
186 * Check if p - 1 and coprime are relatively prime, using gcd.
187 * The gcd computation is const-time
188 */
190 continue;
191 }
192 }
193
194 if(p.bits() > bits) {
195 break;
196 }
197
199 continue;
200 }
201
203 continue;
204 }
205
206 return p;
207 }
208 }
209}
References b, Botan::BigInt::bits(), BOTAN_DEBUG_ASSERT, Botan::BigInt::from_word(), gcd(), high_bit(), Botan::BigInt::is_even(), is_lucas_probable_prime(), is_miller_rabin_probable_prime(), Botan::BigInt::is_negative(), Botan::BigInt::is_zero(), load_le(), miller_rabin_test_iterations(), Botan::RandomNumberGenerator::next_byte(), PRIME_TABLE_SIZE, PRIMES, Botan::RandomNumberGenerator::randomize(), and Botan::BigInt::set_bit().
Referenced by Botan::DL_Group::DL_Group(), and random_safe_prime().
◆ random_safe_prime()
| BigInt Botan::random_safe_prime | ( | RandomNumberGenerator & | rng, |
| size_t | bits ) |
Return a 'safe' prime, of the form p=2*q+1 with q prime
- Parameters
-
rng a random number generator bits is how long the resulting prime should be
- Returns
- prime randomly chosen from safe primes of length bits
Definition at line 294 of file make_prm.cpp.
294 {
295 if(bits <= 64) {
296 throw Invalid_Argument("random_safe_prime: Can't make a prime of " + std::to_string(bits) + " bits");
297 }
298
299 const size_t error_bound = 128;
300
301 BigInt q, p;
302 for(;;) {
303 /*
304 Generate q == 2 (mod 3), since otherwise [in the case of q == 1 (mod 3)],
305 2*q+1 == 3 (mod 3) and so certainly not prime.
306 */
307 q = random_prime(rng, bits - 1, BigInt::zero(), 2, 3, error_bound);
308 p = (q << 1) + 1;
309
310 if(is_prime(p, rng, error_bound, true)) {
311 return p;
312 }
313 }
314}
References is_prime(), random_prime(), and Botan::BigInt::zero().
Referenced by Botan::DL_Group::DL_Group().
◆ read_cfg()
| std::map< std::string, std::string > Botan::read_cfg | ( | std::istream & | is | ) |
Definition at line 34 of file read_cfg.cpp.
34 {
35 std::map<std::string, std::string> kv;
36 size_t line = 0;
37
38 while(is.good()) {
39 std::string s;
40
41 std::getline(is, s);
42
43 ++line;
44
45 if(s.empty() || s[0] == '#') {
46 continue;
47 }
48
49 s = clean_ws(s.substr(0, s.find('#')));
50
51 if(s.empty()) {
52 continue;
53 }
54
55 auto eq = s.find('=');
56
57 if(eq == std::string::npos || eq == 0 || eq == s.size() - 1) {
58 throw Decoding_Error("Bad read_cfg input '" + s + "' on line " + std::to_string(line));
59 }
60
61 const std::string key = clean_ws(s.substr(0, eq));
62 const std::string val = clean_ws(s.substr(eq + 1, std::string::npos));
63
64 kv[key] = val;
65 }
66
67 return kv;
68}
Referenced by Botan::TLS::Text_Policy::Text_Policy().
◆ read_kv()
| std::map< std::string, std::string > Botan::read_kv | ( | std::string_view | kv | ) |
Accepts key value pairs deliminated by commas:
"" (returns empty map) "K=V" (returns map {'K': 'V'}) "K1=V1,K2=V2" "K1=V1,K2=V2,K3=V3" "K1=V1,K2=V2,K3=a_value\,with\,commas_and_\=equals"
Values may be empty, keys must be non-empty and unique. Duplicate keys cause an exception.
Within both key and value, comma and equals can be escaped with backslash. Backslash can also be escaped.
Definition at line 13 of file read_kv.cpp.
13 {
14 std::map<std::string, std::string> m;
15 if(kv.empty()) {
16 return m;
17 }
18
19 std::vector<std::string> parts;
20
21 try {
22 parts = split_on(kv, ',');
23 } catch(std::exception&) {
24 throw Invalid_Argument("Bad KV spec");
25 }
26
27 bool escaped = false;
28 bool reading_key = true;
29 std::string cur_key;
30 std::string cur_val;
31
32 for(char c : kv) {
33 if(c == '\\' && !escaped) {
34 escaped = true;
35 } else if(c == ',' && !escaped) {
36 if(cur_key.empty()) {
37 throw Invalid_Argument("Bad KV spec empty key");
38 }
39
40 if(m.find(cur_key) != m.end()) {
41 throw Invalid_Argument("Bad KV spec duplicated key");
42 }
43 m[cur_key] = cur_val;
44 cur_key = "";
45 cur_val = "";
46 reading_key = true;
47 } else if(c == '=' && !escaped) {
48 if(reading_key == false) {
49 throw Invalid_Argument("Bad KV spec unexpected equals sign");
50 }
51 reading_key = false;
52 } else {
53 if(reading_key) {
54 cur_key += c;
55 } else {
56 cur_val += c;
57 }
58
59 if(escaped) {
60 escaped = false;
61 }
62 }
63 }
64
65 if(!cur_key.empty()) {
66 if(reading_key == false) {
67 if(m.find(cur_key) != m.end()) {
68 throw Invalid_Argument("Bad KV spec duplicated key");
69 }
70 m[cur_key] = cur_val;
71 } else {
72 throw Invalid_Argument("Bad KV spec incomplete string");
73 }
74 }
75
76 return m;
77}
References split_on().
◆ redc_crandall()
template<WordType W, size_t N, W C>
|
constexpr |
Reduce z modulo p = 2**B - C where C is small
z is assumed to be at most (p-1)**2
For details on the algorithm see
- Handbook of Applied Cryptography, Algorithm 14.47
- Guide to Elliptic Curve Cryptography, Algorithm 2.54 and Note 2.55
Definition at line 1122 of file mp_core.h.
1122 {
1123 static_assert(N >= 2);
1124
1125 std::array<W, N> hi = {};
1126
1127 // hi = hi * c + lo
1128
1129 W carry = 0;
1130 for(size_t i = 0; i != N; ++i) {
1131 hi[i] = word_madd3(z[i + N], C, z[i], &carry);
1132 }
1133
1134 // hi += carry * C
1135 word carry_c[2] = {0};
1136 carry_c[0] = word_madd2(carry, C, &carry_c[1]);
1137
1139
1140 constexpr auto P = crandall_p<W, N, C>();
1141
1142 std::array<W, N> r = {};
1143 bigint_monty_maybe_sub<N, W>(r.data(), carry, hi.data(), P.data());
1144
1145 return r;
1146}
References bigint_add2_nc(), bigint_monty_maybe_sub(), carry(), crandall_p(), word_madd2(), and word_madd3().
◆ redc_mul()
|
inline |
Definition at line 58 of file ed25519_internal.h.
58 {
59 s1 += X * 666643;
60 s2 += X * 470296;
61 s3 += X * 654183;
62 s4 -= X * 997805;
63 s5 += X * 136657;
64 s6 -= X * 683901;
65 X = 0;
66}
References X.
Referenced by sc_muladd(), and sc_reduce().
◆ redc_p192()
| void Botan::redc_p192 | ( | BigInt & | x, |
| secure_vector< word > & | ws ) |
Reduce an input modulo P-192
Input value x must be between 0 and p**2
Definition at line 102 of file nistp_redc.cpp.
102 {
104
105 BOTAN_UNUSED(ws);
106
108
109 x.grow_to(2 * p192_limbs);
110 word* xw = x.mutable_data();
111
124
125 const uint64_t S0 = X00 + X06 + X10;
126 const uint64_t S1 = X01 + X07 + X11;
127 const uint64_t S2 = X02 + X06 + X08 + X10;
128 const uint64_t S3 = X03 + X07 + X09 + X11;
129 const uint64_t S4 = X04 + X08 + X10;
130 const uint64_t S5 = X05 + X09 + X11;
131
132 uint64_t S = 0;
133 uint32_t R0 = 0, R1 = 0;
134
135 S += S0;
136 R0 = static_cast<uint32_t>(S);
137 S >>= 32;
138
139 S += S1;
140 R1 = static_cast<uint32_t>(S);
141 S >>= 32;
142
143 set_words(xw, 0, R0, R1);
144
145 S += S2;
146 R0 = static_cast<uint32_t>(S);
147 S >>= 32;
148
149 S += S3;
150 R1 = static_cast<uint32_t>(S);
151 S >>= 32;
152
153 set_words(xw, 2, R0, R1);
154
155 S += S4;
156 R0 = static_cast<uint32_t>(S);
157 S >>= 32;
158
159 S += S5;
160 R1 = static_cast<uint32_t>(S);
161 S >>= 32;
162
163 set_words(xw, 4, R0, R1);
164
165 // No underflow possible
166
167 /*
168 This is a table of (i*P-192) % 2**192 for i in 1...3
169 */
170 static const constinit std::array<word, p192_limbs> p192_mults[3] = {
171 hex_to_words<word>("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF"),
172 hex_to_words<word>("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFFFFFFFFFE"),
173 hex_to_words<word>("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCFFFFFFFFFFFFFFFD"),
174 };
175
176 CT::unpoison(S);
178
180 x.mask_bits(192);
181 word borrow = bigint_sub2(x.mutable_data(), p192_limbs + 1, p192_mults[S].data(), p192_limbs);
182 BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);
183 bigint_cnd_add(borrow, x.mutable_data(), p192_limbs + 1, p192_mults[0].data(), p192_limbs);
184}
constexpr uint32_t get_uint32(const W xw[], size_t i)
Definition pcurves_solinas.h:33
References bigint_cnd_add(), bigint_sub2(), BOTAN_ASSERT, BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, BOTAN_MP_WORD_BITS, BOTAN_UNUSED, get_uint32(), Botan::BigInt::grow_to(), hex_to_words(), Botan::BigInt::is_positive(), Botan::BigInt::mask_bits(), Botan::BigInt::mutable_data(), Botan::BigInt::size(), and Botan::CT::unpoison().
◆ redc_p224()
| void Botan::redc_p224 | ( | BigInt & | x, |
| secure_vector< word > & | ws ) |
Reduce an input modulo P-224
Input value x must be between 0 and p**2
Definition at line 191 of file nistp_redc.cpp.
191 {
193
195
196 BOTAN_UNUSED(ws);
197
198 x.grow_to(2 * p224_limbs);
199 word* xw = x.mutable_data();
200
215
216 // One full copy of P224 is added, so the result is always positive
217
218 const int64_t S0 = 0x00000001 + X00 - X07 - X11;
219 const int64_t S1 = 0x00000000 + X01 - X08 - X12;
220 const int64_t S2 = 0x00000000 + X02 - X09 - X13;
221 const int64_t S3 = 0xFFFFFFFF + X03 + X07 + X11 - X10;
222 const int64_t S4 = 0xFFFFFFFF + X04 + X08 + X12 - X11;
223 const int64_t S5 = 0xFFFFFFFF + X05 + X09 + X13 - X12;
224 const int64_t S6 = 0xFFFFFFFF + X06 + X10 - X13;
225
226 int64_t S = 0;
227 uint32_t R0 = 0, R1 = 0;
228
229 S += S0;
230 R0 = static_cast<uint32_t>(S);
231 S >>= 32;
232
233 S += S1;
234 R1 = static_cast<uint32_t>(S);
235 S >>= 32;
236
237 set_words(xw, 0, R0, R1);
238
239 S += S2;
240 R0 = static_cast<uint32_t>(S);
241 S >>= 32;
242
243 S += S3;
244 R1 = static_cast<uint32_t>(S);
245 S >>= 32;
246
247 set_words(xw, 2, R0, R1);
248
249 S += S4;
250 R0 = static_cast<uint32_t>(S);
251 S >>= 32;
252
253 S += S5;
254 R1 = static_cast<uint32_t>(S);
255 S >>= 32;
256
257 set_words(xw, 4, R0, R1);
258
259 S += S6;
260 R0 = static_cast<uint32_t>(S);
261 S >>= 32;
262
263 set_words(xw, 6, R0, 0);
264
265 static const constinit std::array<word, p224_limbs> p224_mults[3] = {
266 hex_to_words<word>("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001"),
267 hex_to_words<word>("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE000000000000000000000002"),
268 hex_to_words<word>("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD000000000000000000000003"),
269 };
270
271 CT::unpoison(S);
273
275 x.mask_bits(224);
276 word borrow = bigint_sub2(x.mutable_data(), p224_limbs + 1, p224_mults[S].data(), p224_limbs);
277 BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);
278 bigint_cnd_add(borrow, x.mutable_data(), p224_limbs + 1, p224_mults[0].data(), p224_limbs);
279}
References bigint_cnd_add(), bigint_sub2(), BOTAN_ASSERT, BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, BOTAN_MP_WORD_BITS, BOTAN_UNUSED, get_uint32(), Botan::BigInt::grow_to(), hex_to_words(), Botan::BigInt::is_positive(), Botan::BigInt::mask_bits(), Botan::BigInt::mutable_data(), Botan::BigInt::size(), and Botan::CT::unpoison().
◆ redc_p256()
| void Botan::redc_p256 | ( | BigInt & | x, |
| secure_vector< word > & | ws ) |
Reduce an input modulo P-256
Input value x must be between 0 and p**2
Definition at line 286 of file nistp_redc.cpp.
286 {
288
290
291 BOTAN_UNUSED(ws);
292
293 x.grow_to(2 * p256_limbs);
294 word* xw = x.mutable_data();
295
312
313 // Adds 6 * P-256 to prevent underflow
314 const int64_t S0 = 0xFFFFFFFA + X00 + X08 + X09 - (X11 + X12 + X13) - X14;
315 const int64_t S1 = 0xFFFFFFFF + X01 + X09 + X10 - X12 - (X13 + X14 + X15);
316 const int64_t S2 = 0xFFFFFFFF + X02 + X10 + X11 - (X13 + X14 + X15);
317 const int64_t S3 = 0x00000005 + X03 + (X11 + X12) * 2 + X13 - X15 - X08 - X09;
318 const int64_t S4 = 0x00000000 + X04 + (X12 + X13) * 2 + X14 - X09 - X10;
319 const int64_t S5 = 0x00000000 + X05 + (X13 + X14) * 2 + X15 - X10 - X11;
320 const int64_t S6 = 0x00000006 + X06 + X13 + X14 * 3 + X15 * 2 - X08 - X09;
321 const int64_t S7 = 0xFFFFFFFA + X07 + X15 * 3 + X08 - X10 - (X11 + X12 + X13);
322
323 int64_t S = 0;
324
325 uint32_t R0 = 0, R1 = 0;
326
327 S += S0;
328 R0 = static_cast<uint32_t>(S);
329 S >>= 32;
330
331 S += S1;
332 R1 = static_cast<uint32_t>(S);
333 S >>= 32;
334
335 set_words(xw, 0, R0, R1);
336
337 S += S2;
338 R0 = static_cast<uint32_t>(S);
339 S >>= 32;
340
341 S += S3;
342 R1 = static_cast<uint32_t>(S);
343 S >>= 32;
344
345 set_words(xw, 2, R0, R1);
346
347 S += S4;
348 R0 = static_cast<uint32_t>(S);
349 S >>= 32;
350
351 S += S5;
352 R1 = static_cast<uint32_t>(S);
353 S >>= 32;
354
355 set_words(xw, 4, R0, R1);
356
357 S += S6;
358 R0 = static_cast<uint32_t>(S);
359 S >>= 32;
360
361 S += S7;
362 R1 = static_cast<uint32_t>(S);
363 S >>= 32;
364 set_words(xw, 6, R0, R1);
365
366 S += 5; // the top digits of 6*P-256
367
368 /*
369 This is a table of (i*P-256) % 2**256 for i in 1...10
370 */
371 static const constinit std::array<word, p256_limbs> p256_mults[11] = {
372 hex_to_words<word>("FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF"),
373 hex_to_words<word>("FFFFFFFE00000002000000000000000000000001FFFFFFFFFFFFFFFFFFFFFFFE"),
374 hex_to_words<word>("FFFFFFFD00000003000000000000000000000002FFFFFFFFFFFFFFFFFFFFFFFD"),
375 hex_to_words<word>("FFFFFFFC00000004000000000000000000000003FFFFFFFFFFFFFFFFFFFFFFFC"),
376 hex_to_words<word>("FFFFFFFB00000005000000000000000000000004FFFFFFFFFFFFFFFFFFFFFFFB"),
377 hex_to_words<word>("FFFFFFFA00000006000000000000000000000005FFFFFFFFFFFFFFFFFFFFFFFA"),
378 hex_to_words<word>("FFFFFFF900000007000000000000000000000006FFFFFFFFFFFFFFFFFFFFFFF9"),
379 hex_to_words<word>("FFFFFFF800000008000000000000000000000007FFFFFFFFFFFFFFFFFFFFFFF8"),
380 hex_to_words<word>("FFFFFFF700000009000000000000000000000008FFFFFFFFFFFFFFFFFFFFFFF7"),
381 hex_to_words<word>("FFFFFFF60000000A000000000000000000000009FFFFFFFFFFFFFFFFFFFFFFF6"),
382 hex_to_words<word>("FFFFFFF50000000B00000000000000000000000AFFFFFFFFFFFFFFFFFFFFFFF5"),
383 };
384
385 CT::unpoison(S);
387
389 x.mask_bits(256);
390 word borrow = bigint_sub2(x.mutable_data(), p256_limbs + 1, p256_mults[S].data(), p256_limbs);
391 BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);
392 bigint_cnd_add(borrow, x.mutable_data(), p256_limbs + 1, p256_mults[0].data(), p256_limbs);
393}
References bigint_cnd_add(), bigint_sub2(), BOTAN_ASSERT, BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, BOTAN_MP_WORD_BITS, BOTAN_UNUSED, get_uint32(), Botan::BigInt::grow_to(), hex_to_words(), Botan::BigInt::is_positive(), Botan::BigInt::mask_bits(), Botan::BigInt::mutable_data(), Botan::BigInt::size(), and Botan::CT::unpoison().
◆ redc_p384()
| void Botan::redc_p384 | ( | BigInt & | x, |
| secure_vector< word > & | ws ) |
Reduce an input modulo P-384
Input value x must be between 0 and p**2
Definition at line 401 of file nistp_redc.cpp.
401 {
403
404 BOTAN_UNUSED(ws);
405
407
408 x.grow_to(2 * p384_limbs);
409 word* xw = x.mutable_data();
410
435
436 // One copy of P-384 is added to prevent underflow
437 const int64_t S0 = 0xFFFFFFFF + X00 + X12 + X20 + X21 - X23;
438 const int64_t S1 = 0x00000000 + X01 + X13 + X22 + X23 - X12 - X20;
439 const int64_t S2 = 0x00000000 + X02 + X14 + X23 - X13 - X21;
440 const int64_t S3 = 0xFFFFFFFF + X03 + X12 + X15 + X20 + X21 - X14 - X22 - X23;
441 const int64_t S4 = 0xFFFFFFFE + X04 + X12 + X13 + X16 + X20 + X21 * 2 + X22 - X15 - X23 * 2;
442 const int64_t S5 = 0xFFFFFFFF + X05 + X13 + X14 + X17 + X21 + X22 * 2 + X23 - X16;
443 const int64_t S6 = 0xFFFFFFFF + X06 + X14 + X15 + X18 + X22 + X23 * 2 - X17;
444 const int64_t S7 = 0xFFFFFFFF + X07 + X15 + X16 + X19 + X23 - X18;
445 const int64_t S8 = 0xFFFFFFFF + X08 + X16 + X17 + X20 - X19;
446 const int64_t S9 = 0xFFFFFFFF + X09 + X17 + X18 + X21 - X20;
447 const int64_t SA = 0xFFFFFFFF + X10 + X18 + X19 + X22 - X21;
448 const int64_t SB = 0xFFFFFFFF + X11 + X19 + X20 + X23 - X22;
449
450 int64_t S = 0;
451
452 uint32_t R0 = 0, R1 = 0;
453
454 S += S0;
455 R0 = static_cast<uint32_t>(S);
456 S >>= 32;
457
458 S += S1;
459 R1 = static_cast<uint32_t>(S);
460 S >>= 32;
461
462 set_words(xw, 0, R0, R1);
463
464 S += S2;
465 R0 = static_cast<uint32_t>(S);
466 S >>= 32;
467
468 S += S3;
469 R1 = static_cast<uint32_t>(S);
470 S >>= 32;
471
472 set_words(xw, 2, R0, R1);
473
474 S += S4;
475 R0 = static_cast<uint32_t>(S);
476 S >>= 32;
477
478 S += S5;
479 R1 = static_cast<uint32_t>(S);
480 S >>= 32;
481
482 set_words(xw, 4, R0, R1);
483
484 S += S6;
485 R0 = static_cast<uint32_t>(S);
486 S >>= 32;
487
488 S += S7;
489 R1 = static_cast<uint32_t>(S);
490 S >>= 32;
491
492 set_words(xw, 6, R0, R1);
493
494 S += S8;
495 R0 = static_cast<uint32_t>(S);
496 S >>= 32;
497
498 S += S9;
499 R1 = static_cast<uint32_t>(S);
500 S >>= 32;
501
502 set_words(xw, 8, R0, R1);
503
504 S += SA;
505 R0 = static_cast<uint32_t>(S);
506 S >>= 32;
507
508 S += SB;
509 R1 = static_cast<uint32_t>(S);
510 S >>= 32;
511
512 set_words(xw, 10, R0, R1);
513
514 /*
515 This is a table of (i*P-384) % 2**384 for i in 1...4
516 */
517 static const constinit std::array<word, p384_limbs> p384_mults[5] = {
518 hex_to_words<word>(
519 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF"),
520 hex_to_words<word>(
521 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFE0000000000000001FFFFFFFE"),
522 hex_to_words<word>(
523 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCFFFFFFFD0000000000000002FFFFFFFD"),
524 hex_to_words<word>(
525 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFBFFFFFFFC0000000000000003FFFFFFFC"),
526 hex_to_words<word>(
527 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFAFFFFFFFB0000000000000004FFFFFFFB"),
528 };
529
530 CT::unpoison(S);
532
534 x.mask_bits(384);
535 word borrow = bigint_sub2(x.mutable_data(), p384_limbs + 1, p384_mults[S].data(), p384_limbs);
536 BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);
537 bigint_cnd_add(borrow, x.mutable_data(), p384_limbs + 1, p384_mults[0].data(), p384_limbs);
538}
References bigint_cnd_add(), bigint_sub2(), BOTAN_ASSERT, BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, BOTAN_MP_WORD_BITS, BOTAN_UNUSED, get_uint32(), Botan::BigInt::grow_to(), hex_to_words(), Botan::BigInt::is_positive(), Botan::BigInt::mask_bits(), Botan::BigInt::mutable_data(), Botan::BigInt::size(), and Botan::CT::unpoison().
◆ redc_p521()
| void Botan::redc_p521 | ( | BigInt & | x, |
| secure_vector< word > & | ws ) |
Reduce an input modulo P-521
Input value x must be between 0 and p**2
Definition at line 23 of file nistp_redc.cpp.
23 {
25
28 const size_t p_words = p_full_words + 1;
29
30 static const constinit auto p521_words = hex_to_words<word>(
31 "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
32 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF");
33
34 if(ws.size() < p_words + 1) {
35 ws.resize(p_words + 1);
36 }
37
38 clear_mem(ws.data(), ws.size());
40
41 x.mask_bits(521);
42 x.grow_to(p_words);
43
44 // Word-level carry will be zero
47
49
50 /*
51 * Check if we need to reduce modulo P
52 * There are two possible cases:
53 * - The result overflowed past 521 bits, in which case bit 522 will be set
54 * - The result is exactly 2**521 - 1
55 */
56 const auto bit_522_set = CT::Mask<word>::expand(top_word >> p_top_bits);
57
58 const word max = WordInfo<word>::max;
59 word and_512 = max;
60 for(size_t i = 0; i != p_full_words; ++i) {
61 and_512 &= x.word_at(i);
62 }
63 const auto all_512_low_bits_set = CT::Mask<word>::is_equal(and_512, max);
64 const auto has_p521_top_word = CT::Mask<word>::is_equal(top_word, 0x1FF);
65 const auto is_p521 = all_512_low_bits_set & has_p521_top_word;
66
67 const auto needs_reduction = is_p521 | bit_522_set;
68
70}
References Botan::BigInt::_data(), bigint_add3_nc(), bigint_cnd_sub(), bigint_shr2(), BOTAN_ASSERT_EQUAL, BOTAN_DEBUG_ASSERT, BOTAN_MP_WORD_BITS, carry(), clear_mem(), Botan::CT::Mask< T >::expand(), Botan::BigInt::grow_to(), hex_to_words(), Botan::CT::Mask< T >::is_equal(), Botan::BigInt::is_positive(), Botan::BigInt::mask_bits(), Botan::BigInt::mutable_data(), Botan::BigInt::size(), and Botan::BigInt::word_at().
◆ reduce()
template<typename RetT , typename KeyT , typename ReducerT >
requires std::is_convertible_v<ReducerT, std::function<RetT(RetT, const KeyT&)>>
requires std::is_convertible_v<ReducerT, std::function<RetT(RetT, const KeyT&)>>
| RetT Botan::reduce | ( | const std::vector< KeyT > & | keys, |
| RetT | acc, | ||
| ReducerT | reducer ) |
Reduce the values of keys into an accumulator initialized with acc using the reducer function reducer.
The reducer is a function taking the accumulator and a single key to return the new accumulator. Keys are consecutively reduced into the accumulator.
- Returns
- the accumulator containing the reduction of
keys
Definition at line 47 of file stl_util.h.
49{
50 for(const KeyT& key : keys) {
51 acc = reducer(std::move(acc), key);
52 }
53 return acc;
54}
Referenced by Botan::TLS::Hybrid_KEM_PrivateKey::check_key(), Botan::TLS::Hybrid_KEM_PublicKey::check_key(), Botan::TLS::Hybrid_KEM_PublicKey::load_for_group(), Botan::Modular_Reducer::multiply(), Botan::TLS::Hybrid_KEM_PublicKey::raw_public_key_bits(), and Botan::Modular_Reducer::square().
◆ reverse_bytes()
template<std::unsigned_integral T>
requires (sizeof(T) == 1 || sizeof(T) == 2 || sizeof(T) == 4 || sizeof(T) == 8)
requires (sizeof(T) == 1 || sizeof(T) == 2 || sizeof(T) == 4 || sizeof(T) == 8)
|
inlineconstexpr |
Swap the byte order of an unsigned integer
Definition at line 24 of file bswap.h.
24 {
26 return x;
28#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap16)
30#else
32#endif
34#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap32)
36#else
37 // MSVC at least recognizes this as a bswap
38 return static_cast<T>(((x & 0x000000FF) << 24) | ((x & 0x0000FF00) << 8) | ((x & 0x00FF0000) >> 8) |
39 ((x & 0xFF000000) >> 24));
40#endif
42#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_bswap64)
44#else
45 uint32_t hi = static_cast<uint32_t>(x >> 32);
46 uint32_t lo = static_cast<uint32_t>(x);
47
48 hi = reverse_bytes(hi);
49 lo = reverse_bytes(lo);
50
52#endif
53 }
54}
References reverse_bytes(), and T.
Referenced by Botan::detail::load_any(), reverse_bytes(), and Botan::detail::store_any().
◆ rfc3394_keyunwrap()
| secure_vector< uint8_t > Botan::rfc3394_keyunwrap | ( | const secure_vector< uint8_t > & | key, |
| const SymmetricKey & | kek ) |
Decrypt a key under a key encryption key using the algorithm described in RFC 3394
- Parameters
-
key the encrypted key to decrypt kek the key encryption key
- Returns
- key decrypted under kek
Definition at line 26 of file rfc3394.cpp.
26 {
27 BOTAN_ARG_CHECK(kek.size() == 16 || kek.size() == 24 || kek.size() == 32, "Invalid KEK length for NIST key wrap");
28
29 BOTAN_ARG_CHECK(key.size() >= 16 && key.size() % 8 == 0, "Bad input key size for NIST key unwrap");
30
32 auto aes = BlockCipher::create_or_throw(cipher_name);
33 aes->set_key(kek);
34
36}
secure_vector< uint8_t > nist_key_unwrap(const uint8_t input[], size_t input_len, const BlockCipher &bc)
Definition nist_keywrap.cpp:116
References BOTAN_ARG_CHECK, Botan::BlockCipher::create_or_throw(), nist_key_unwrap(), and Botan::OctetString::size().
◆ rfc3394_keywrap()
| secure_vector< uint8_t > Botan::rfc3394_keywrap | ( | const secure_vector< uint8_t > & | key, |
| const SymmetricKey & | kek ) |
Encrypt a key under a key encryption key using the algorithm described in RFC 3394
- Parameters
-
key the plaintext key to encrypt kek the key encryption key
- Returns
- key encrypted under kek
Definition at line 15 of file rfc3394.cpp.
15 {
16 BOTAN_ARG_CHECK(kek.size() == 16 || kek.size() == 24 || kek.size() == 32, "Invalid KEK length for NIST key wrap");
17
19 auto aes = BlockCipher::create_or_throw(cipher_name);
20 aes->set_key(kek);
21
22 std::vector<uint8_t> wrapped = nist_key_wrap(key.data(), key.size(), *aes);
24}
std::vector< uint8_t > nist_key_wrap(const uint8_t input[], size_t input_len, const BlockCipher &bc)
Definition nist_keywrap.cpp:90
References BOTAN_ARG_CHECK, Botan::BlockCipher::create_or_throw(), nist_key_wrap(), and Botan::OctetString::size().
◆ RFC4880_decode_count()
| size_t Botan::RFC4880_decode_count | ( | uint8_t | encoded_iter | ) |
Decode the iteration count from RFC 4880 encoding
Definition at line 61 of file rfc4880.cpp.
61 {
62 return OPENPGP_S2K_ITERS[iter];
63}
Referenced by Botan::OpenPGP_S2K::decode_count(), and RFC4880_round_iterations().
◆ RFC4880_encode_count()
| uint8_t Botan::RFC4880_encode_count | ( | size_t | iterations | ) |
RFC 4880 encodes the iteration count to a single-byte value
Definition at line 47 of file rfc4880.cpp.
47 {
48 if(desired_iterations <= OPENPGP_S2K_ITERS[0]) {
49 return 0;
50 }
51
52 if(desired_iterations >= OPENPGP_S2K_ITERS[255]) {
53 return 255;
54 }
55
56 const uint32_t* i = std::lower_bound(OPENPGP_S2K_ITERS, OPENPGP_S2K_ITERS + 256, desired_iterations);
57
58 return static_cast<uint8_t>(i - OPENPGP_S2K_ITERS);
59}
Referenced by Botan::OpenPGP_S2K::encode_count(), and RFC4880_round_iterations().
◆ RFC4880_round_iterations()
|
inline |
Round an arbitrary iteration count to next largest iteration count supported by RFC4880 encoding.
Definition at line 32 of file rfc4880.h.
References RFC4880_decode_count(), and RFC4880_encode_count().
Referenced by Botan::RFC4880_S2K_Family::tune().
◆ rho()
SHA-2 Sigma style function
Definition at line 51 of file rotate.h.
51 {
52 return rotr<R1>(x) ^ rotr<R2>(x) ^ rotr<R3>(x);
53}
References rotr().
Referenced by Botan::Dilithium_Algos::decode_public_key(), Botan::Dilithium_Algos::encode_public_key(), Botan::Dilithium_Algos::expand_A(), Botan::Dilithium_Algos::expand_keypair(), Botan::Kyber_Algos::expand_keypair(), Botan::Dilithium_Symmetric_Primitives_Base::H(), SHA2_32_F(), and SHA2_64_F().
◆ root()
Compute the root of elem in the field.
The root of a in GF(p) is computed as r = a^((p+1)/4) mod p. Note that the root is not unique, i.e. r and p-r are both roots.
- Returns
- GfPElem The root of this element.
Definition at line 354 of file curve448_gf.cpp.
354 {
355 Gf448Elem res(1);
356
357 // (P-3)/4 is an 445 bit integer with one zero bits at 222. All others are one.
358 for(int16_t t = 445; t >= 0; --t) {
359 gf_square(res.words(), res.words());
360 if(t != 222) {
361 gf_mul(res.words(), res.words(), elem.words());
362 }
363 }
364
365 return res;
366}
Definition curve448_gf.h:35
std::span< uint64_t, WORDS_448 > words()
Accessor to the internal words of the GF element.
Definition curve448_gf.h:109
References Botan::Gf448Elem::words().
Referenced by Botan::Ed448Point::decode(), Botan::Sphincs_Hash_Functions::H_msg(), Botan::XMSS_Hash::h_msg(), Botan::XMSS_Hash::h_msg_init(), Botan::SphincsPlus_PrivateKey::SphincsPlus_PrivateKey(), and xmss_gen_root().
◆ rotl() [1/4]
template<size_t R>
|
inline |
Definition at line 310 of file simd_avx512.h.
310 {
311 return input.rotl<R>();
312}
◆ rotl() [2/4]
◆ rotl() [3/4]
Definition at line 289 of file simd_avx2.h.
289 {
290 return input.rotl<R>();
291}
◆ rotl() [4/4]
Bit rotation left by a compile-time constant amount
- Parameters
-
input the input word
- Returns
- input rotated left by ROT bits
Definition at line 21 of file rotate.h.
References T.
Referenced by Botan::SIMD_16x32::BOTAN_FUNC_ISA(), Botan::SIMD_8x32::BOTAN_FUNC_ISA(), Botan::SHA_1::compress_n(), Botan::Noekeon::decrypt_n(), Botan::Threefish_F::e_round(), Botan::Noekeon::encrypt_n(), Botan::GOST_28147_89::GOST_28147_89(), Keccak_Permutation_round(), and Botan::Serpent_F::transform().
◆ rotl_var()
◆ rotr() [1/4]
template<size_t R>
|
inline |
Definition at line 315 of file simd_avx512.h.
315 {
316 return input.rotr<R>();
317}
◆ rotr() [2/4]
◆ rotr() [3/4]
Definition at line 294 of file simd_avx2.h.
294 {
295 return input.rotr<R>();
296}
◆ rotr() [4/4]
Bit rotation right by a compile-time constant amount
- Parameters
-
input the input word
- Returns
- input rotated right by ROT bits
Definition at line 33 of file rotate.h.
References T.
Referenced by Botan::SIMD_16x32::BOTAN_FUNC_ISA(), Botan::SIMD_16x32::BOTAN_FUNC_ISA(), Botan::SIMD_8x32::BOTAN_FUNC_ISA(), Botan::SIMD_8x32::BOTAN_FUNC_ISA(), Botan::Threefish_F::d_round(), Botan::Noekeon::decrypt_n(), Botan::Noekeon::encrypt_n(), Botan::Serpent_F::i_transform(), rho(), and sigma().
◆ rotr_var()
◆ round_up()
|
inlineconstexpr |
Integer rounding
Returns an integer z such that n <= z <= n + align_to and z % align_to == 0
- Parameters
-
n an integer align_to the alignment boundary
- Returns
- n rounded up to a multiple of align_to
Definition at line 25 of file rounding.h.
25 {
26 // Arguably returning n in this case would also be sensible
28
29 if(n % align_to > 0) {
30 const size_t adj = align_to - (n % align_to);
32 n += adj;
33 }
34 return n;
35}
References BOTAN_ARG_CHECK.
Referenced by Botan::BigInt::bytes(), Botan::EC_Point_Base_Point_Precompute::EC_Point_Base_Point_Precompute(), monty_multi_exp(), Botan::EC_Point_Base_Point_Precompute::mul(), Botan::EC_Point_Var_Point_Precompute::mul(), Botan::EC_Point_Multi_Point_Precompute::multi_exp(), Botan::CBC_Encryption::output_length(), Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::output_length(), Botan::BigInt::randomize(), and Botan::TLS::TLS_CBC_HMAC_AEAD_Encryption::set_associated_data_n().
◆ runtime_version_check()
| std::string Botan::runtime_version_check | ( | uint32_t | major, |
| uint32_t | minor, | ||
| uint32_t | patch ) |
Usable for checking that the DLL version loaded at runtime exactly matches the compile-time version. Call using BOTAN_VERSION_* macro values, like so:
std::string runtime_version_check(uint32_t major, uint32_t minor, uint32_t patch)
Definition version.cpp:94
It will return an empty string if the versions match, or otherwise an error message indicating the discrepancy. This only is useful in dynamic libraries, where it is possible to compile and run against different versions.
Definition at line 94 of file version.cpp.
References fmt(), short_version_cstr(), version_major(), version_minor(), and version_patch().
◆ same_mem()
Memory comparison, input insensitive
- Parameters
-
p1 a pointer to an array p2 a pointer to another array n the number of Ts in p1 and p2
- Returns
- true iff p1[i] == p2[i] forall i in [0...n)
Definition at line 299 of file mem_ops.h.
299 {
301
302 for(size_t i = 0; i != n; ++i) {
303 difference = difference | (p1[i] ^ p2[i]);
304 }
305
306 return difference == 0;
307}
References T.
◆ SBoxD0()
| BOTAN_FORCE_INLINE void Botan::SBoxD0 | ( | SIMD_16x32 & | a, |
| SIMD_16x32 & | b, | ||
| SIMD_16x32 & | c, | ||
| SIMD_16x32 & | d ) |
Definition at line 139 of file serpent_avx512.cpp.
References b.
Referenced by Botan::Serpent::decrypt_n().
◆ SBoxD1()
| BOTAN_FORCE_INLINE void Botan::SBoxD1 | ( | SIMD_16x32 & | a, |
| SIMD_16x32 & | b, | ||
| SIMD_16x32 & | c, | ||
| SIMD_16x32 & | d ) |
Definition at line 154 of file serpent_avx512.cpp.
References b.
Referenced by Botan::Serpent::decrypt_n().
◆ SBoxD2()
| BOTAN_FORCE_INLINE void Botan::SBoxD2 | ( | SIMD_16x32 & | a, |
| SIMD_16x32 & | b, | ||
| SIMD_16x32 & | c, | ||
| SIMD_16x32 & | d ) |
Definition at line 169 of file serpent_avx512.cpp.
References b.
Referenced by Botan::Serpent::decrypt_n().
◆ SBoxD3()
| BOTAN_FORCE_INLINE void Botan::SBoxD3 | ( | SIMD_16x32 & | a, |
| SIMD_16x32 & | b, | ||
| SIMD_16x32 & | c, | ||
| SIMD_16x32 & | d ) |
Definition at line 184 of file serpent_avx512.cpp.
References b.
Referenced by Botan::Serpent::decrypt_n().
◆ SBoxD4()
| BOTAN_FORCE_INLINE void Botan::SBoxD4 | ( | SIMD_16x32 & | a, |
| SIMD_16x32 & | b, | ||
| SIMD_16x32 & | c, | ||
| SIMD_16x32 & | d ) |
Definition at line 200 of file serpent_avx512.cpp.
References b.
Referenced by Botan::Serpent::decrypt_n().
◆ SBoxD5()
| BOTAN_FORCE_INLINE void Botan::SBoxD5 | ( | SIMD_16x32 & | a, |
| SIMD_16x32 & | b, | ||
| SIMD_16x32 & | c, | ||
| SIMD_16x32 & | d ) |
Definition at line 216 of file serpent_avx512.cpp.
References b.
Referenced by Botan::Serpent::decrypt_n().
◆ SBoxD6()
| BOTAN_FORCE_INLINE void Botan::SBoxD6 | ( | SIMD_16x32 & | a, |
| SIMD_16x32 & | b, | ||
| SIMD_16x32 & | c, | ||
| SIMD_16x32 & | d ) |
Definition at line 232 of file serpent_avx512.cpp.
References b.
Referenced by Botan::Serpent::decrypt_n().
◆ SBoxD7()
| BOTAN_FORCE_INLINE void Botan::SBoxD7 | ( | SIMD_16x32 & | a, |
| SIMD_16x32 & | b, | ||
| SIMD_16x32 & | c, | ||
| SIMD_16x32 & | d ) |
Definition at line 248 of file serpent_avx512.cpp.
References b.
Referenced by Botan::Serpent::decrypt_n().
◆ SBoxE0()
| BOTAN_FORCE_INLINE void Botan::SBoxE0 | ( | SIMD_16x32 & | a, |
| SIMD_16x32 & | b, | ||
| SIMD_16x32 & | c, | ||
| SIMD_16x32 & | d ) |
Definition at line 13 of file serpent_avx512.cpp.
References b.
Referenced by Botan::Serpent::encrypt_n().
◆ SBoxE1()
| BOTAN_FORCE_INLINE void Botan::SBoxE1 | ( | SIMD_16x32 & | a, |
| SIMD_16x32 & | b, | ||
| SIMD_16x32 & | c, | ||
| SIMD_16x32 & | d ) |
Definition at line 28 of file serpent_avx512.cpp.
References b.
Referenced by Botan::Serpent::encrypt_n().
◆ SBoxE2()
| BOTAN_FORCE_INLINE void Botan::SBoxE2 | ( | SIMD_16x32 & | a, |
| SIMD_16x32 & | b, | ||
| SIMD_16x32 & | c, | ||
| SIMD_16x32 & | d ) |
Definition at line 43 of file serpent_avx512.cpp.
References b.
Referenced by Botan::Serpent::encrypt_n().
◆ SBoxE3()
| BOTAN_FORCE_INLINE void Botan::SBoxE3 | ( | SIMD_16x32 & | a, |
| SIMD_16x32 & | b, | ||
| SIMD_16x32 & | c, | ||
| SIMD_16x32 & | d ) |
Definition at line 59 of file serpent_avx512.cpp.
References b.
Referenced by Botan::Serpent::encrypt_n().
◆ SBoxE4()
| BOTAN_FORCE_INLINE void Botan::SBoxE4 | ( | SIMD_16x32 & | a, |
| SIMD_16x32 & | b, | ||
| SIMD_16x32 & | c, | ||
| SIMD_16x32 & | d ) |
Definition at line 75 of file serpent_avx512.cpp.
References b.
Referenced by Botan::Serpent::encrypt_n().
◆ SBoxE5()
| BOTAN_FORCE_INLINE void Botan::SBoxE5 | ( | SIMD_16x32 & | a, |
| SIMD_16x32 & | b, | ||
| SIMD_16x32 & | c, | ||
| SIMD_16x32 & | d ) |
Definition at line 91 of file serpent_avx512.cpp.
References b.
Referenced by Botan::Serpent::encrypt_n().
◆ SBoxE6()
| BOTAN_FORCE_INLINE void Botan::SBoxE6 | ( | SIMD_16x32 & | a, |
| SIMD_16x32 & | b, | ||
| SIMD_16x32 & | c, | ||
| SIMD_16x32 & | d ) |
Definition at line 107 of file serpent_avx512.cpp.
References b.
Referenced by Botan::Serpent::encrypt_n().
◆ SBoxE7()
| BOTAN_FORCE_INLINE void Botan::SBoxE7 | ( | SIMD_16x32 & | a, |
| SIMD_16x32 & | b, | ||
| SIMD_16x32 & | c, | ||
| SIMD_16x32 & | d ) |
Definition at line 123 of file serpent_avx512.cpp.
References b.
Referenced by Botan::Serpent::encrypt_n().
◆ sc_muladd()
| void Botan::sc_muladd | ( | uint8_t * | s, |
| const uint8_t * | a, | ||
| const uint8_t * | b, | ||
| const uint8_t * | c ) |
Definition at line 26 of file sc_muladd.cpp.
26 {
27 const int32_t MASK = 0x1fffff;
28
65
66 int64_t s0 = c0 + a0 * b0;
67 int64_t s1 = c1 + a0 * b1 + a1 * b0;
68 int64_t s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0;
69 int64_t s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0;
70 int64_t s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0;
71 int64_t s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0;
72 int64_t s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0;
73 int64_t s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 + a6 * b1 + a7 * b0;
74 int64_t s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 + a6 * b2 + a7 * b1 + a8 * b0;
75 int64_t s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 + a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0;
76 int64_t s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 + a6 * b4 + a7 * b3 + a8 * b2 +
77 a9 * b1 + a10 * b0;
78 int64_t s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 + a6 * b5 + a7 * b4 + a8 * b3 +
79 a9 * b2 + a10 * b1 + a11 * b0;
80 int64_t s12 =
81 a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1;
82 int64_t s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2;
83 int64_t s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + a9 * b5 + a10 * b4 + a11 * b3;
84 int64_t s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + a10 * b5 + a11 * b4;
85 int64_t s16 = a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5;
86 int64_t s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6;
87 int64_t s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7;
88 int64_t s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8;
89 int64_t s20 = a9 * b11 + a10 * b10 + a11 * b9;
90 int64_t s21 = a10 * b11 + a11 * b10;
91 int64_t s22 = a11 * b11;
92 int64_t s23 = 0;
93
94 carry<21>(s0, s1);
95 carry<21>(s2, s3);
96 carry<21>(s4, s5);
97 carry<21>(s6, s7);
98 carry<21>(s8, s9);
99 carry<21>(s10, s11);
100 carry<21>(s12, s13);
101 carry<21>(s14, s15);
102 carry<21>(s16, s17);
103 carry<21>(s18, s19);
104 carry<21>(s20, s21);
105 carry<21>(s22, s23);
106
107 carry<21>(s1, s2);
108 carry<21>(s3, s4);
109 carry<21>(s5, s6);
110 carry<21>(s7, s8);
111 carry<21>(s9, s10);
112 carry<21>(s11, s12);
113 carry<21>(s13, s14);
114 carry<21>(s15, s16);
115 carry<21>(s17, s18);
116 carry<21>(s19, s20);
117 carry<21>(s21, s22);
118
119 redc_mul(s11, s12, s13, s14, s15, s16, s23);
120 redc_mul(s10, s11, s12, s13, s14, s15, s22);
121 redc_mul(s9, s10, s11, s12, s13, s14, s21);
122 redc_mul(s8, s9, s10, s11, s12, s13, s20);
123 redc_mul(s7, s8, s9, s10, s11, s12, s19);
124 redc_mul(s6, s7, s8, s9, s10, s11, s18);
125
126 carry<21>(s6, s7);
127 carry<21>(s8, s9);
128 carry<21>(s10, s11);
129 carry<21>(s12, s13);
130 carry<21>(s14, s15);
131 carry<21>(s16, s17);
132
133 carry<21>(s7, s8);
134 carry<21>(s9, s10);
135 carry<21>(s11, s12);
136 carry<21>(s13, s14);
137 carry<21>(s15, s16);
138
139 redc_mul(s5, s6, s7, s8, s9, s10, s17);
140 redc_mul(s4, s5, s6, s7, s8, s9, s16);
141 redc_mul(s3, s4, s5, s6, s7, s8, s15);
142 redc_mul(s2, s3, s4, s5, s6, s7, s14);
143 redc_mul(s1, s2, s3, s4, s5, s6, s13);
144 redc_mul(s0, s1, s2, s3, s4, s5, s12);
145
146 carry<21>(s0, s1);
147 carry<21>(s2, s3);
148 carry<21>(s4, s5);
149 carry<21>(s6, s7);
150 carry<21>(s8, s9);
151 carry<21>(s10, s11);
152
153 carry<21>(s1, s2);
154 carry<21>(s3, s4);
155 carry<21>(s5, s6);
156 carry<21>(s7, s8);
157 carry<21>(s9, s10);
158 carry<21>(s11, s12);
159
160 redc_mul(s0, s1, s2, s3, s4, s5, s12);
161
162 carry0<21>(s0, s1);
163 carry0<21>(s1, s2);
164 carry0<21>(s2, s3);
165 carry0<21>(s3, s4);
166 carry0<21>(s4, s5);
167 carry0<21>(s5, s6);
168 carry0<21>(s6, s7);
169 carry0<21>(s7, s8);
170 carry0<21>(s8, s9);
171 carry0<21>(s9, s10);
172 carry0<21>(s10, s11);
173 carry0<21>(s11, s12);
174
175 redc_mul(s0, s1, s2, s3, s4, s5, s12);
176
177 carry0<21>(s0, s1);
178 carry0<21>(s1, s2);
179 carry0<21>(s2, s3);
180 carry0<21>(s3, s4);
181 carry0<21>(s4, s5);
182 carry0<21>(s5, s6);
183 carry0<21>(s6, s7);
184 carry0<21>(s7, s8);
185 carry0<21>(s8, s9);
186 carry0<21>(s9, s10);
187 carry0<21>(s10, s11);
188
189 s[0] = static_cast<uint8_t>(s0 >> 0);
190 s[1] = static_cast<uint8_t>(s0 >> 8);
191 s[2] = static_cast<uint8_t>((s0 >> 16) | (s1 << 5));
192 s[3] = static_cast<uint8_t>(s1 >> 3);
193 s[4] = static_cast<uint8_t>(s1 >> 11);
194 s[5] = static_cast<uint8_t>((s1 >> 19) | (s2 << 2));
195 s[6] = static_cast<uint8_t>(s2 >> 6);
196 s[7] = static_cast<uint8_t>((s2 >> 14) | (s3 << 7));
197 s[8] = static_cast<uint8_t>(s3 >> 1);
198 s[9] = static_cast<uint8_t>(s3 >> 9);
199 s[10] = static_cast<uint8_t>((s3 >> 17) | (s4 << 4));
200 s[11] = static_cast<uint8_t>(s4 >> 4);
201 s[12] = static_cast<uint8_t>(s4 >> 12);
202 s[13] = static_cast<uint8_t>((s4 >> 20) | (s5 << 1));
203 s[14] = static_cast<uint8_t>(s5 >> 7);
204 s[15] = static_cast<uint8_t>((s5 >> 15) | (s6 << 6));
205 s[16] = static_cast<uint8_t>(s6 >> 2);
206 s[17] = static_cast<uint8_t>(s6 >> 10);
207 s[18] = static_cast<uint8_t>((s6 >> 18) | (s7 << 3));
208 s[19] = static_cast<uint8_t>(s7 >> 5);
209 s[20] = static_cast<uint8_t>(s7 >> 13);
210 s[21] = static_cast<uint8_t>(s8 >> 0);
211 s[22] = static_cast<uint8_t>(s8 >> 8);
212 s[23] = static_cast<uint8_t>((s8 >> 16) | (s9 << 5));
213 s[24] = static_cast<uint8_t>(s9 >> 3);
214 s[25] = static_cast<uint8_t>(s9 >> 11);
215 s[26] = static_cast<uint8_t>((s9 >> 19) | (s10 << 2));
216 s[27] = static_cast<uint8_t>(s10 >> 6);
217 s[28] = static_cast<uint8_t>((s10 >> 14) | (s11 << 7));
218 s[29] = static_cast<uint8_t>(s11 >> 1);
219 s[30] = static_cast<uint8_t>(s11 >> 9);
220 s[31] = static_cast<uint8_t>(s11 >> 17);
221}
void redc_mul(int64_t &s1, int64_t &s2, int64_t &s3, int64_t &s4, int64_t &s5, int64_t &s6, int64_t &X)
Definition ed25519_internal.h:58
References b, carry(), carry0(), load_3(), load_4(), and redc_mul().
Referenced by ed25519_sign().
◆ sc_reduce()
| void Botan::sc_reduce | ( | uint8_t * | s | ) |
Definition at line 25 of file sc_reduce.cpp.
25 {
26 const uint32_t MASK = 0x1fffff;
27
28 int64_t s0 = MASK & load_3(s);
29 int64_t s1 = MASK & (load_4(s + 2) >> 5);
30 int64_t s2 = MASK & (load_3(s + 5) >> 2);
31 int64_t s3 = MASK & (load_4(s + 7) >> 7);
32 int64_t s4 = MASK & (load_4(s + 10) >> 4);
33 int64_t s5 = MASK & (load_3(s + 13) >> 1);
34 int64_t s6 = MASK & (load_4(s + 15) >> 6);
35 int64_t s7 = MASK & (load_3(s + 18) >> 3);
36 int64_t s8 = MASK & load_3(s + 21);
37 int64_t s9 = MASK & (load_4(s + 23) >> 5);
38 int64_t s10 = MASK & (load_3(s + 26) >> 2);
39 int64_t s11 = MASK & (load_4(s + 28) >> 7);
40 int64_t s12 = MASK & (load_4(s + 31) >> 4);
41 int64_t s13 = MASK & (load_3(s + 34) >> 1);
42 int64_t s14 = MASK & (load_4(s + 36) >> 6);
43 int64_t s15 = MASK & (load_3(s + 39) >> 3);
44 int64_t s16 = MASK & load_3(s + 42);
45 int64_t s17 = MASK & (load_4(s + 44) >> 5);
46 int64_t s18 = MASK & (load_3(s + 47) >> 2);
47 int64_t s19 = MASK & (load_4(s + 49) >> 7);
48 int64_t s20 = MASK & (load_4(s + 52) >> 4);
49 int64_t s21 = MASK & (load_3(s + 55) >> 1);
50 int64_t s22 = MASK & (load_4(s + 57) >> 6);
51 int64_t s23 = (load_4(s + 60) >> 3);
52
53 redc_mul(s11, s12, s13, s14, s15, s16, s23);
54 redc_mul(s10, s11, s12, s13, s14, s15, s22);
55 redc_mul(s9, s10, s11, s12, s13, s14, s21);
56 redc_mul(s8, s9, s10, s11, s12, s13, s20);
57 redc_mul(s7, s8, s9, s10, s11, s12, s19);
58 redc_mul(s6, s7, s8, s9, s10, s11, s18);
59
60 carry<21>(s6, s7);
61 carry<21>(s8, s9);
62 carry<21>(s10, s11);
63 carry<21>(s12, s13);
64 carry<21>(s14, s15);
65 carry<21>(s16, s17);
66
67 carry<21>(s7, s8);
68 carry<21>(s9, s10);
69 carry<21>(s11, s12);
70 carry<21>(s13, s14);
71 carry<21>(s15, s16);
72
73 redc_mul(s5, s6, s7, s8, s9, s10, s17);
74 redc_mul(s4, s5, s6, s7, s8, s9, s16);
75 redc_mul(s3, s4, s5, s6, s7, s8, s15);
76 redc_mul(s2, s3, s4, s5, s6, s7, s14);
77 redc_mul(s1, s2, s3, s4, s5, s6, s13);
78 redc_mul(s0, s1, s2, s3, s4, s5, s12);
79
80 carry<21>(s0, s1);
81 carry<21>(s2, s3);
82 carry<21>(s4, s5);
83 carry<21>(s6, s7);
84 carry<21>(s8, s9);
85 carry<21>(s10, s11);
86
87 carry<21>(s1, s2);
88 carry<21>(s3, s4);
89 carry<21>(s5, s6);
90 carry<21>(s7, s8);
91 carry<21>(s9, s10);
92 carry<21>(s11, s12);
93
94 redc_mul(s0, s1, s2, s3, s4, s5, s12);
95
96 carry0<21>(s0, s1);
97 carry0<21>(s1, s2);
98 carry0<21>(s2, s3);
99 carry0<21>(s3, s4);
100 carry0<21>(s4, s5);
101 carry0<21>(s5, s6);
102 carry0<21>(s6, s7);
103 carry0<21>(s7, s8);
104 carry0<21>(s8, s9);
105 carry0<21>(s9, s10);
106 carry0<21>(s10, s11);
107 carry0<21>(s11, s12);
108
109 redc_mul(s0, s1, s2, s3, s4, s5, s12);
110
111 carry0<21>(s0, s1);
112 carry0<21>(s1, s2);
113 carry0<21>(s2, s3);
114 carry0<21>(s3, s4);
115 carry0<21>(s4, s5);
116 carry0<21>(s5, s6);
117 carry0<21>(s6, s7);
118 carry0<21>(s7, s8);
119 carry0<21>(s8, s9);
120 carry0<21>(s9, s10);
121 carry0<21>(s10, s11);
122 carry0<21>(s11, s12);
123
124 s[0] = static_cast<uint8_t>(s0 >> 0);
125 s[1] = static_cast<uint8_t>(s0 >> 8);
126 s[2] = static_cast<uint8_t>((s0 >> 16) | (s1 << 5));
127 s[3] = static_cast<uint8_t>(s1 >> 3);
128 s[4] = static_cast<uint8_t>(s1 >> 11);
129 s[5] = static_cast<uint8_t>((s1 >> 19) | (s2 << 2));
130 s[6] = static_cast<uint8_t>(s2 >> 6);
131 s[7] = static_cast<uint8_t>((s2 >> 14) | (s3 << 7));
132 s[8] = static_cast<uint8_t>(s3 >> 1);
133 s[9] = static_cast<uint8_t>(s3 >> 9);
134 s[10] = static_cast<uint8_t>((s3 >> 17) | (s4 << 4));
135 s[11] = static_cast<uint8_t>(s4 >> 4);
136 s[12] = static_cast<uint8_t>(s4 >> 12);
137 s[13] = static_cast<uint8_t>((s4 >> 20) | (s5 << 1));
138 s[14] = static_cast<uint8_t>(s5 >> 7);
139 s[15] = static_cast<uint8_t>((s5 >> 15) | (s6 << 6));
140 s[16] = static_cast<uint8_t>(s6 >> 2);
141 s[17] = static_cast<uint8_t>(s6 >> 10);
142 s[18] = static_cast<uint8_t>((s6 >> 18) | (s7 << 3));
143 s[19] = static_cast<uint8_t>(s7 >> 5);
144 s[20] = static_cast<uint8_t>(s7 >> 13);
145 s[21] = static_cast<uint8_t>(s8 >> 0);
146 s[22] = static_cast<uint8_t>(s8 >> 8);
147 s[23] = static_cast<uint8_t>((s8 >> 16) | (s9 << 5));
148 s[24] = static_cast<uint8_t>(s9 >> 3);
149 s[25] = static_cast<uint8_t>(s9 >> 11);
150 s[26] = static_cast<uint8_t>((s9 >> 19) | (s10 << 2));
151 s[27] = static_cast<uint8_t>(s10 >> 6);
152 s[28] = static_cast<uint8_t>((s10 >> 14) | (s11 << 7));
153 s[29] = static_cast<uint8_t>(s11 >> 1);
154 s[30] = static_cast<uint8_t>(s11 >> 9);
155 s[31] = static_cast<uint8_t>(s11 >> 17);
156}
References carry(), carry0(), load_3(), load_4(), and redc_mul().
Referenced by ed25519_sign(), and ed25519_verify().
◆ scrypt() [1/2]
|
inline |
Scrypt key derivation function (RFC 7914)
- Parameters
-
output the output will be placed here output_len length of output password the user password password_len length of password salt the salt salt_len length of salt N the CPU/Memory cost parameter, must be power of 2 r the block size parameter p the parallelization parameter
Suitable parameters for most uses would be N = 32768, r = 8, p = 1
Scrypt uses approximately (p + N + 1) * 128 * r bytes of memory
Definition at line 86 of file scrypt.h.
94 {
95 auto pwdhash_fam = PasswordHashFamily::create_or_throw("Scrypt");
96 auto pwdhash = pwdhash_fam->from_params(N, r, p);
97 pwdhash->derive_key(output, output_len, password, password_len, salt, salt_len);
98}
◆ scrypt() [2/2]
|
inline |
Scrypt key derivation function (RFC 7914) Before 2.8 this function was the primary interface for scrypt
- Parameters
-
output the output will be placed here output_len length of output password the user password salt the salt salt_len length of salt N the CPU/Memory cost parameter, must be power of 2 r the block size parameter p the parallelization parameter
Suitable parameters for most uses would be N = 32768, r = 8, p = 1
Scrypt uses approximately (p + N + 1) * 128 * r bytes of memory
Definition at line 118 of file scrypt.h.
125 {
126 auto pwdhash_fam = PasswordHashFamily::create_or_throw("Scrypt");
127 auto pwdhash = pwdhash_fam->from_params(N, r, p);
128 pwdhash->derive_key(output, output_len, password.data(), password.size(), salt, salt_len);
129}
◆ secure_scrub_memory() [1/2]
| void Botan::secure_scrub_memory | ( | ranges::contiguous_output_range auto && | data | ) |
Scrub memory contents in a way that a compiler should not elide, using some system specific technique. Note that this function might not zero the memory.
- Parameters
-
data the data region to be scrubbed
Definition at line 57 of file mem_ops.h.
References secure_scrub_memory(), and Botan::ranges::size_bytes().
◆ secure_scrub_memory() [2/2]
| void Botan::secure_scrub_memory | ( | void * | ptr, |
| size_t | n ) |
Scrub memory contents in a way that a compiler should not elide, using some system specific technique. Note that this function might not zero the memory (for example, in some hypothetical implementation it might combine the memory contents with the output of a system PRNG), but if you can detect any difference in behavior at runtime then the clearing is side-effecting and you can just use clear_mem.
Use this function to scrub memory just before deallocating it, or on a stack buffer before returning from the function.
- Parameters
-
ptr a pointer to memory to scrub n the number of bytes pointed to by ptr
Definition at line 83 of file os_utils.cpp.
83 {
84#if defined(BOTAN_TARGET_OS_HAS_RTLSECUREZEROMEMORY)
85 ::RtlSecureZeroMemory(ptr, n);
86
87#elif defined(BOTAN_TARGET_OS_HAS_EXPLICIT_BZERO)
88 ::explicit_bzero(ptr, n);
89
90#elif defined(BOTAN_TARGET_OS_HAS_EXPLICIT_MEMSET)
91 (void)::explicit_memset(ptr, 0, n);
92
93#elif defined(BOTAN_USE_VOLATILE_MEMSET_FOR_ZERO) && (BOTAN_USE_VOLATILE_MEMSET_FOR_ZERO == 1)
94 /*
95 Call memset through a static volatile pointer, which the compiler
96 should not elide. This construct should be safe in conforming
97 compilers, but who knows. I did confirm that on x86-64 GCC 6.1 and
98 Clang 3.8 both create code that saves the memset address in the
99 data segment and unconditionally loads and jumps to that address.
100 */
101 static void* (*const volatile memset_ptr)(void*, int, size_t) = std::memset;
102 (memset_ptr)(ptr, 0, n);
103#else
104
105 volatile uint8_t* p = reinterpret_cast<volatile uint8_t*>(ptr);
106
107 for(size_t i = 0; i != n; ++i)
108 p[i] = 0;
109#endif
110}
Referenced by botan_scrub_mem(), Botan::Kuznyechik::clear(), deallocate_memory(), Botan::OS::free_locked_pages(), Botan::GHASH::ghash_update(), secure_scrub_memory(), Botan::Sodium::sodium_free(), Botan::Sodium::sodium_memzero(), Botan::AlignmentBuffer< T, BLOCK_SIZE, FINAL_BLOCK_STRATEGY >::~AlignmentBuffer(), Botan::BLAKE2s::~BLAKE2s(), and Botan::FE_25519::~FE_25519().
◆ set_mem()
|
inlineconstexpr |
◆ SHA2_32_F()
| BOTAN_FORCE_INLINE void Botan::SHA2_32_F | ( | uint32_t | A, |
| uint32_t | B, | ||
| uint32_t | C, | ||
| uint32_t & | D, | ||
| uint32_t | E, | ||
| uint32_t | F, | ||
| uint32_t | G, | ||
| uint32_t & | H, | ||
| uint32_t & | M1, | ||
| uint32_t | M2, | ||
| uint32_t | M3, | ||
| uint32_t | M4, | ||
| uint32_t | magic ) |
Definition at line 19 of file sha2_32_f.h.
31 {
32 uint32_t A_rho = rho<2, 13, 22>(A);
33 uint32_t E_rho = rho<6, 11, 25>(E);
34 uint32_t M2_sigma = sigma<17, 19, 10>(M2);
35 uint32_t M4_sigma = sigma<7, 18, 3>(M4);
36 H += magic + E_rho + choose(E, F, G) + M1;
37 D += H;
38 H += A_rho + majority(A, B, C);
39 M1 += M2_sigma + M3 + M4_sigma;
40}
References choose(), majority(), rho(), and sigma().
Referenced by Botan::SHA_256::compress_digest(), and Botan::SHA_256::compress_digest_x86_bmi2().
◆ SHA2_64_F()
| BOTAN_FORCE_INLINE void Botan::SHA2_64_F | ( | uint64_t | A, |
| uint64_t | B, | ||
| uint64_t | C, | ||
| uint64_t & | D, | ||
| uint64_t | E, | ||
| uint64_t | F, | ||
| uint64_t | G, | ||
| uint64_t & | H, | ||
| uint64_t & | M1, | ||
| uint64_t | M2, | ||
| uint64_t | M3, | ||
| uint64_t | M4, | ||
| uint64_t | magic ) |
Definition at line 19 of file sha2_64_f.h.
31 {
32 const uint64_t E_rho = rho<14, 18, 41>(E);
33 const uint64_t A_rho = rho<28, 34, 39>(A);
34 const uint64_t M2_sigma = sigma<19, 61, 6>(M2);
35 const uint64_t M4_sigma = sigma<1, 8, 7>(M4);
36 H += magic + E_rho + choose(E, F, G) + M1;
37 D += H;
38 H += A_rho + majority(A, B, C);
39 M1 += M2_sigma + M3 + M4_sigma;
40}
References choose(), majority(), rho(), and sigma().
Referenced by Botan::SHA_512::compress_digest(), and Botan::SHA_512::compress_digest_bmi2().
◆ shift_left()
template<size_t S, WordType W, size_t N>
|
inlineconstexpr |
Definition at line 861 of file mp_core.h.
861 {
862 static_assert(S < WordInfo<W>::bits, "Shift too large");
863
864 W carry = 0;
865 for(size_t i = 0; i != N; ++i) {
866 const W w = x[i];
867 x[i] = (w << S) | carry;
869 }
870
871 return carry;
872}
References carry().
Referenced by hex_to_words().
◆ shift_right()
template<size_t S, WordType W, size_t N>
|
inlineconstexpr |
◆ shl() [1/3]
template<size_t S>
|
inline |
Definition at line 321 of file simd_avx512.h.
321 {
322 return input.shl<S>();
323}
◆ shl() [2/3]
◆ shl() [3/3]
Definition at line 300 of file simd_avx2.h.
300 {
301 return input.shl<S>();
302}
◆ short_version_cstr()
| const char * Botan::short_version_cstr | ( | ) |
Same as version_short_string except returning a pointer to the string.
Definition at line 25 of file version.cpp.
References BOTAN_VERSION_MAJOR, BOTAN_VERSION_MINOR, BOTAN_VERSION_PATCH, and STR.
Referenced by runtime_version_check(), and short_version_string().
◆ short_version_string()
| std::string Botan::short_version_string | ( | ) |
Return a version string of the form "MAJOR.MINOR.PATCH" where each of the values is an integer.
Definition at line 71 of file version.cpp.
References short_version_cstr().
◆ sigma()
SHA-2 Sigma style function
Definition at line 43 of file rotate.h.
43 {
44 return rotr<R1>(x) ^ rotr<R2>(x) ^ (x >> S);
45}
References rotr().
Referenced by Botan::Kyber_Algos::expand_keypair(), SHA2_32_F(), and SHA2_64_F().
◆ sign_message()
| BOTAN_TEST_API std::array< uint8_t, 114 > Botan::sign_message | ( | std::span< const uint8_t, ED448_LEN > | sk, |
| std::span< const uint8_t, ED448_LEN > | pk, | ||
| bool | f, | ||
| std::span< const uint8_t > | context, | ||
| std::span< const uint8_t > | msg ) |
Sign a message using a keypair (RFC 8032 5.2.6)
- Parameters
-
sk the secret key pk the public key f the prehash flag (true iff using Ed448ph) context the context string msg the message to sign
- Returns
- the signature
Definition at line 237 of file ed448_internal.cpp.
241 {
242 // 5.2.6. Signature Generation
243 // The inputs to the signing procedure is the private key, a 57-octet
244 // string, a flag F, which is 0 for Ed448, 1 for Ed448ph, context C of
245 // at most 255 octets, and a message M of arbitrary size.
246 // 1. Hash the private key, 57 octets, using SHAKE256(x, 114). Let h
247 // denote the resulting digest. Construct the secret scalar s from
248 // the first half of the digest, and the corresponding public key A,
249 // as described in the previous section. Let prefix denote the
250 // second half of the hash digest, h[57],...,h[113].
252 shake_xof.update(sk);
254 std::array<uint8_t, ED448_LEN> prefix;
255 shake_xof.output(prefix);
256 // 2. Compute SHAKE256(dom4(F, C) || prefix || PH(M), 114), where M is
257 // the message to be signed, F is 1 for Ed448ph, 0 for Ed448, and C
258 // is the context to use. Interpret the 114-octet digest as a
259 // little-endian integer r.
261 // 3. Compute the point [r]B. For efficiency, do this by first
262 // reducing r modulo L, the group order of B. Let the string R be
263 // the encoding of this point.
264 const auto big_r = (r * Ed448Point::base_point()).encode();
265 // 4. Compute SHAKE256(dom4(F, C) || R || A || PH(M), 114), and
266 // interpret the 114-octet digest as a little-endian integer k.
268 // 5. Compute S = (r + k * s) mod L. For efficiency, again reduce k
269 // modulo L first.
270 const auto big_s = r + k * s; //r_plus_ks_mod_L(r, k, s);
271 // 6. Form the signature of the concatenation of R (57 octets) and the
272 // little-endian encoding of S (57 octets; the ten most significant
273 // bits of the final octets are always zero).
274 std::array<uint8_t, 2 * ED448_LEN> sig;
275 BufferStuffer stuf(sig);
276 stuf.append(big_r);
277 stuf.append(big_s.to_bytes<ED448_LEN>());
279
280 return sig;
281}
References Botan::BufferStuffer::append(), Botan::Ed448Point::base_point(), BOTAN_ASSERT, ED448_LEN, and Botan::BufferStuffer::full().
Referenced by Botan::PK_Signer::sign_message().
◆ significant_bytes()
|
inlineconstexpr |
Return the number of significant bytes in n
- Parameters
-
n an integer value
- Returns
- number of significant bytes in n
Definition at line 80 of file bit_ops.h.
82{
84
85 for(size_t s = 8 * sizeof(n) / 2; s >= 8; s /= 2) {
86 const size_t z = s * (~ct_is_zero(n >> s) & 1);
87 b += z / 8;
88 n >>= z;
89 }
90
91 b += (n != 0);
92
93 return b;
94}
References b.
◆ sm2_compute_za()
| std::vector< uint8_t > Botan::sm2_compute_za | ( | HashFunction & | hash, |
| std::string_view | user_id, | ||
| const EC_Group & | group, | ||
| const EC_Point & | point ) |
Definition at line 244 of file sm2.cpp.
247 {
250}
Definition ec_apoint.h:29
std::vector< uint8_t > sm2_compute_za(HashFunction &hash, std::string_view user_id, const EC_Group &group, const EC_Point &point)
Definition sm2.cpp:244
References sm2_compute_za().
Referenced by botan_pubkey_sm2_compute_za(), and sm2_compute_za().
◆ split_on()
| BOTAN_TEST_API std::vector< std::string > Botan::split_on | ( | std::string_view | str, |
| char | delim ) |
Split a string
- Parameters
-
str the input string delim the delimitor
- Returns
- string split by delim
Definition at line 111 of file parsing.cpp.
111 {
112 std::vector<std::string> elems;
113 if(str.empty()) {
114 return elems;
115 }
116
117 std::string substr;
118 for(auto i = str.begin(); i != str.end(); ++i) {
119 if(*i == delim) {
120 if(!substr.empty()) {
121 elems.push_back(substr);
122 }
123 substr.clear();
124 } else {
125 substr += *i;
126 }
127 }
128
129 if(substr.empty()) {
131 }
132 elems.push_back(substr);
133
134 return elems;
135}
References fmt().
Referenced by argon2_check_pwhash(), Botan::AEAD_Mode::create(), Botan::Cipher_Mode::create(), Botan::PKCS11::MechanismWrapper::create_ecdh_mechanism(), create_private_key(), Botan::TLS::Text_Policy::get_list(), load_private_key(), load_public_key(), pbes2_decrypt(), Botan::TLS::Text_Policy::read_cert_type_list(), Botan::TLS::Text_Policy::read_group_list(), read_kv(), Botan::PK_Ops::Verification_with_Hash::Verification_with_Hash(), and Botan::X509_Cert_Options::X509_Cert_Options().
◆ sqrt_modulo_prime()
Compute the square root of x modulo a prime using the Tonelli-Shanks algorithm. This algorithm is primarily used for EC point decompression which takes only public inputs, as a consequence it is not written to be constant-time and may leak side-channel information about its arguments.
- Parameters
-
x the input p the prime modulus
- Returns
- y such that (y*y)p == x, or -1 if no such integer
Definition at line 26 of file numthry.cpp.
26 {
30
31 // some very easy cases
32 if(p == 2 || a <= 1) {
33 return a;
34 }
35
37
38 if(jacobi(a, p) != 1) { // not a quadratic residue
39 return BigInt::from_s32(-1);
40 }
41
42 Modular_Reducer mod_p(p);
43 auto monty_p = std::make_shared<Montgomery_Params>(p, mod_p);
44
45 // If p == 3 (mod 4) there is a simple solution
46 if(p % 4 == 3) {
48 }
49
50 // Otherwise we have to use Shanks-Tonelli
52 BigInt q = p >> s;
53
54 q -= 1;
55 q >>= 1;
56
57 BigInt r = monty_exp_vartime(monty_p, a, q);
58 BigInt n = mod_p.multiply(a, mod_p.square(r));
59 r = mod_p.multiply(r, a);
60
61 if(n == 1) {
62 return r;
63 }
64
65 // find random quadratic nonresidue z
66 word z = 2;
67 for(;;) {
69 break;
70 }
71
72 z += 1; // try next z
73
74 /*
75 * The expected number of tests to find a non-residue modulo a
76 * prime is 2. If we have not found one after 256 then almost
77 * certainly we have been given a non-prime p.
78 */
79 if(z >= 256) {
80 return BigInt::from_s32(-1);
81 }
82 }
83
84 BigInt c = monty_exp_vartime(monty_p, BigInt::from_word(z), (q << 1) + 1);
85
86 while(n > 1) {
87 q = n;
88
89 size_t i = 0;
90 while(q != 1) {
91 q = mod_p.square(q);
92 ++i;
93
94 if(i >= s) {
95 return BigInt::from_s32(-1);
96 }
97 }
98
100 c = monty_exp_vartime(monty_p, c, BigInt::power_of_2(s - i - 1));
101 r = mod_p.multiply(r, c);
102 c = mod_p.square(c);
103 n = mod_p.multiply(n, c);
104
105 // s decreases as the algorithm proceeds
106 BOTAN_ASSERT_NOMSG(s >= i);
107 s = i;
108 }
109
110 return r;
111}
BigInt monty_exp_vartime(const std::shared_ptr< const Montgomery_Params > ¶ms_p, const BigInt &g, const BigInt &k)
Definition monty_exp.h:49
References BOTAN_ARG_CHECK, BOTAN_ASSERT_NOMSG, Botan::BigInt::from_s32(), Botan::BigInt::from_word(), Botan::BigInt::is_odd(), jacobi(), low_zero_bits(), monty_exp_vartime(), Botan::Modular_Reducer::multiply(), Botan::BigInt::power_of_2(), and Botan::Modular_Reducer::square().
◆ square() [1/2]
- Parameters
-
x an integer
- Returns
- (x*x)
Definition at line 157 of file numthry.cpp.
References Botan::BigInt::square().
Referenced by Botan::Modular_Reducer::cube(), Botan::Ed448Point::decode(), Botan::Ed448Point::double_point(), Botan::Ed448Point::operator+(), Botan::PCurve::PrimeOrderCurveImpl< C >::scalar_square(), Botan::Modular_Reducer::square(), and x448().
◆ square() [2/2]
Computes elem^2. Faster than operator*.
Definition at line 348 of file curve448_gf.cpp.
References Botan::Gf448Elem::words().
◆ srp6_client_agree() [1/2]
| std::pair< BigInt, SymmetricKey > Botan::srp6_client_agree | ( | std::string_view | username, |
| std::string_view | password, | ||
| const DL_Group & | group, | ||
| std::string_view | hash_id, | ||
| const std::vector< uint8_t > & | salt, | ||
| const BigInt & | B, | ||
| size_t | a_bits, | ||
| RandomNumberGenerator & | rng ) |
SRP6a Client side
- Parameters
-
username the username we are attempting login for password the password we are attempting to use group specifies the shared SRP group hash_id specifies a secure hash function salt is the salt value sent by the server B is the server's public value a_bits size of secret exponent in bits rng is a random number generator
- Returns
- (A,K) the client public key and the shared secret key
Definition at line 78 of file srp6.cpp.
85 {
87
90
92
93 if(B <= 0 || B >= p) {
95 }
96
97 auto hash_fn = HashFunction::create_or_throw(hash_id);
99 throw Invalid_Argument(fmt("Hash function {} too large for SRP6 with this group", hash_fn->name()));
100 }
101
102 const BigInt k = hash_seq(*hash_fn, p_bytes, p, g);
103
104 const BigInt a(rng, a_bits);
105
107
108 const BigInt u = hash_seq(*hash_fn, p_bytes, A, B);
109
110 const BigInt x = compute_x(*hash_fn, identifier, password, salt);
111
113
115
116 const BigInt a_ux = a + u * x;
117
118 const size_t max_aux_bits = std::max<size_t>(a_bits + 1, 2 * 8 * hash_fn->output_length());
119 BOTAN_ASSERT_NOMSG(max_aux_bits >= a_ux.bits());
120
122
124
125 return std::make_pair(A, Sk);
126}
BigInt multiply_mod_p(const BigInt &x, const BigInt &y) const
Definition dl_group.cpp:487
BigInt power_b_p(const BigInt &b, const BigInt &x, size_t max_x_bits) const
Definition dl_group.cpp:533
References Botan::BigInt::bits(), BOTAN_ARG_CHECK, BOTAN_ASSERT_NOMSG, Botan::HashFunction::create_or_throw(), fmt(), Botan::DL_Group::get_g(), Botan::DL_Group::get_p(), Botan::DL_Group::mod_p(), Botan::DL_Group::multiply_mod_p(), Botan::DL_Group::p_bits(), Botan::DL_Group::p_bytes(), Botan::DL_Group::power_b_p(), Botan::DL_Group::power_g_p(), and Botan::BigInt::serialize().
◆ srp6_client_agree() [2/2]
| std::pair< BigInt, SymmetricKey > Botan::srp6_client_agree | ( | std::string_view | username, |
| std::string_view | password, | ||
| std::string_view | group_id, | ||
| std::string_view | hash_id, | ||
| const std::vector< uint8_t > & | salt, | ||
| const BigInt & | B, | ||
| RandomNumberGenerator & | rng ) |
SRP6a Client side
- Parameters
-
username the username we are attempting login for password the password we are attempting to use group_id specifies the shared SRP group hash_id specifies a secure hash function salt is the salt value sent by the server B is the server's public value rng is a random number generator
- Returns
- (A,K) the client public key and the shared secret key
Definition at line 65 of file srp6.cpp.
71 {
72 DL_Group group(group_id);
73 const size_t a_bits = group.exponent_bits();
74
76}
Definition dl_group.h:44
std::pair< BigInt, SymmetricKey > srp6_client_agree(std::string_view identifier, std::string_view password, std::string_view group_id, std::string_view hash_id, const std::vector< uint8_t > &salt, const BigInt &B, RandomNumberGenerator &rng)
Definition srp6.cpp:65
References Botan::DL_Group::exponent_bits(), and srp6_client_agree().
Referenced by botan_srp6_client_agree(), and srp6_client_agree().
◆ srp6_generate_verifier() [1/2]
| BigInt Botan::srp6_generate_verifier | ( | std::string_view | identifier, |
| std::string_view | password, | ||
| const std::vector< uint8_t > & | salt, | ||
| const DL_Group & | group, | ||
| std::string_view | hash_id ) |
Generate a new SRP-6 verifier
- Parameters
-
identifier a username or other client identifier password the secret used to authenticate user salt a randomly chosen value, at least 128 bits long group specifies the shared SRP group hash_id specifies a secure hash function
Definition at line 137 of file srp6.cpp.
141 {
142 auto hash_fn = HashFunction::create_or_throw(hash_id);
144 throw Invalid_Argument(fmt("Hash function {} too large for SRP6 with this group", hash_fn->name()));
145 }
146
147 const BigInt x = compute_x(*hash_fn, identifier, password, salt);
149}
References Botan::HashFunction::create_or_throw(), fmt(), Botan::DL_Group::p_bits(), and Botan::DL_Group::power_g_p().
◆ srp6_generate_verifier() [2/2]
| BigInt Botan::srp6_generate_verifier | ( | std::string_view | identifier, |
| std::string_view | password, | ||
| const std::vector< uint8_t > & | salt, | ||
| std::string_view | group_id, | ||
| std::string_view | hash_id ) |
Generate a new SRP-6 verifier
- Parameters
-
identifier a username or other client identifier password the secret used to authenticate user salt a randomly chosen value, at least 128 bits long group_id specifies the shared SRP group hash_id specifies a secure hash function
Definition at line 128 of file srp6.cpp.
132 {
133 DL_Group group(group_id);
135}
BigInt srp6_generate_verifier(std::string_view identifier, std::string_view password, const std::vector< uint8_t > &salt, std::string_view group_id, std::string_view hash_id)
Definition srp6.cpp:128
References srp6_generate_verifier().
Referenced by botan_srp6_generate_verifier(), and srp6_generate_verifier().
◆ srp6_group_identifier()
Return the group id for this SRP param set, or else thrown an exception
- Parameters
-
N the group modulus g the group generator
- Returns
- group identifier
Definition at line 46 of file srp6.cpp.
46 {
47 /*
48 This function assumes that only one 'standard' SRP parameter set has
49 been defined for a particular bitsize. As of this writing that is the case.
50 */
51 try {
53
54 DL_Group group(group_name);
55
56 if(group.get_p() == N && group.get_g() == g) {
57 return group_name;
58 }
59 } catch(...) {}
60
61 // If we didn't return, the group was unknown or did not match
62 throw Invalid_Argument("Invalid or unknown SRP group parameters");
63}
References Botan::BigInt::bits(), Botan::DL_Group::get_g(), and Botan::DL_Group::get_p().
◆ store_be()
template<typename ModifierT = detail::AutoDetect, typename... ParamTs>
|
inlineconstexpr |
Store "something" in big endian byte order See the documentation of this file for more details.
Definition at line 773 of file loadstor.h.
773 {
774 return detail::store_any<detail::Endianness::Big, ModifierT>(std::forward<ParamTs>(params)...);
775}
References Botan::detail::store_any().
Referenced by Botan::GHASH::add_final_block(), Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::BigInt::binary_encode(), Botan::FPE_FE1::decrypt(), Botan::Blowfish::decrypt_n(), Botan::CAST_128::decrypt_n(), Botan::DES::decrypt_n(), Botan::Noekeon::decrypt_n(), Botan::SEED::decrypt_n(), Botan::SHACAL2::decrypt_n(), Botan::SM4::decrypt_n(), Botan::TripleDES::decrypt_n(), Botan::AlternativeName::encode_into(), Botan::CryptoBox::encrypt(), Botan::FPE_FE1::encrypt(), Botan::TLS::Session::encrypt(), Botan::Blowfish::encrypt_n(), Botan::CAST_128::encrypt_n(), Botan::DES::encrypt_n(), Botan::Noekeon::encrypt_n(), Botan::SEED::encrypt_n(), Botan::SHACAL2::encrypt_n(), Botan::SM4::encrypt_n(), Botan::TripleDES::encrypt_n(), Botan::TLS::Connection_Cipher_State::format_ad(), Botan::Kyber_Modern_Symmetric_Primitives::get_PRF(), Botan::ML_KEM_Symmetric_Primitives::get_PRF(), Botan::Kyber_Modern_Symmetric_Primitives::get_XOF(), Botan::ML_KEM_Symmetric_Primitives::get_XOF(), ipv4_to_string(), Botan::SP800_108_Counter::kdf(), Botan::SP800_108_Feedback::kdf(), Botan::SP800_108_Pipeline::kdf(), lmots_compute_pubkey_from_sig(), Botan::LMOTS_Public_Key::LMOTS_Public_Key(), Botan::TLS::make_hello_random(), Botan::TPM2::Context::manufacturer(), Botan::TLS::Cipher_State::next_ticket_nonce(), nist_key_wrap(), nist_key_wrap_padded(), Botan::XMSS_PublicKey::raw_public_key_bits(), Botan::CTR_BE::seek(), Botan::TLS::New_Session_Ticket_12::serialize(), Botan::TLS::New_Session_Ticket_13::serialize(), Botan::PseudorandomKeyGeneration::set_i(), Botan::PseudorandomKeyGeneration::set_j(), Botan::PseudorandomKeyGeneration::set_q(), Botan::HSS_LMS_PrivateKeyInternal::sign(), Botan::LMOTS_Private_Key::sign(), Botan::LMS_PrivateKey::sign_and_get_pk(), Botan::SIMD_4x32::store_be(), Botan::HSS_LMS_PrivateKeyInternal::to_bytes(), Botan::HSS_LMS_PublicKeyInternal::to_bytes(), Botan::LMS_PublicKey::to_bytes(), Botan::Sphincs_Address::to_bytes(), Botan::Sphincs_Address::to_bytes_compressed(), Botan::Buffered_Computation::update_be(), Botan::Buffered_Computation::update_be(), Botan::Buffered_Computation::update_be(), and Botan::TPM2::Context::vendor().
◆ store_le()
template<typename ModifierT = detail::AutoDetect, typename... ParamTs>
|
inlineconstexpr |
Store "something" in little endian byte order See the documentation of this file for more details.
Definition at line 764 of file loadstor.h.
764 {
765 return detail::store_any<detail::Endianness::Little, ModifierT>(std::forward<ParamTs>(params)...);
766}
References Botan::detail::store_any().
Referenced by create_aes_row_generator(), create_shake_row_generator(), Botan::Sodium::crypto_core_hsalsa20(), Botan::GOST_28147_89::decrypt_n(), Botan::Kuznyechik::decrypt_n(), Botan::Serpent::decrypt_n(), Botan::Threefish_512::decrypt_n(), Botan::Twofish::decrypt_n(), Botan::GOST_28147_89::encrypt_n(), Botan::Kuznyechik::encrypt_n(), Botan::Serpent::encrypt_n(), Botan::Threefish_512::encrypt_n(), Botan::Twofish::encrypt_n(), Botan::Streebog::final_result(), generate_mceliece_key(), Botan::CRYSTALS::pack(), Botan::RandomNumberGenerator::randomize_with_ts_input(), Botan::Salsa20::salsa_core(), Botan::ChaCha::seek(), Botan::Salsa20::seek(), Botan::FrodoMatrix::serialize(), Botan::Sodium::sodium_malloc(), Botan::Keccak_Permutation::squeeze(), Botan::SIMD_4x32::store_le(), Botan::Gf448Elem::to_bytes(), Botan::Scalar448::to_bytes(), Botan::Buffered_Computation::update_le(), Botan::Buffered_Computation::update_le(), Botan::Buffered_Computation::update_le(), and Botan::ChaCha20Poly1305_Mode::update_len().
◆ string_join()
| std::string Botan::string_join | ( | const std::vector< std::string > & | strs, |
| char | delim ) |
Join a string
- Parameters
-
strs strings to join delim the delimitor
- Returns
- string joined by delim
Definition at line 140 of file parsing.cpp.
140 {
141 std::ostringstream out;
142
143 for(size_t i = 0; i != strs.size(); ++i) {
144 if(i != 0) {
145 out << delim;
146 }
147 out << strs[i];
148 }
149
150 return out.str();
151}
Referenced by Botan::CPUID::to_string(), and Botan::Key_Constraints::to_string().
◆ string_to_ipv4()
| std::optional< uint32_t > BOTAN_TEST_API Botan::string_to_ipv4 | ( | std::string_view | ip_str | ) |
Convert a string representation of an IPv4 address to a number
- Parameters
-
ip_str the string representation
- Returns
- integer IPv4 address
Definition at line 156 of file parsing.cpp.
156 {
157 // At least 3 dots + 4 1-digit integers
158 // At most 3 dots + 4 3-digit integers
159 if(str.size() < 3 + 4 * 1 || str.size() > 3 + 4 * 3) {
160 return {};
161 }
162
163 // the final result
164 uint32_t ip = 0;
165 // the number of '.' seen so far
166 size_t dots = 0;
167 // accumulates one quad (range 0-255)
168 uint32_t accum = 0;
169 // # of digits pushed to accum since last dot
170 size_t cur_digits = 0;
171
172 for(char c : str) {
173 if(c == '.') {
174 // . without preceding digit is invalid
175 if(cur_digits == 0) {
176 return {};
177 }
178 dots += 1;
179 // too many dots
180 if(dots > 3) {
181 return {};
182 }
183
184 cur_digits = 0;
185 ip = (ip << 8) | accum;
186 accum = 0;
187 } else if(c >= '0' && c <= '9') {
188 const auto d = static_cast<uint8_t>(c - '0');
189
190 // prohibit leading zero in quad (used for octal)
191 if(cur_digits > 0 && accum == 0) {
192 return {};
193 }
194 accum = (accum * 10) + d;
195
196 if(accum > 255) {
197 return {};
198 }
199
200 cur_digits++;
201 BOTAN_ASSERT_NOMSG(cur_digits <= 3);
202 } else {
203 return {};
204 }
205 }
206
207 // no trailing digits?
208 if(cur_digits == 0) {
209 return {};
210 }
211
212 // insufficient # of dots
213 if(dots != 3) {
214 return {};
215 }
216
217 ip = (ip << 8) | accum;
218
219 return ip;
220}
References BOTAN_ASSERT_NOMSG.
Referenced by Botan::AlternativeName::add_attribute(), Botan::AlternativeName::AlternativeName(), Botan::NameConstraints::is_excluded(), Botan::NameConstraints::is_permitted(), Botan::GeneralName::matches(), and Botan::X509_Certificate::matches_dns_name().
◆ swap_bits()
◆ swar_in_range()
SWAR (SIMD within a word) byte-by-byte comparison
This individually compares each byte of the provided words. It returns a mask which contains, for each byte, 0x80 if the byte in a was less than the byte in b. Otherwise the mask is 00.
This implementation assumes that the high bits of each byte in both lower and upper are clear! It is possible to support the full range of bytes, but this requires additional comparisons.
Definition at line 114 of file int_utils.h.
114 {
115 // The constant 0x808080... as a T
117 // The constant 0x7F7F7F... as a T
119
123 return (lo7 - a_lo + upper) & hi1 & ~a_hi;
124}
References T.
◆ swar_lt()
SWAR (SIMD within a word) byte-by-byte comparison
This individually compares each byte of the provided words. It returns a mask which contains, for each byte, 0xFF if the byte in a was less than the byte in b. Otherwise the mask is 00.
This implementation assumes that the high bits of each byte in both a and b are clear! It is possible to support the full range of bytes, but this requires additional comparisons.
Definition at line 91 of file int_utils.h.
91 {
92 // The constant 0x808080... as a T
94 // The constant 0x7F7F7F... as a T
97 // Currently the mask is 80 if lt, otherwise 00. Convert to FF/00
98 return (r << 1) - (r >> 7);
99}
◆ syndrome_init()
| std::vector< polyn_gf2m > Botan::syndrome_init | ( | const polyn_gf2m & | generator, |
| const std::vector< gf2m > & | support, | ||
| int | n ) |
Definition at line 608 of file polyn_gf2m.cpp.
608 {
609 int i, j, t;
610 gf2m a;
611
612 std::shared_ptr<GF2m_Field> m_sp_field = generator.get_sp_field();
613
614 std::vector<polyn_gf2m> result;
615 t = generator.get_degree();
616
617 //g(z)=g_t+g_(t-1).z^(t-1)+......+g_1.z+g_0
618 //f(z)=f_(t-1).z^(t-1)+......+f_1.z+f_0
619
620 for(j = 0; j < n; j++) {
621 result.push_back(polyn_gf2m(t - 1, m_sp_field));
622
623 (*&result[j]).set_coef(t - 1, 1);
624 for(i = t - 2; i >= 0; i--) {
625 (*&result[j]).set_coef(i, (generator)[i + 1] ^ m_sp_field->gf_mul(lex_to_gray(support[j]), result[j][i + 1]));
626 }
627 a = ((generator)[0] ^ m_sp_field->gf_mul(lex_to_gray(support[j]), result[j][0]));
628 for(i = 0; i < t; i++) {
629 (*&result[j]).set_coef(i, m_sp_field->gf_div(result[j][i], a));
630 }
631 }
632 return result;
633}
References Botan::polyn_gf2m::get_degree(), Botan::polyn_gf2m::get_sp_field(), and lex_to_gray().
Referenced by generate_mceliece_key().
◆ system_rng()
| RandomNumberGenerator & Botan::system_rng | ( | ) |
Return a shared reference to a global PRNG instance provided by the operating system. For instance might be instantiated by /dev/urandom or CryptGenRandom.
Definition at line 368 of file system_rng.cpp.
368 {
369 static System_RNG_Impl g_system_rng;
370 return g_system_rng;
371}
Referenced by Botan::System_RNG::accepts_input(), botan_pk_op_decrypt_create(), botan_pk_op_encrypt_create(), botan_pk_op_kem_decrypt_create(), botan_pk_op_key_agreement_create(), botan_pk_op_sign_create(), botan_rng_reseed(), botan_system_rng_get(), Botan::System_RNG::clear(), Botan::System_RNG::fill_bytes_with_input(), Botan::System_RNG::is_seeded(), Botan::System_RNG::name(), Botan::Sodium::randombytes_buf(), and Botan::RandomNumberGenerator::randomize_with_ts_input().
◆ theta()
|
inline |
Definition at line 17 of file noekeon_simd.cpp.
24 {
27 A1 ^= T;
28 A3 ^= T;
29
30 A0 ^= K0;
31 A1 ^= K1;
32 A2 ^= K2;
33 A3 ^= K3;
34
35 T = A1 ^ A3;
37 A0 ^= T;
38 A2 ^= T;
39}
References T.
Referenced by Botan::Noekeon::decrypt_n(), and Botan::Noekeon::encrypt_n().
◆ throw_invalid_argument()
| void BOTAN_UNSTABLE_API Botan::throw_invalid_argument | ( | const char * | message, |
| const char * | func, | ||
| const char * | file ) |
Called when an invalid argument is used Throws Invalid_Argument
Definition at line 21 of file assert.cpp.
References fmt().
◆ throw_invalid_state()
| void BOTAN_UNSTABLE_API Botan::throw_invalid_state | ( | const char * | message, |
| const char * | func, | ||
| const char * | file ) |
Called when an invalid state is encountered Throws Invalid_State
Definition at line 25 of file assert.cpp.
References fmt().
◆ to_byte_vector()
template<concepts::contiguous_container T = std::vector<uint8_t>>
|
inline |
Definition at line 29 of file stl_util.h.
References T.
Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), and Botan::TLS::Channel_Impl_12::key_material_export().
◆ to_string() [1/3]
| const char * Botan::to_string | ( | Certificate_Status_Code | code | ) |
Convert a status code to a human readable diagnostic message
- Parameters
-
code the certifcate status
- Returns
- string literal constant, or nullptr if code unknown
Definition at line 11 of file cert_status.cpp.
11 {
12 switch(code) {
13 case Certificate_Status_Code::VERIFIED:
14 return "Verified";
15 case Certificate_Status_Code::OCSP_RESPONSE_GOOD:
16 return "OCSP response accepted as affirming unrevoked status for certificate";
17 case Certificate_Status_Code::OCSP_SIGNATURE_OK:
18 return "Signature on OCSP response was found valid";
19 case Certificate_Status_Code::VALID_CRL_CHECKED:
20 return "Valid CRL examined";
21
22 case Certificate_Status_Code::CERT_SERIAL_NEGATIVE:
23 return "Certificate serial number is negative";
24 case Certificate_Status_Code::DN_TOO_LONG:
25 return "Distinguished name too long";
26 case Certificate_Status_Code::OCSP_NO_REVOCATION_URL:
27 return "OCSP URL not available";
28 case Certificate_Status_Code::OCSP_SERVER_NOT_AVAILABLE:
29 return "OCSP server not available";
30 case Certificate_Status_Code::TRUSTED_CERT_NOT_YET_VALID:
31 return "Trusted certificate is not yet valid";
32 case Certificate_Status_Code::TRUSTED_CERT_HAS_EXPIRED:
33 return "Trusted certificate has expired";
34 case Certificate_Status_Code::OCSP_ISSUER_NOT_TRUSTED:
35 return "OCSP issuer is not trustworthy";
36
37 case Certificate_Status_Code::NO_REVOCATION_DATA:
38 return "No revocation data";
39 case Certificate_Status_Code::SIGNATURE_METHOD_TOO_WEAK:
40 return "Signature method too weak";
41 case Certificate_Status_Code::UNTRUSTED_HASH:
42 return "Hash function used is considered too weak for security";
43
44 case Certificate_Status_Code::CERT_NOT_YET_VALID:
45 return "Certificate is not yet valid";
46 case Certificate_Status_Code::CERT_HAS_EXPIRED:
47 return "Certificate has expired";
48 case Certificate_Status_Code::OCSP_NOT_YET_VALID:
49 return "OCSP is not yet valid";
50 case Certificate_Status_Code::OCSP_HAS_EXPIRED:
51 return "OCSP response has expired";
52 case Certificate_Status_Code::OCSP_IS_TOO_OLD:
53 return "OCSP response is too old";
54 case Certificate_Status_Code::CRL_NOT_YET_VALID:
55 return "CRL response is not yet valid";
56 case Certificate_Status_Code::CRL_HAS_EXPIRED:
57 return "CRL has expired";
58
59 case Certificate_Status_Code::CERT_ISSUER_NOT_FOUND:
60 return "Certificate issuer not found";
61 case Certificate_Status_Code::CANNOT_ESTABLISH_TRUST:
62 return "Cannot establish trust";
63 case Certificate_Status_Code::CERT_CHAIN_LOOP:
64 return "Loop in certificate chain";
65 case Certificate_Status_Code::CHAIN_LACKS_TRUST_ROOT:
66 return "Certificate chain does not end in a CA certificate";
67 case Certificate_Status_Code::CHAIN_NAME_MISMATCH:
68 return "Certificate issuer does not match subject of issuing cert";
69
70 case Certificate_Status_Code::POLICY_ERROR:
71 return "Certificate policy error";
72 case Certificate_Status_Code::DUPLICATE_CERT_POLICY:
73 return "Certificate contains duplicate policy";
74 case Certificate_Status_Code::INVALID_USAGE:
75 return "Certificate does not allow the requested usage";
76 case Certificate_Status_Code::CERT_CHAIN_TOO_LONG:
77 return "Certificate chain too long";
78 case Certificate_Status_Code::CA_CERT_NOT_FOR_CERT_ISSUER:
79 return "CA certificate not allowed to issue certs";
80 case Certificate_Status_Code::CA_CERT_NOT_FOR_CRL_ISSUER:
81 return "CA certificate not allowed to issue CRLs";
82 case Certificate_Status_Code::NO_MATCHING_CRLDP:
83 return "No CRL with matching distribution point for certificate";
84 case Certificate_Status_Code::OCSP_CERT_NOT_LISTED:
85 return "OCSP cert not listed";
86 case Certificate_Status_Code::OCSP_BAD_STATUS:
87 return "OCSP bad status";
88 case Certificate_Status_Code::CERT_NAME_NOMATCH:
89 return "Certificate does not match provided name";
90 case Certificate_Status_Code::NAME_CONSTRAINT_ERROR:
91 return "Certificate does not pass name constraint";
92 case Certificate_Status_Code::UNKNOWN_CRITICAL_EXTENSION:
93 return "Unknown critical extension encountered";
94 case Certificate_Status_Code::DUPLICATE_CERT_EXTENSION:
95 return "Duplicate certificate extension encountered";
96 case Certificate_Status_Code::EXT_IN_V1_V2_CERT:
97 return "Encountered extension in certificate with version that does not allow it";
98 case Certificate_Status_Code::V2_IDENTIFIERS_IN_V1_CERT:
99 return "Encountered v2 identifiers in v1 certificate";
100 case Certificate_Status_Code::OCSP_SIGNATURE_ERROR:
101 return "OCSP signature error";
102 case Certificate_Status_Code::OCSP_ISSUER_NOT_FOUND:
103 return "Unable to find certificate issusing OCSP response";
104 case Certificate_Status_Code::OCSP_RESPONSE_MISSING_KEYUSAGE:
105 return "OCSP issuer's keyusage prohibits OCSP";
106 case Certificate_Status_Code::OCSP_RESPONSE_INVALID:
107 return "OCSP parsing valid";
108 case Certificate_Status_Code::OCSP_NO_HTTP:
109 return "OCSP requests not available, no HTTP support compiled in";
110 case Certificate_Status_Code::CERT_IS_REVOKED:
111 return "Certificate is revoked";
112 case Certificate_Status_Code::CRL_BAD_SIGNATURE:
113 return "CRL bad signature";
114 case Certificate_Status_Code::SIGNATURE_ERROR:
115 return "Signature error";
116 case Certificate_Status_Code::CERT_PUBKEY_INVALID:
117 return "Certificate public key invalid";
118 case Certificate_Status_Code::SIGNATURE_ALGO_UNKNOWN:
119 return "Certificate signed with unknown/unavailable algorithm";
120 case Certificate_Status_Code::SIGNATURE_ALGO_BAD_PARAMS:
121 return "Certificate signature has invalid parameters";
122
123 // intentionally no default so we are warned if new enum values are added
124 }
125
126 return nullptr;
127}
References CA_CERT_NOT_FOR_CERT_ISSUER, CA_CERT_NOT_FOR_CRL_ISSUER, CANNOT_ESTABLISH_TRUST, CERT_CHAIN_LOOP, CERT_CHAIN_TOO_LONG, CERT_HAS_EXPIRED, CERT_IS_REVOKED, CERT_ISSUER_NOT_FOUND, CERT_NAME_NOMATCH, CERT_NOT_YET_VALID, CERT_PUBKEY_INVALID, CERT_SERIAL_NEGATIVE, CHAIN_LACKS_TRUST_ROOT, CHAIN_NAME_MISMATCH, CRL_BAD_SIGNATURE, CRL_HAS_EXPIRED, CRL_NOT_YET_VALID, DN_TOO_LONG, DUPLICATE_CERT_EXTENSION, DUPLICATE_CERT_POLICY, EXT_IN_V1_V2_CERT, INVALID_USAGE, NAME_CONSTRAINT_ERROR, NO_MATCHING_CRLDP, NO_REVOCATION_DATA, OCSP_BAD_STATUS, OCSP_CERT_NOT_LISTED, OCSP_HAS_EXPIRED, OCSP_IS_TOO_OLD, OCSP_ISSUER_NOT_FOUND, OCSP_ISSUER_NOT_TRUSTED, OCSP_NO_HTTP, OCSP_NO_REVOCATION_URL, OCSP_NOT_YET_VALID, OCSP_RESPONSE_GOOD, OCSP_RESPONSE_INVALID, OCSP_RESPONSE_MISSING_KEYUSAGE, OCSP_SERVER_NOT_AVAILABLE, OCSP_SIGNATURE_ERROR, OCSP_SIGNATURE_OK, POLICY_ERROR, SIGNATURE_ALGO_BAD_PARAMS, SIGNATURE_ALGO_UNKNOWN, SIGNATURE_ERROR, SIGNATURE_METHOD_TOO_WEAK, TRUSTED_CERT_HAS_EXPIRED, TRUSTED_CERT_NOT_YET_VALID, UNKNOWN_CRITICAL_EXTENSION, UNTRUSTED_HASH, V2_IDENTIFIERS_IN_V1_CERT, VALID_CRL_CHECKED, and VERIFIED.
◆ to_string() [2/3]
| std::string Botan::to_string | ( | ErrorType | type | ) |
Convert an ErrorType to string.
Definition at line 13 of file exceptn.cpp.
13 {
14 switch(type) {
15 case ErrorType::Unknown:
16 return "Unknown";
17 case ErrorType::SystemError:
18 return "SystemError";
19 case ErrorType::NotImplemented:
20 return "NotImplemented";
21 case ErrorType::OutOfMemory:
22 return "OutOfMemory";
23 case ErrorType::InternalError:
24 return "InternalError";
25 case ErrorType::IoError:
26 return "IoError";
27 case ErrorType::InvalidObjectState:
28 return "InvalidObjectState";
29 case ErrorType::KeyNotSet:
30 return "KeyNotSet";
31 case ErrorType::InvalidArgument:
32 return "InvalidArgument";
33 case ErrorType::InvalidKeyLength:
34 return "InvalidKeyLength";
35 case ErrorType::InvalidNonceLength:
36 return "InvalidNonceLength";
37 case ErrorType::LookupError:
38 return "LookupError";
39 case ErrorType::EncodingFailure:
40 return "EncodingFailure";
41 case ErrorType::DecodingFailure:
42 return "DecodingFailure";
43 case ErrorType::TLSError:
44 return "TLSError";
45 case ErrorType::HttpError:
46 return "HttpError";
47 case ErrorType::InvalidTag:
48 return "InvalidTag";
49 case ErrorType::RoughtimeError:
50 return "RoughtimeError";
51 case ErrorType::CommonCryptoError:
52 return "CommonCryptoError";
53 case ErrorType::Pkcs11Error:
54 return "Pkcs11Error";
55 case ErrorType::TPMError:
56 return "TPMError";
57 case ErrorType::DatabaseError:
58 return "DatabaseError";
59 case ErrorType::ZlibError:
60 return "ZlibError";
61 case ErrorType::Bzip2Error:
62 return "Bzip2Error";
63 case ErrorType::LzmaError:
64 return "LzmaError";
65 }
66
67 // No default case in above switch so compiler warns
68 return "Unrecognized Botan error";
69}
References Bzip2Error, CommonCryptoError, DatabaseError, DecodingFailure, EncodingFailure, HttpError, InternalError, InvalidArgument, InvalidKeyLength, InvalidNonceLength, InvalidObjectState, InvalidTag, IoError, KeyNotSet, LookupError, LzmaError, NotImplemented, OutOfMemory, Pkcs11Error, RoughtimeError, SystemError, TLSError, TPMError, Unknown, and ZlibError.
Referenced by Botan::TLS::Server_Hello_13::basic_validation(), botan_x509_cert_validation_status(), Botan::TLS::PskIdentity::identity_as_string(), and Botan::Path_Validation_Result::status_string().
◆ to_string() [3/3]
|
inline |
Definition at line 33 of file stl_util.h.
33 {
34 return std::string(bytes.begin(), bytes.end());
35}
◆ to_u32bit()
| BOTAN_TEST_API uint32_t Botan::to_u32bit | ( | std::string_view | str | ) |
Convert a decimal string to a number
- Parameters
-
str the string to convert
- Returns
- number value of the string
Definition at line 32 of file parsing.cpp.
32 {
33 const std::string str(str_view);
34
35 // std::stoul is not strict enough. Ensure that str is digit only [0-9]*
36 for(const char chr : str) {
37 if(chr < '0' || chr > '9') {
39 }
40 }
41
42 const unsigned long int x = std::stoul(str);
43
44 if constexpr(sizeof(unsigned long int) > 4) {
45 // x might be uint64
46 if(x > std::numeric_limits<uint32_t>::max()) {
47 throw Invalid_Argument("Integer value of " + str + " exceeds 32 bit range");
48 }
49 }
50
51 return static_cast<uint32_t>(x);
52}
Referenced by Botan::SCAN_Name::arg_as_integer(), Botan::SCAN_Name::arg_as_integer(), argon2_check_pwhash(), create_private_key(), Botan::TLS::Text_Policy::get_len(), Botan::HTTP::http_sync(), and to_uint16().
◆ to_uint16()
| uint16_t Botan::to_uint16 | ( | std::string_view | str | ) |
Convert a decimal string to a number
- Parameters
-
str the string to convert
- Returns
- number value of the string
Definition at line 22 of file parsing.cpp.
22 {
24
25 if(x >> 16) {
27 }
28
29 return static_cast<uint16_t>(x);
30}
References to_u32bit().
Referenced by check_bcrypt(), and Botan::TLS::Text_Policy::srtp_profiles().
◆ to_underlying()
Definition at line 414 of file stl_util.h.
414 {
415 return static_cast<std::underlying_type_t<T>>(e);
416}
◆ tolower_string()
| std::string Botan::tolower_string | ( | std::string_view | in | ) |
Definition at line 241 of file parsing.cpp.
241 {
242 std::string s(in);
243 for(size_t i = 0; i != s.size(); ++i) {
244 const int cu = static_cast<unsigned char>(s[i]);
245 if(std::isalpha(cu)) {
246 s[i] = static_cast<char>(std::tolower(cu));
247 }
248 }
249 return s;
250}
Referenced by Botan::AlternativeName::add_dns(), Botan::GeneralName::decode_from(), and host_wildcard_match().
◆ treehash() [1/2]
| BOTAN_TEST_API void Botan::treehash | ( | StrongSpan< SphincsTreeNode > | out_root, |
| StrongSpan< SphincsAuthenticationPath > | out_auth_path, | ||
| const Sphincs_Parameters & | params, | ||
| Sphincs_Hash_Functions & | hashes, | ||
| std::optional< TreeNodeIndex > | leaf_idx, | ||
| uint32_t | idx_offset, | ||
| uint32_t | tree_height, | ||
| const GenerateLeafFunction & | gen_leaf, | ||
| Sphincs_Address & | tree_address ) |
Implements a generic Merkle tree hash. Will be used for both FORS and XMSS signatures. gen_leaf is used to create leaf nodes in the respective trees. Additionally XMSS uses the gen_leaf logic to store the WOTS Signature in the main SLH-DSA signature. The leaf_idx is the index of leaf to sign. If only the root node must be computed (without a signature), the leaf_idx is set to std::nullopt.
Definition at line 17 of file sp_treehash.cpp.
25 {
28
30
31 std::vector<uint8_t> stack(total_tree_height * params.n());
33
34 /* Traverse the tree from the left-most leaf, matching siblings and up until
35 * the root (Post-order traversal). Collect the adjacent nodes (A) to build
36 * the authentication path (X) along the way.
37 *
38 * 7R
39 * / \
40 * 3X 6A
41 * / \ / \
42 * 1X 2A 4 5
43 */
46 gen_leaf(current_node, idx + idx_offset);
47
48 // Now combine the freshly generated right node with previously generated
49 // left ones
50 uint32_t internal_idx_offset = idx_offset;
51 TreeNodeIndex internal_idx = idx;
52 auto internal_leaf = leaf_idx;
53
55 // Check if we hit the top of the tree
56 if(h.get() == total_tree_height) {
57 copy_mem(out_root, current_node);
58 return;
59 }
60
61 // Check if the node we have is a part of the authentication path; if
62 // it is, write it out. The XOR sum of both nodes (at internal_idx and internal_leaf)
63 // is 1 iff they have the same parent node in the FORS tree
64 if(internal_leaf.has_value() && (internal_idx ^ internal_leaf.value()) == 0x01U) {
66 copy_mem(auth_path_location, current_node);
67 }
68
69 // At this point we know that we'll need to use the stack. Get a
70 // reference to the correct location.
72
73 // Check if we're at a left child; if so, stop going up the stack
74 // Exception: if we've reached the end of the tree, keep on going (so
75 // we combine the last 4 nodes into the one root node in two more
76 // iterations)
77 if((internal_idx & 1) == 0U && idx < max_idx) {
78 // We've hit a left child; save the current for when we get the
79 // corresponding right child.
80 copy_mem(stack_location, current_node);
81 break;
82 }
83
84 // Ok, we're at a right node. Now combine the left and right logical
85 // nodes together.
86
87 // Set the address of the node we're creating.
88 internal_idx_offset /= 2;
89 tree_address.set_tree_height(h + 1);
90 tree_address.set_tree_index(internal_idx / 2 + internal_idx_offset);
91
92 hashes.T(current_node, tree_address, stack_location, current_node);
93
94 internal_idx /= 2;
95 if(internal_leaf.has_value()) {
96 internal_leaf.value() /= 2;
97 }
98 }
99 }
100}
References BOTAN_ASSERT_NOMSG, copy_mem(), Botan::StrongSpan< T >::get(), Botan::Sphincs_Parameters::n(), Botan::Sphincs_Address::set_tree_height(), Botan::Sphincs_Address::set_tree_index(), Botan::StrongSpan< T >::size(), and Botan::Sphincs_Hash_Functions::T().
Referenced by fors_sign_and_pkgen(), and xmss_sign_and_pkgen().
◆ treehash() [2/2]
template<concepts::contiguous_strong_type TreeNode, concepts::strong_span AuthPathSS, concepts::tree_node_index TreeNodeIndex, concepts::tree_layer_index TreeLayerIndex, typename Address >
requires concepts::tree_address<Address, TreeLayerIndex, TreeNodeIndex>
requires concepts::tree_address<Address, TreeLayerIndex, TreeNodeIndex>
|
inline |
Treehash logic to build up a merkle hash tree.
Computes the root of the merkle tree. Can also output an authentication path necessary for a hash based signature.
Given the following tree: Layer: 2 7R / \ 1 3X 6A / \ / \ 0 1X 2A 4 5
The treehash logic traverses the tree (Post-order traversal), i.e., the nodes are discovered in order 1,2,3,...,7. If we want to create a signature using leaf node 1, the authentication path is (Node 2, Node 6), since we need those to compute the root.
- Parameters
-
out_root An output buffer to store the root node in (size: node_size ). out_auth_path Optional buffer to store the authentication path in (size: node_size * total_tree_height). leaf_idx The optional index of the leaf used to sign in the bottom tree layer beginning with index 0. nullopt if no node is signed, so we need no auth path. node_size The size of each node in the tree. total_tree_height The hight of the merkle tree to construct. idx_offset If we compute a subtree this marks the index of the leftmost leaf node in the bottom layer node_pair_hash The function to process two child nodes to compute their parent node. gen_leaf The logic to create a leaf node given the address in the tree. Probably this function creates a one-time/few-time-signature's public key which is hashed to be the leaf node. tree_address The address that is passed to gen_leaf or node_pair hash. This function will update the address accordings to the currently processed node. This object may contain further algorithm specific information, like the position of this merkle tree in a hypertree.
Definition at line 114 of file tree_hash.h.
123 {
125 BOTAN_ASSERT(out_auth_path.has_value() == leaf_idx.has_value(),
126 "Both leaf index and auth path buffer is given or neither.");
127 const bool is_signing = leaf_idx.has_value();
128 BOTAN_ASSERT_NOMSG(!is_signing || out_auth_path.value().size() == node_size * total_tree_height.get());
129
131
132 std::vector<TreeNode> last_visited_left_child_at_layer(total_tree_height.get(), TreeNode(node_size));
133
134 TreeNode current_node(node_size); // Current logical node
135
136 // Traverse the tree from the left-most leaf, matching siblings and up until
137 // the root (Post-order traversal). Collect the adjacent nodes to build
138 // the authentication path along the way.
140 tree_address.set_address(TreeLayerIndex(0), idx + idx_offset);
141 gen_leaf(StrongSpan<TreeNode>(current_node), tree_address);
142
143 // Now combine the freshly generated right node with previously generated
144 // left ones
145 uint32_t internal_idx_offset = idx_offset;
146 TreeNodeIndex internal_idx = idx;
147 auto internal_leaf = leaf_idx;
148
150 // Check if we hit the top of the tree
151 if(h == total_tree_height) {
152 copy_mem(out_root, current_node);
153 return;
154 }
155
156 // Check if the node we have is a part of the authentication path; if
157 // it is, write it out. The XOR sum of both nodes (at internal_idx and internal_leaf)
158 // is 1 iff they have the same parent node in the FORS tree
159 if(is_signing && (internal_idx ^ internal_leaf.value()) == 0x01U) {
160 auto auth_path_location = out_auth_path.value().get().subspan(h.get() * node_size, node_size);
161 copy_mem(auth_path_location, current_node);
162 }
163
164 // Check if we're at a left child; if so, stop going up the tree
165 // Exception: if we've reached the end of the tree, keep on going (so
166 // we combine the last 4 nodes into the one root node in two more
167 // iterations)
168 if((internal_idx & 1) == 0U && idx < max_idx) {
169 // We've hit a left child; save the current for when we get the
170 // corresponding right child.
171 copy_mem(last_visited_left_child_at_layer.at(h.get()), current_node);
172 break;
173 }
174
175 // Ok, we're at a right node. Now combine the left and right logical
176 // nodes together.
177
178 // Set the address of the node we're creating.
179 internal_idx_offset /= 2;
180 tree_address.set_address(h + 1, internal_idx / 2 + internal_idx_offset);
181
182 node_pair_hash(current_node, tree_address, last_visited_left_child_at_layer.at(h.get()), current_node);
183
184 internal_idx /= 2;
185 if(internal_leaf.has_value()) {
186 internal_leaf.value() /= 2;
187 }
188 }
189 }
190}
References BOTAN_ASSERT, BOTAN_ASSERT_NOMSG, copy_mem(), Botan::detail::Strong_Base< T >::get(), and Botan::StrongSpan< T >::size().
◆ typecast_copy() [1/9]
template<typename To >
requires std::is_trivial<To>::value
requires std::is_trivial<To>::value
|
inlineconstexprnoexcept |
Definition at line 254 of file mem_ops.h.
254 {
255 // asserts that *src points to the correct amount of memory
256 return typecast_copy<To>(std::span<const uint8_t, sizeof(To)>(src, sizeof(To)));
257}
References typecast_copy().
◆ typecast_copy() [2/9]
template<typename ToT , ranges::contiguous_range FromR>
requires std::is_default_constructible_v<ToT> && std::is_trivially_copyable_v<ToT> && std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>>
requires std::is_default_constructible_v<ToT> && std::is_trivially_copyable_v<ToT> && std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>>
|
inlineconstexprnoexcept |
Create a trivial type by bit-casting a range of trivially copyable type with matching length into it.
Definition at line 212 of file mem_ops.h.
References typecast_copy().
◆ typecast_copy() [3/9]
|
inlineconstexpr |
Definition at line 246 of file mem_ops.h.
246 {
247 // asserts that *in points to the correct amount of memory
249}
References T, and typecast_copy().
◆ typecast_copy() [4/9]
|
inlineconstexpr |
Definition at line 229 of file mem_ops.h.
231{
232 // asserts that *in and *out point to the correct amount of memory
234}
References T, and typecast_copy().
◆ typecast_copy() [5/9]
template<ranges::contiguous_output_range ToR, typename FromT >
requires std::is_trivially_copyable_v<FromT> && (!std::ranges::range<FromT>) && std::is_trivially_copyable_v<std::ranges::range_value_t<ToR>>
requires std::is_trivially_copyable_v<FromT> && (!std::ranges::range<FromT>) && std::is_trivially_copyable_v<std::ranges::range_value_t<ToR>>
|
inlineconstexpr |
Copy an instance of trivially copyable type into a range of trivially copyable type with matching length.
Definition at line 201 of file mem_ops.h.
References typecast_copy().
◆ typecast_copy() [6/9]
template<ranges::contiguous_output_range ToR, ranges::contiguous_range FromR>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>> && std::is_trivially_copyable_v<std::ranges::range_value_t<ToR>>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>> && std::is_trivially_copyable_v<std::ranges::range_value_t<ToR>>
|
inlineconstexpr |
Copy a range of a trivially copyable type into another range of trivially copyable type of matching byte length.
Definition at line 178 of file mem_ops.h.
178 {
179 ranges::assert_equal_byte_lengths(out, in);
180 std::memcpy(std::ranges::data(out), std::ranges::data(in), ranges::size_bytes(out));
181}
References Botan::ranges::assert_equal_byte_lengths(), and Botan::ranges::size_bytes().
Referenced by decode_point(), decode_scalar(), Botan::Roughtime::Response::from_bits(), Botan::detail::load_any(), Botan::detail::load_any(), Botan::Roughtime::Nonce::Nonce(), Botan::detail::store_any(), Botan::detail::store_any(), typecast_copy(), typecast_copy(), typecast_copy(), typecast_copy(), typecast_copy(), typecast_copy(), typecast_copy(), typecast_copy(), xor_buf(), and xor_buf().
◆ typecast_copy() [7/9]
template<typename ToT , ranges::contiguous_range FromR>
requires std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>> && std::is_trivially_copyable_v<ToT> && (!std::ranges::range<ToT>)
requires std::is_trivially_copyable_v<std::ranges::range_value_t<FromR>> && std::is_trivially_copyable_v<ToT> && (!std::ranges::range<ToT>)
|
inlineconstexprnoexcept |
Copy a range of trivially copyable type into an instance of trivially copyable type with matching length.
Definition at line 190 of file mem_ops.h.
References typecast_copy().
◆ typecast_copy() [8/9]
Definition at line 238 of file mem_ops.h.
238 {
239 // asserts that *out points to the correct amount of memory
241}
References T, and typecast_copy().
◆ typecast_copy() [9/9]
|
inlineconstexpr |
Definition at line 220 of file mem_ops.h.
222{
223 // asserts that *in and *out point to the correct amount of memory
225}
References T, and typecast_copy().
◆ ucs2_to_utf8()
| BOTAN_TEST_API std::string Botan::ucs2_to_utf8 | ( | const uint8_t | ucs2[], |
| size_t | len ) |
Convert a sequence of UCS-2 (big endian) characters to a UTF-8 string This is used for ASN.1 BMPString type
- Parameters
-
ucs2 the sequence of UCS-2 characters len length of ucs2 in bytes, must be a multiple of 2
Definition at line 54 of file charset.cpp.
54 {
55 if(len % 2 != 0) {
57 }
58
59 const size_t chars = len / 2;
60
61 std::string s;
62 for(size_t i = 0; i != chars; ++i) {
63 const uint32_t c = load_be<uint16_t>(ucs2, i);
64 append_utf8_for(s, c);
65 }
66
67 return s;
68}
References load_be().
Referenced by Botan::ASN1_String::decode_from().
◆ ucs4_to_utf8()
| BOTAN_TEST_API std::string Botan::ucs4_to_utf8 | ( | const uint8_t | ucs4[], |
| size_t | len ) |
Convert a sequence of UCS-4 (big endian) characters to a UTF-8 string This is used for ASN.1 UniversalString type
- Parameters
-
ucs4 the sequence of UCS-4 characters len length of ucs4 in bytes, must be a multiple of 4
Definition at line 70 of file charset.cpp.
70 {
71 if(len % 4 != 0) {
73 }
74
75 const size_t chars = len / 4;
76
77 std::string s;
78 for(size_t i = 0; i != chars; ++i) {
79 const uint32_t c = load_be<uint32_t>(ucs4, i);
80 append_utf8_for(s, c);
81 }
82
83 return s;
84}
References load_be().
Referenced by Botan::ASN1_String::decode_from().
◆ unlock()
template<typename T >
| std::vector< T > Botan::unlock | ( | const secure_vector< T > & | in | ) |
Definition at line 75 of file secmem.h.
75 {
76 return std::vector<T>(in.begin(), in.end());
77}
Referenced by Botan::OCSP::CertID::CertID(), Botan::Roughtime::Chain::Chain(), Botan::DL_Group::DL_Group(), Botan::DL_Group::DL_Group_from_PEM(), Botan::KeyPair::encryption_consistency_check(), Botan::OCSP::CertID::is_id_for(), and Botan::Cipher_Mode_Filter::set_iv().
◆ unwrap_strong_type()
Generically unwraps a strong type to its underlying type.
If the provided type is not a strong type, it is returned as is.
- Note
- This is meant as a helper for generic code that needs to deal with both wrapped strong types and bare objects. Use the ordinary
get()method if you know that you are dealing with a strong type.
- Parameters
-
t value to be unwrapped
- Returns
- the unwrapped value
Definition at line 198 of file strong_type.h.
198 {
200 // If the parameter type isn't a strong type, return it as is.
201 return std::forward<T>(t);
202 } else {
203 // Unwrap the strong type and return the underlying value.
204 return std::forward<T>(t).get();
205 }
206}
Definition concepts.h:196
Referenced by checked_cast_to_or_throw(), Botan::detail::concatenate(), and Botan::detail::unwrap_strong_type_or_enum().
◆ value_exists()
template<typename T , typename OT >
| bool Botan::value_exists | ( | const std::vector< T > & | vec, |
| const OT & | val ) |
Existence check for values
Definition at line 60 of file stl_util.h.
60 {
61 for(size_t i = 0; i != vec.size(); ++i) {
62 if(vec[i] == val) {
63 return true;
64 }
65 }
66 return false;
67}
Referenced by Botan::TLS::Policy::acceptable_ciphersuite(), Botan::TLS::Policy::allowed_signature_hash(), Botan::TLS::Policy::allowed_signature_method(), Botan::TLS::Certificate_Type_Base::Certificate_Type_Base(), Botan::TLS::Policy::choose_key_exchange_group(), Botan::TLS::Policy::ciphersuite_list(), Botan::TLS::Client_Hello_12::Client_Hello_12(), Botan::TLS::Server_Hello_13::create(), Botan::TPM2::Context::find_free_persistent_handle(), Botan::TLS::Hello_Retry_Request::Hello_Retry_Request(), Botan::TLS::Signature_Scheme::is_available(), Botan::TLS::Server_Impl_13::new_session_ticket_supported(), Botan::TPM2::Context::persist(), Botan::TLS::Key_Share::retry_offer(), Botan::TLS::Supported_Groups::Supported_Groups(), and Botan::TLS::Certificate_Type_Base::validate_selection().
◆ var_ctz32()
|
inlineconstexpr |
◆ vartime_divide()
| BOTAN_TEST_API void Botan::vartime_divide | ( | const BigInt & | x, |
| const BigInt & | y, | ||
| BigInt & | q, | ||
| BigInt & | r ) |
BigInt Division
- Parameters
-
x an integer y a non-zero integer q will be set to x / y r will be set to x % y
Definition at line 155 of file divide.cpp.
155 {
156 if(y_arg.is_zero()) {
158 }
159
160 const size_t y_words = y_arg.sig_words();
161
162 BOTAN_ASSERT_NOMSG(y_words > 0);
163
164 BigInt y = y_arg;
165
166 BigInt r = x;
167 BigInt q = BigInt::zero();
168 secure_vector<word> ws;
169
170 r.set_sign(BigInt::Positive);
171 y.set_sign(BigInt::Positive);
172
173 // Calculate shifts needed to normalize y with high bit set
174 const size_t shifts = y.top_bits_free();
175
176 y <<= shifts;
177 r <<= shifts;
178
179 // we know y has not changed size, since we only shifted up to set high bit
180 const size_t t = y_words - 1;
181 const size_t n = std::max(y_words, r.sig_words()) - 1; // r may have changed size however
182
183 BOTAN_ASSERT_NOMSG(n >= t);
184
185 q.grow_to(n - t + 1);
186
187 word* q_words = q.mutable_data();
188
189 BigInt shifted_y = y << (BOTAN_MP_WORD_BITS * (n - t));
190
191 // Set q_{n-t} to number of times r > shifted_y
192 q_words[n - t] = r.reduce_below(shifted_y, ws);
193
194 const word y_t0 = y.word_at(t);
195 const word y_t1 = y.word_at(t - 1);
197
198 for(size_t j = n; j != t; --j) {
199 const word x_j0 = r.word_at(j);
200 const word x_j1 = r.word_at(j - 1);
201 const word x_j2 = r.word_at(j - 2);
202
203 word qjt = bigint_divop_vartime(x_j0, x_j1, y_t0);
204
205 qjt = CT::Mask<word>::is_equal(x_j0, y_t0).select(WordInfo<word>::max, qjt);
206
207 // Per HAC 14.23, this operation is required at most twice
208 qjt -= division_check(qjt, y_t0, y_t1, x_j0, x_j1, x_j2);
209 qjt -= division_check(qjt, y_t0, y_t1, x_j0, x_j1, x_j2);
211
212 shifted_y >>= BOTAN_MP_WORD_BITS;
213 // Now shifted_y == y << (BOTAN_MP_WORD_BITS * (j-t-1))
214
215 // TODO this sequence could be better
216 r -= qjt * shifted_y;
217 qjt -= r.is_negative();
218 r += static_cast<word>(r.is_negative()) * shifted_y;
219
220 q_words[j - t - 1] = qjt;
221 }
222
223 r >>= shifts;
224
225 sign_fixup(x, y_arg, q, r);
226
227 r_out = r;
228 q_out = q;
229}
References bigint_divop_vartime(), BOTAN_ASSERT_NOMSG, BOTAN_DEBUG_ASSERT, BOTAN_MP_WORD_BITS, Botan::BigInt::grow_to(), Botan::CT::Mask< T >::is_equal(), Botan::BigInt::is_negative(), Botan::BigInt::is_zero(), Botan::BigInt::mutable_data(), Botan::BigInt::Positive, Botan::BigInt::reduce_below(), Botan::BigInt::set_sign(), Botan::BigInt::sig_words(), Botan::BigInt::top_bits_free(), Botan::BigInt::word_at(), and Botan::BigInt::zero().
Referenced by botan_mp_div(), operator%(), and operator/().
◆ verify_signature()
| BOTAN_TEST_API bool Botan::verify_signature | ( | std::span< const uint8_t, ED448_LEN > | pk, |
| bool | phflag, | ||
| std::span< const uint8_t > | context, | ||
| std::span< const uint8_t > | sig, | ||
| std::span< const uint8_t > | msg ) |
Verify a signature(RFC 8032 5.2.7)
- Parameters
-
pk the public key phflag the prehash flag (true iff using Ed448ph) context the context string sig the signature msg the message to verify
- Exceptions
-
Decoding_Error if the public key or signature is malformed
- Returns
- true if the signature is valid
Definition at line 283 of file ed448_internal.cpp.
287 {
288 // RFC 8032 5.2.7. Verify
289 // 1. To verify a signature on a message M using context C and public
290 // key A, with F being 0 for Ed448 and 1 for Ed448ph, first split
291 // the signature into two 57-octet halves. Decode the first half as
292 // a point R, and the second half as an integer S, in the range 0 <=
293 // s < L. Decode the public key A as point A’. If any of the
294 // decodings fail (including S being out of range), the signature is
295 // invalid.
296 if(sig.size() != 2 * ED448_LEN) {
297 // Wrong signature size
299 }
300 const auto [big_r_bytes, big_s_bytes] = split(sig.first<2 * ED448_LEN>());
301 const auto big_r = Ed448Point::decode(big_r_bytes);
302 if(!Scalar448::bytes_are_reduced(big_s_bytes)) {
303 // S not in range 0 <= s < L
304 throw Decoding_Error("Ed448 signature has invalid S");
305 }
306 const Scalar448 big_s(big_s_bytes);
307 // 2. Compute SHAKE256(dom4(F, C) || R || A || PH(M), 114), and
308 // interpret the 114-octet digest as a little-endian integer k.
309 const Scalar448 k(shake(phflag, context, big_r_bytes, pk, msg));
310 // 3. Check the group equation [4][S]B = [4]R + [4][k]A’. It’s
311 // sufficient, but not required, to instead check [S]B = R + [k]A’.
312 return (big_s * Ed448Point::base_point()) == (big_r + k * Ed448Point::decode(pk));
313}
References Botan::Ed448Point::base_point(), Botan::Scalar448::bytes_are_reduced(), Botan::Ed448Point::decode(), and ED448_LEN.
Referenced by Botan::Roughtime::Response::from_bits().
◆ version_cstr()
| const char * Botan::version_cstr | ( | ) |
Same as version_string() except returning a pointer to a statically allocated string.
- Returns
- version string
Definition at line 33 of file version.cpp.
33 {
34 /*
35 It is intentional that this string is a compile-time constant;
36 it makes it much easier to find in binaries.
37 */
38
39 return "Botan " STR(BOTAN_VERSION_MAJOR) "." STR(BOTAN_VERSION_MINOR) "." STR(BOTAN_VERSION_PATCH)
40#if defined(BOTAN_VERSION_SUFFIX)
41 STR(BOTAN_VERSION_SUFFIX)
42#endif
43 " ("
44#if defined(BOTAN_UNSAFE_FUZZER_MODE) || defined(BOTAN_TERMINATE_ON_ASSERTS)
45 "UNSAFE "
46 #if defined(BOTAN_UNSAFE_FUZZER_MODE)
47 "FUZZER MODE "
48 #endif
49 #if defined(BOTAN_TERMINATE_ON_ASSERTS)
50 "TERMINATE ON ASSERTS "
51 #endif
52 "BUILD "
53#endif
55#if(BOTAN_VERSION_DATESTAMP != 0)
57#endif
59}
References BOTAN_DISTRIBUTION_INFO, BOTAN_VERSION_DATESTAMP, BOTAN_VERSION_MAJOR, BOTAN_VERSION_MINOR, BOTAN_VERSION_PATCH, BOTAN_VERSION_RELEASE_TYPE, BOTAN_VERSION_VC_REVISION, and STR.
Referenced by botan_version_string(), and version_string().
◆ version_datestamp()
| uint32_t Botan::version_datestamp | ( | ) |
Return the date this version of botan was released, in an integer of the form YYYYMMDD. For instance a version released on May 21, 2013 would return the integer 20130521. If the currently running version is not an official release, this function will return 0 instead.
- Returns
- release date, or zero if unreleased
Definition at line 75 of file version.cpp.
References BOTAN_VERSION_DATESTAMP.
Referenced by botan_version_datestamp().
◆ version_major()
| uint32_t Botan::version_major | ( | ) |
Get the major version number.
- Returns
- major version number
Definition at line 82 of file version.cpp.
References BOTAN_VERSION_MAJOR.
Referenced by botan_version_major(), and runtime_version_check().
◆ version_minor()
| uint32_t Botan::version_minor | ( | ) |
Get the minor version number.
- Returns
- minor version number
Definition at line 86 of file version.cpp.
References BOTAN_VERSION_MINOR.
Referenced by botan_version_minor(), and runtime_version_check().
◆ version_patch()
| uint32_t Botan::version_patch | ( | ) |
Get the patch number.
- Returns
- patch number
Definition at line 90 of file version.cpp.
References BOTAN_VERSION_PATCH.
Referenced by botan_version_patch(), and runtime_version_check().
◆ version_string()
| std::string Botan::version_string | ( | ) |
Get a human-readable single-line string identifying the version of Botan. No particular format should be assumed.
- Returns
- version string
Definition at line 67 of file version.cpp.
67 {
69}
References version_cstr().
◆ word3_add()
template<WordType W>
|
inlineconstexpr |
Definition at line 520 of file mp_asmi.h.
520 {
521#if defined(BOTAN_MP_USE_X86_64_ASM)
522 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
523 asm(R"(
524 addq %[x],%[w0]
525 adcq $0,%[w1]
526 adcq $0,%[w2]
527 )"
528 : [w0] "=r"(*w0), [w1] "=r"(*w1), [w2] "=r"(*w2)
529 : [x] "r"(x), "0"(*w0), "1"(*w1), "2"(*w2)
530 : "cc");
531 return;
532 }
533#endif
534
535 *w0 += x;
536 W c1 = (*w0 < x);
537 *w1 += c1;
538 W c2 = (*w1 < c1);
539 *w2 += c2;
540}
Referenced by Botan::word3< W >::add().
◆ word3_muladd()
template<WordType W>
|
inlineconstexpr |
Definition at line 490 of file mp_asmi.h.
490 {
491#if defined(BOTAN_MP_USE_X86_64_ASM)
492 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
493 W z0 = 0, z1 = 0;
494
495 asm("mulq %[y]" : "=a"(z0), "=d"(z1) : "a"(x), [y] "rm"(y) : "cc");
496
497 asm(R"(
498 addq %[z0],%[w0]
499 adcq %[z1],%[w1]
500 adcq $0,%[w2]
501 )"
502 : [w0] "=r"(*w0), [w1] "=r"(*w1), [w2] "=r"(*w2)
503 : [z0] "r"(z0), [z1] "r"(z1), "0"(*w0), "1"(*w1), "2"(*w2)
504 : "cc");
505 return;
506 }
507#endif
508
509 W carry = *w0;
510 *w0 = word_madd2(x, y, &carry);
511 *w1 += carry;
512 *w2 += (*w1 < carry);
513}
References carry(), and word_madd2().
Referenced by Botan::word3< W >::mul().
◆ word3_muladd_2()
template<WordType W>
|
inlineconstexpr |
Definition at line 547 of file mp_asmi.h.
547 {
548#if defined(BOTAN_MP_USE_X86_64_ASM)
549 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
550 W z0 = 0, z1 = 0;
551
552 asm("mulq %[y]" : "=a"(z0), "=d"(z1) : "a"(x), [y] "rm"(y) : "cc");
553
554 asm(R"(
555 addq %[z0],%[w0]
556 adcq %[z1],%[w1]
557 adcq $0,%[w2]
558
559 addq %[z0],%[w0]
560 adcq %[z1],%[w1]
561 adcq $0,%[w2]
562 )"
563 : [w0] "=r"(*w0), [w1] "=r"(*w1), [w2] "=r"(*w2)
564 : [z0] "r"(z0), [z1] "r"(z1), "0"(*w0), "1"(*w1), "2"(*w2)
565 : "cc");
566 return;
567 }
568#endif
569
570 W carry = 0;
571 x = word_madd2(x, y, &carry);
572 y = carry;
573
574 const size_t top_bit_shift = WordInfo<W>::bits - 1;
575
576 W top = (y >> top_bit_shift);
577 y <<= 1;
578 y |= (x >> top_bit_shift);
579 x <<= 1;
580
581 carry = 0;
582 *w0 = word_add(*w0, x, &carry);
583 *w1 = word_add(*w1, y, &carry);
584 *w2 = word_add(*w2, top, &carry);
585}
References carry(), word_add(), and word_madd2().
Referenced by Botan::word3< W >::mul_x2().
◆ word4_add3()
template<WordType W>
|
inlineconstexpr |
Definition at line 259 of file mp_asmi.h.
259 {
260#if defined(BOTAN_MP_USE_X86_64_ASM)
261 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
262 asm volatile(ADD_OR_SUBTRACT(DO_4_TIMES(ADDSUB3_OP, "adcq"))
265 : "cc", "memory");
267 }
268#endif
269
270 z[0] = word_add(x[0], y[0], &carry);
271 z[1] = word_add(x[1], y[1], &carry);
272 z[2] = word_add(x[2], y[2], &carry);
273 z[3] = word_add(x[3], y[3], &carry);
274 return carry;
275}
References carry(), and word_add().
Referenced by bigint_add().
◆ word4_sub3()
template<WordType W>
|
inlineconstexpr |
Definition at line 389 of file mp_asmi.h.
389 {
390#if defined(BOTAN_MP_USE_X86_64_ASM)
391 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
392 asm volatile(ADD_OR_SUBTRACT(DO_4_TIMES(ADDSUB3_OP, "sbbq"))
395 : "cc", "memory");
397 }
398#endif
399
400 z[0] = word_sub(x[0], y[0], &carry);
401 z[1] = word_sub(x[1], y[1], &carry);
402 z[2] = word_sub(x[2], y[2], &carry);
403 z[3] = word_sub(x[3], y[3], &carry);
404 return carry;
405}
References carry(), and word_sub().
Referenced by bigint_monty_maybe_sub().
◆ word8_add2()
template<WordType W>
|
inlineconstexpr |
Definition at line 210 of file mp_asmi.h.
210 {
211#if defined(BOTAN_MP_USE_X86_64_ASM)
212 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
213 asm(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB2_OP, "adcq"))
216 : "cc", "memory");
218 }
219#endif
220
221 x[0] = word_add(x[0], y[0], &carry);
222 x[1] = word_add(x[1], y[1], &carry);
223 x[2] = word_add(x[2], y[2], &carry);
224 x[3] = word_add(x[3], y[3], &carry);
225 x[4] = word_add(x[4], y[4], &carry);
226 x[5] = word_add(x[5], y[5], &carry);
227 x[6] = word_add(x[6], y[6], &carry);
228 x[7] = word_add(x[7], y[7], &carry);
229 return carry;
230}
References carry(), and word_add().
Referenced by bigint_add2_nc().
◆ word8_add3()
template<WordType W>
|
inlineconstexpr |
Definition at line 236 of file mp_asmi.h.
236 {
237#if defined(BOTAN_MP_USE_X86_64_ASM)
238 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
239 asm volatile(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "adcq"))
242 : "cc", "memory");
244 }
245#endif
246
247 z[0] = word_add(x[0], y[0], &carry);
248 z[1] = word_add(x[1], y[1], &carry);
249 z[2] = word_add(x[2], y[2], &carry);
250 z[3] = word_add(x[3], y[3], &carry);
251 z[4] = word_add(x[4], y[4], &carry);
252 z[5] = word_add(x[5], y[5], &carry);
253 z[6] = word_add(x[6], y[6], &carry);
254 z[7] = word_add(x[7], y[7], &carry);
255 return carry;
256}
References carry(), and word_add().
Referenced by bigint_add(), bigint_add3_nc(), bigint_cnd_add(), bigint_cnd_add_or_sub(), and bigint_cnd_addsub().
◆ word8_linmul2()
template<WordType W>
|
inlineconstexpr |
Definition at line 411 of file mp_asmi.h.
411 {
412#if defined(BOTAN_MP_USE_X86_64_ASM)
413 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
414 asm(DO_8_TIMES(LINMUL_OP, "x")
417 : "cc", "%rax", "%rdx");
419 }
420#endif
421
422 x[0] = word_madd2(x[0], y, &carry);
423 x[1] = word_madd2(x[1], y, &carry);
424 x[2] = word_madd2(x[2], y, &carry);
425 x[3] = word_madd2(x[3], y, &carry);
426 x[4] = word_madd2(x[4], y, &carry);
427 x[5] = word_madd2(x[5], y, &carry);
428 x[6] = word_madd2(x[6], y, &carry);
429 x[7] = word_madd2(x[7], y, &carry);
430 return carry;
431}
References carry(), and word_madd2().
Referenced by bigint_linmul2().
◆ word8_linmul3()
template<WordType W>
|
inlineconstexpr |
Definition at line 437 of file mp_asmi.h.
437 {
438#if defined(BOTAN_MP_USE_X86_64_ASM)
439 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
440 asm(DO_8_TIMES(LINMUL_OP, "z")
443 : "cc", "%rax", "%rdx");
445 }
446#endif
447
448 z[0] = word_madd2(x[0], y, &carry);
449 z[1] = word_madd2(x[1], y, &carry);
450 z[2] = word_madd2(x[2], y, &carry);
451 z[3] = word_madd2(x[3], y, &carry);
452 z[4] = word_madd2(x[4], y, &carry);
453 z[5] = word_madd2(x[5], y, &carry);
454 z[6] = word_madd2(x[6], y, &carry);
455 z[7] = word_madd2(x[7], y, &carry);
456 return carry;
457}
References carry(), and word_madd2().
Referenced by bigint_linmul3().
◆ word8_madd3()
template<WordType W>
|
inlineconstexpr |
Definition at line 463 of file mp_asmi.h.
463 {
464#if defined(BOTAN_MP_USE_X86_64_ASM)
465 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
466 asm(DO_8_TIMES(MULADD_OP, "")
469 : "cc", "%rax", "%rdx");
471 }
472#endif
473
474 z[0] = word_madd3(x[0], y, z[0], &carry);
475 z[1] = word_madd3(x[1], y, z[1], &carry);
476 z[2] = word_madd3(x[2], y, z[2], &carry);
477 z[3] = word_madd3(x[3], y, z[3], &carry);
478 z[4] = word_madd3(x[4], y, z[4], &carry);
479 z[5] = word_madd3(x[5], y, z[5], &carry);
480 z[6] = word_madd3(x[6], y, z[6], &carry);
481 z[7] = word_madd3(x[7], y, z[7], &carry);
482 return carry;
483}
References carry(), and word_madd3().
Referenced by basecase_mul(), and basecase_sqr().
◆ word8_sub2()
template<WordType W>
|
inlineconstexpr |
Definition at line 314 of file mp_asmi.h.
314 {
315#if defined(BOTAN_MP_USE_X86_64_ASM)
316 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
317 asm(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB2_OP, "sbbq"))
320 : "cc", "memory");
322 }
323#endif
324
325 x[0] = word_sub(x[0], y[0], &carry);
326 x[1] = word_sub(x[1], y[1], &carry);
327 x[2] = word_sub(x[2], y[2], &carry);
328 x[3] = word_sub(x[3], y[3], &carry);
329 x[4] = word_sub(x[4], y[4], &carry);
330 x[5] = word_sub(x[5], y[5], &carry);
331 x[6] = word_sub(x[6], y[6], &carry);
332 x[7] = word_sub(x[7], y[7], &carry);
333 return carry;
334}
References carry(), and word_sub().
Referenced by bigint_sub2().
◆ word8_sub2_rev()
template<WordType W>
|
inlineconstexpr |
Definition at line 340 of file mp_asmi.h.
340 {
341#if defined(BOTAN_MP_USE_X86_64_ASM)
342 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
343 asm(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "sbbq"))
346 : "cc", "memory");
348 }
349#endif
350
351 x[0] = word_sub(y[0], x[0], &carry);
352 x[1] = word_sub(y[1], x[1], &carry);
353 x[2] = word_sub(y[2], x[2], &carry);
354 x[3] = word_sub(y[3], x[3], &carry);
355 x[4] = word_sub(y[4], x[4], &carry);
356 x[5] = word_sub(y[5], x[5], &carry);
357 x[6] = word_sub(y[6], x[6], &carry);
358 x[7] = word_sub(y[7], x[7], &carry);
359 return carry;
360}
References carry(), and word_sub().
Referenced by bigint_sub2_rev().
◆ word8_sub3()
template<WordType W>
|
inlineconstexpr |
Definition at line 366 of file mp_asmi.h.
366 {
367#if defined(BOTAN_MP_USE_X86_64_ASM)
368 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
369 asm volatile(ADD_OR_SUBTRACT(DO_8_TIMES(ADDSUB3_OP, "sbbq"))
372 : "cc", "memory");
374 }
375#endif
376
377 z[0] = word_sub(x[0], y[0], &carry);
378 z[1] = word_sub(x[1], y[1], &carry);
379 z[2] = word_sub(x[2], y[2], &carry);
380 z[3] = word_sub(x[3], y[3], &carry);
381 z[4] = word_sub(x[4], y[4], &carry);
382 z[5] = word_sub(x[5], y[5], &carry);
383 z[6] = word_sub(x[6], y[6], &carry);
384 z[7] = word_sub(x[7], y[7], &carry);
385 return carry;
386}
References carry(), and word_sub().
Referenced by bigint_cnd_add_or_sub(), bigint_cnd_addsub(), bigint_cnd_sub(), bigint_monty_maybe_sub(), bigint_monty_maybe_sub(), bigint_sub3(), and bigint_sub_abs().
◆ word_add()
template<WordType W>
|
inlineconstexpr |
Definition at line 177 of file mp_asmi.h.
177 {
178 if(!std::is_constant_evaluated()) {
179#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_addc)
180 if constexpr(std::same_as<W, unsigned int>) {
181 return __builtin_addc(x, y, *carry & 1, carry);
182 } else if constexpr(std::same_as<W, unsigned long>) {
183 return __builtin_addcl(x, y, *carry & 1, carry);
184 } else if constexpr(std::same_as<W, unsigned long long>) {
185 return __builtin_addcll(x, y, *carry & 1, carry);
186 }
187#elif defined(BOTAN_MP_USE_X86_64_ASM)
188 if(std::same_as<W, uint64_t>) {
189 asm(ADD_OR_SUBTRACT(ASM("adcq %[y],%[x]"))
192 : "cc");
193 return x;
194 }
195#endif
196 }
197
199 W z = x + y;
200 W c1 = (z < x);
201 z += cb;
202 *carry = c1 | (z < cb);
203 return z;
204}
References carry().
Referenced by bigint_add2_nc(), bigint_add3_nc(), bigint_cnd_abs(), bigint_cnd_add(), bigint_cnd_add_or_sub(), bigint_cnd_addsub(), word3_muladd_2(), word4_add3(), word8_add2(), and word8_add3().
◆ word_madd2()
template<WordType W>
|
inlineconstexpr |
Definition at line 66 of file mp_asmi.h.
66 {
67#if defined(BOTAN_MP_USE_X86_64_ASM)
68 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
69 asm(R"(
70 mulq %[b]
71 addq %[c],%[a]
72 adcq $0,%[carry]
73 )"
76 : "cc");
77
78 return a;
79 }
80#endif
81
82 typedef typename WordInfo<W>::dword dword;
83 const dword s = dword(a) * b + *c;
84 *c = static_cast<W>(s >> WordInfo<W>::bits);
85 return static_cast<W>(s);
86}
Referenced by bigint_linmul2(), bigint_linmul3(), bigint_modop_vartime(), redc_crandall(), word3_muladd(), word3_muladd_2(), word8_linmul2(), and word8_linmul3().
◆ word_madd3()
template<WordType W>
|
inlineconstexpr |
Definition at line 92 of file mp_asmi.h.
92 {
93#if defined(BOTAN_MP_USE_X86_64_ASM)
94 if(std::same_as<W, uint64_t> && !std::is_constant_evaluated()) {
95 asm(R"(
96 mulq %[b]
97
98 addq %[c],%[a]
99 adcq $0,%[carry]
100
101 addq %[d],%[a]
102 adcq $0,%[carry]
103 )"
106 : "cc");
107
108 return a;
109 }
110#endif
111
112 typedef typename WordInfo<W>::dword dword;
113 const dword s = dword(a) * b + c + *d;
114 *d = static_cast<W>(s >> WordInfo<W>::bits);
115 return static_cast<W>(s);
116}
Referenced by basecase_mul(), basecase_sqr(), redc_crandall(), and word8_madd3().
◆ word_sub()
template<WordType W>
|
inlineconstexpr |
Definition at line 281 of file mp_asmi.h.
281 {
282 if(!std::is_constant_evaluated()) {
283#if BOTAN_COMPILER_HAS_BUILTIN(__builtin_subc)
284 if constexpr(std::same_as<W, unsigned int>) {
285 return __builtin_subc(x, y, *carry & 1, carry);
286 } else if constexpr(std::same_as<W, unsigned long>) {
287 return __builtin_subcl(x, y, *carry & 1, carry);
288 } else if constexpr(std::same_as<W, unsigned long long>) {
289 return __builtin_subcll(x, y, *carry & 1, carry);
290 }
291#elif defined(BOTAN_MP_USE_X86_64_ASM)
292 if(std::same_as<W, uint64_t>) {
293 asm(ADD_OR_SUBTRACT(ASM("sbbq %[y],%[x]"))
296 : "cc");
297 return x;
298 }
299#endif
300 }
301
303 W t0 = x - y;
304 W c1 = (t0 > x);
305 W z = t0 - cb;
306 *carry = c1 | (z > t0);
307 return z;
308}
References carry().
Referenced by bigint_cnd_add_or_sub(), bigint_cnd_addsub(), bigint_cnd_sub(), bigint_monty_maybe_sub(), bigint_monty_maybe_sub(), bigint_sub2(), bigint_sub2_rev(), bigint_sub3(), bigint_sub_abs(), word4_sub3(), word8_sub2(), word8_sub2_rev(), and word8_sub3().
◆ words_for_bits()
|
constexpr |
Definition at line 18 of file curve448_scalar.h.
18 {
19 constexpr size_t word_bits = sizeof(word) * 8;
20 return (x + word_bits - 1) / word_bits;
21}
◆ wots_public_key_from_signature()
| BOTAN_TEST_API WotsPublicKey Botan::wots_public_key_from_signature | ( | const SphincsTreeNode & | hashed_message, |
| StrongSpan< const WotsSignature > | signature, | ||
| Sphincs_Address & | address, | ||
| const Sphincs_Parameters & | params, | ||
| Sphincs_Hash_Functions & | hashes ) |
FIPS 205, Algorithm 8: wots_pkFromSig.
Reconstructs the WOTS public key from a given WOTS signature and message. This is tailored for the use case in the SLH-DSA implementation and is not meant for general usability in non SLH-DSA algorithms.
Definition at line 103 of file sp_wots.cpp.
107 {
110 BufferSlicer sig(signature);
111 BufferStuffer pk(pk_buffer);
112
114 address.set_chain_address(i);
115
116 // params.w() can be one of {4, 8, 256}
119
122 start_index,
123 steps_to_take,
124 address,
125 hashes,
126 params);
127 }
128
129 return pk_buffer;
130}
Sphincs_Address & set_chain_address(WotsChainIndex chain)
Definition sp_address.h:84
std::vector< WotsHashIndex > chain_lengths(const SphincsTreeNode &msg, const Sphincs_Parameters ¶ms)
Definition sp_wots.cpp:91
References chain_lengths(), Botan::detail::Strong_Base< T >::get(), Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::Sphincs_Address::set_chain_address(), Botan::BufferSlicer::take(), Botan::Sphincs_Parameters::w(), and Botan::Sphincs_Parameters::wots_len().
Referenced by ht_verify().
◆ wots_sign_and_pkgen()
| BOTAN_TEST_API void Botan::wots_sign_and_pkgen | ( | StrongSpan< WotsSignature > | sig_out, |
| StrongSpan< SphincsTreeNode > | leaf_out, | ||
| const SphincsSecretSeed & | secret_seed, | ||
| TreeNodeIndex | leaf_idx, | ||
| std::optional< TreeNodeIndex > | sign_leaf_idx, | ||
| const std::vector< WotsHashIndex > & | wots_steps, | ||
| Sphincs_Address & | leaf_addr, | ||
| Sphincs_Address & | pk_addr, | ||
| const Sphincs_Parameters & | params, | ||
| Sphincs_Hash_Functions & | hashes ) |
FIPS 205, Algorithm 6 and 7: wots_pkGen and wots_sign.
Implements a domain specific wrapper for the one-time signature scheme WOTS+ (Winternitz OTS). It is meant to be used inside SLH-DSA and does not aim to be applicable for other use cases. If this function is not used in a signing operation (i.e. sign_leaf_idx is not set), wots_steps may be empty.
Definition at line 132 of file sp_wots.cpp.
141 {
142 // `wots_steps` are needed only if `sign_leaf_idx` is set
145
146 secure_vector<uint8_t> wots_sig;
148
149 BufferStuffer wots_pk(wots_pk_buffer);
150 BufferStuffer sig(sig_out);
151
152 leaf_addr.set_keypair_address(leaf_idx);
153 pk_addr.set_keypair_address(leaf_idx);
154
156 // If the current leaf is part of the signature wots_k stores the chain index
157 // of the value neccessary for the signature. Otherwise: nullopt (no signature)
158 const auto wots_k = [&]() -> std::optional<WotsHashIndex> {
159 if(sign_leaf_idx.has_value() && leaf_idx == sign_leaf_idx.value()) {
160 return wots_steps[i.get()];
161 } else {
162 return std::nullopt;
163 }
164 }();
165
166 // Start with the secret seed
167 leaf_addr.set_chain_address(i);
169 leaf_addr.set_type(Sphincs_Address_Type::WotsKeyGeneration);
170
172
173 hashes.PRF(buffer_s, secret_seed, leaf_addr);
174
175 leaf_addr.set_type(Sphincs_Address_Type::WotsHash);
176
177 // Iterates down the WOTS chain
178 for(WotsHashIndex k(0);; k++) {
179 // Check if this is the value that needs to be saved as a part of the WOTS signature
180 if(wots_k.has_value() && k == wots_k.value()) {
181 std::copy(buffer_s.begin(), buffer_s.end(), sig.next<WotsNode>(params.n()).begin());
182 }
183
184 // Check if the top of the chain was hit
186 break;
187 }
188
189 // Iterate one step on the chain
190 leaf_addr.set_hash_address(k);
191
192 hashes.T(buffer_s, leaf_addr, buffer_s);
193 }
194 }
195
196 // Do the final thash to generate the public keys
197 hashes.T(leaf_out, pk_addr, wots_pk_buffer);
198}
Sphincs_Address & set_hash_address(WotsHashIndex hash)
Definition sp_address.h:94
Sphincs_Address & set_keypair_address(TreeNodeIndex keypair)
Definition sp_address.h:79
Sphincs_Address & set_type(Sphincs_Address_Type type)
Definition sp_address.h:74
Strong< uint8_t, struct WotsHashIndex_, EnableArithmeticWithPlainNumber > WotsHashIndex
Index of a hash application inside a single WOTS chain (integers in "base_w")
Definition sp_types.h:98
Strong< secure_vector< uint8_t >, struct WotsNode_ > WotsNode
Start (or intermediate) node of a WOTS+ chain.
Definition sp_types.h:79
References Botan::detail::Strong_Adapter< T >::begin(), BOTAN_ASSERT_NOMSG, Botan::Sphincs_Address::get_type(), Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::Sphincs_Hash_Functions::PRF(), Botan::Sphincs_Address::set_chain_address(), Botan::Sphincs_Address::set_hash_address(), Botan::Sphincs_Address::set_keypair_address(), Botan::Sphincs_Address::set_type(), Botan::Sphincs_Hash_Functions::T(), Botan::Sphincs_Parameters::w(), Botan::Sphincs_Parameters::wots_bytes(), Botan::Sphincs_Parameters::wots_len(), WotsHash, WotsKeyGeneration, and WotsPublicKeyCompression.
Referenced by xmss_sign_and_pkgen().
◆ wrap_strong_type()
template<typename T , typename ParamT >
requires std::constructible_from<T, ParamT> || (concepts::strong_type<T> && std::constructible_from<typename T::wrapped_type, ParamT>)
requires std::constructible_from<T, ParamT> || (concepts::strong_type<T> && std::constructible_from<typename T::wrapped_type, ParamT>)
|
nodiscardconstexpr |
Wraps a value into a caller-defined (strong) type.
If the provided object t is already of type T, it is returned as is.
- Note
- This is meant as a helper for generic code that needs to deal with both wrapped strong types and bare objects. Use the ordinary constructor if you know that you are dealing with a bare value type.
- Parameters
-
t value to be wrapped
- Returns
- the wrapped value
Definition at line 223 of file strong_type.h.
223 {
225 // Noop, if the parameter type already is the desired return type.
226 return std::forward<ParamT>(t);
227 } else if constexpr(std::constructible_from<T, ParamT>) {
228 // Implicit conversion from the parameter type to the return type.
230 } else {
231 // Explicitly calling the wrapped type's constructor to support
232 // implicit conversions on types that mark their constructors as explicit.
233 static_assert(concepts::strong_type<T> && std::constructible_from<typename T::wrapped_type, ParamT>);
235 }
236}
References T.
Referenced by checked_cast_to_or_throw(), Botan::detail::load_any(), and Botan::detail::wrap_strong_type_or_enum().
◆ x448()
| BOTAN_TEST_API Point448 Botan::x448 | ( | const ScalarX448 & | k, |
| const Point448 & | u ) |
Multiply a scalar k with a point u.
- Parameters
-
k scalar u point on curve
- Returns
- k * u
Definition at line 48 of file x448_internal.cpp.
48 {
50
52 Gf448Elem x_2 = 1;
53 Gf448Elem z_2 = 0;
55 Gf448Elem z_3 = 1;
57
58 for(int16_t t = 448 - 1; t >= 0; --t) {
60 swap ^= k_t;
61
62 x_2.ct_cond_swap(swap.as_bool(), x_3);
63 z_2.ct_cond_swap(swap.as_bool(), z_3);
64 swap = k_t;
65
66 const auto A = x_2 + z_2;
68 const auto B = x_2 - z_2;
70 const auto E = AA - BB;
71 const auto C = x_3 + z_3;
72 const auto D = x_3 - z_3;
73 const auto DA = D * A;
74 const auto CB = C * B;
75 x_3 = square(DA + CB);
76 z_3 = x_1 * square(DA - CB);
77 x_2 = AA * BB;
78 z_2 = E * (AA + a24 * E);
79 }
80
81 x_2.ct_cond_swap(swap.as_bool(), x_3);
82 z_2.ct_cond_swap(swap.as_bool(), z_3);
83
84 const auto res = x_2 / z_2;
85
86 return Point448(res.to_bytes());
87}
void ct_cond_swap(bool b, Gf448Elem &other)
Swap this and other if b == true. Constant time for any b.
Definition curve448_gf.cpp:284
References Botan::CT::Mask< T >::cleared(), Botan::Gf448Elem::ct_cond_swap(), Botan::CT::Mask< T >::expand(), Botan::detail::Strong_Base< T >::get(), and square().
Referenced by x448_basepoint().
◆ x448_basepoint()
| BOTAN_TEST_API Point448 Botan::x448_basepoint | ( | const ScalarX448 & | k | ) |
Multiply a scalar with the base group element (5)
Multiply a scalar with the standard group element (5)
- Parameters
-
k scalar
- Returns
- encoded point
Definition at line 41 of file x448_internal.cpp.
References x448().
◆ x509_path_validate() [1/4]
| Path_Validation_Result Botan::x509_path_validate | ( | const std::vector< X509_Certificate > & | end_certs, |
| const Path_Validation_Restrictions & | restrictions, | ||
| const Certificate_Store & | store, | ||
| std::string_view | hostname = "", | ||
| Usage_Type | usage = Usage_Type::UNSPECIFIED, | ||
| std::chrono::system_clock::time_point | validation_time = std::chrono::system_clock::now(), | ||
| std::chrono::milliseconds | ocsp_timeout = std::chrono::milliseconds(0), | ||
| const std::vector< std::optional< OCSP::Response > > & | ocsp_resp = {} ) |
PKIX Path Validation
- Parameters
-
end_certs certificate chain to validate restrictions path validation restrictions store store that contains trusted certificates hostname if not empty, compared against the DNS name in end_certs[0] usage if not set to UNSPECIFIED, compared against the key usage in end_certs[0] validation_time what reference time to use for validation ocsp_timeout timeout for OCSP operations, 0 disables OCSP check ocsp_resp additional OCSP responses to consider (eg from peer)
- Returns
- result of the path validation
Definition at line 956 of file x509path.cpp.
963 {
964 std::vector<Certificate_Store*> trusted_roots;
966
967 return x509_path_validate(end_certs, restrictions, trusted_roots, hostname, usage, when, ocsp_timeout, ocsp_resp);
968}
Definition certstor.h:20
Path_Validation_Result x509_path_validate(const std::vector< X509_Certificate > &end_certs, const Path_Validation_Restrictions &restrictions, const std::vector< Certificate_Store * > &trusted_roots, std::string_view hostname, Usage_Type usage, std::chrono::system_clock::time_point ref_time, std::chrono::milliseconds ocsp_timeout, const std::vector< std::optional< OCSP::Response > > &ocsp_resp)
Definition x509path.cpp:882
References x509_path_validate().
◆ x509_path_validate() [2/4]
| Path_Validation_Result Botan::x509_path_validate | ( | const std::vector< X509_Certificate > & | end_certs, |
| const Path_Validation_Restrictions & | restrictions, | ||
| const std::vector< Certificate_Store * > & | trusted_roots, | ||
| std::string_view | hostname = "", | ||
| Usage_Type | usage = Usage_Type::UNSPECIFIED, | ||
| std::chrono::system_clock::time_point | validation_time = std::chrono::system_clock::now(), | ||
| std::chrono::milliseconds | ocsp_timeout = std::chrono::milliseconds(0), | ||
| const std::vector< std::optional< OCSP::Response > > & | ocsp_resp = {} ) |
PKIX Path Validation
- Parameters
-
end_certs certificate chain to validate (with end entity certificate in end_certs[0]) restrictions path validation restrictions trusted_roots list of certificate stores that contain trusted certificates hostname if not empty, compared against the DNS name in end_certs[0] usage if not set to UNSPECIFIED, compared against the key usage in end_certs[0] validation_time what reference time to use for validation ocsp_timeout timeout for OCSP operations, 0 disables OCSP check ocsp_resp additional OCSP responses to consider (eg from peer)
- Returns
- result of the path validation note: when enabled, OCSP check is softfail by default: if the OCSP server is not reachable, Path_Validation_Result::successful_validation() will return true. Hardfail OCSP check can be achieve by also calling Path_Validation_Result::no_warnings().
Definition at line 882 of file x509path.cpp.
889 {
890 if(end_certs.empty()) {
892 }
893
894 X509_Certificate end_entity = end_certs[0];
895 std::vector<X509_Certificate> end_entity_extra;
896 for(size_t i = 1; i < end_certs.size(); ++i) {
897 end_entity_extra.push_back(end_certs[i]);
898 }
899
900 std::vector<std::vector<X509_Certificate>> cert_paths;
901 Certificate_Status_Code path_building_result =
902 PKIX::build_all_certificate_paths(cert_paths, trusted_roots, end_entity, end_entity_extra);
903
904 // If we cannot successfully build a chain to a trusted self-signed root, stop now
905 if(path_building_result != Certificate_Status_Code::OK) {
906 return Path_Validation_Result(path_building_result);
907 }
908
909 std::vector<Path_Validation_Result> error_results;
910 // Try validating all the potentially valid paths and return the first one to validate properly
911 for(auto cert_path : cert_paths) {
912 CertificatePathStatusCodes status = PKIX::check_chain(cert_path, ref_time, hostname, usage, restrictions);
913
914 CertificatePathStatusCodes crl_status = PKIX::check_crl(cert_path, trusted_roots, ref_time);
915
916 CertificatePathStatusCodes ocsp_status;
917
918 if(!ocsp_resp.empty()) {
919 ocsp_status = PKIX::check_ocsp(cert_path, ocsp_resp, trusted_roots, ref_time, restrictions);
920 }
921
922 if(ocsp_status.empty() && ocsp_timeout != std::chrono::milliseconds(0)) {
923#if defined(BOTAN_TARGET_OS_HAS_THREADS) && defined(BOTAN_HAS_HTTP_UTIL)
924 ocsp_status = PKIX::check_ocsp_online(cert_path, trusted_roots, ref_time, ocsp_timeout, restrictions);
925#else
926 ocsp_status.resize(1);
927 ocsp_status[0].insert(Certificate_Status_Code::OCSP_NO_HTTP);
928#endif
929 }
930
931 PKIX::merge_revocation_status(status, crl_status, ocsp_status, restrictions);
932
933 Path_Validation_Result pvd(status, std::move(cert_path));
934 if(pvd.successful_validation()) {
935 return pvd;
936 } else {
937 error_results.push_back(std::move(pvd));
938 }
939 }
940 return error_results[0];
941}
std::vector< std::set< Certificate_Status_Code > > CertificatePathStatusCodes
Definition x509path.h:29
References Botan::PKIX::build_all_certificate_paths(), Botan::PKIX::check_chain(), Botan::PKIX::check_crl(), Botan::PKIX::check_ocsp(), Botan::PKIX::merge_revocation_status(), OCSP_NO_HTTP, OK, and Botan::Path_Validation_Result::successful_validation().
Referenced by botan_x509_cert_verify(), botan_x509_cert_verify_with_crl(), Botan::TLS::Callbacks::tls_verify_cert_chain(), x509_path_validate(), x509_path_validate(), and x509_path_validate().
◆ x509_path_validate() [3/4]
| Path_Validation_Result Botan::x509_path_validate | ( | const X509_Certificate & | end_cert, |
| const Path_Validation_Restrictions & | restrictions, | ||
| const Certificate_Store & | store, | ||
| std::string_view | hostname = "", | ||
| Usage_Type | usage = Usage_Type::UNSPECIFIED, | ||
| std::chrono::system_clock::time_point | validation_time = std::chrono::system_clock::now(), | ||
| std::chrono::milliseconds | ocsp_timeout = std::chrono::milliseconds(0), | ||
| const std::vector< std::optional< OCSP::Response > > & | ocsp_resp = {} ) |
PKIX Path Validation
- Parameters
-
end_cert certificate to validate restrictions path validation restrictions store store that contains trusted certificates hostname if not empty, compared against the DNS name in end_cert usage if not set to UNSPECIFIED, compared against the key usage in end_cert validation_time what reference time to use for validation ocsp_timeout timeout for OCSP operations, 0 disables OCSP check ocsp_resp additional OCSP responses to consider (eg from peer)
- Returns
- result of the path validation
Definition at line 970 of file x509path.cpp.
977 {
978 std::vector<X509_Certificate> certs;
979 certs.push_back(end_cert);
980
981 std::vector<Certificate_Store*> trusted_roots;
983
984 return x509_path_validate(certs, restrictions, trusted_roots, hostname, usage, when, ocsp_timeout, ocsp_resp);
985}
References x509_path_validate().
◆ x509_path_validate() [4/4]
| Path_Validation_Result Botan::x509_path_validate | ( | const X509_Certificate & | end_cert, |
| const Path_Validation_Restrictions & | restrictions, | ||
| const std::vector< Certificate_Store * > & | trusted_roots, | ||
| std::string_view | hostname = "", | ||
| Usage_Type | usage = Usage_Type::UNSPECIFIED, | ||
| std::chrono::system_clock::time_point | validation_time = std::chrono::system_clock::now(), | ||
| std::chrono::milliseconds | ocsp_timeout = std::chrono::milliseconds(0), | ||
| const std::vector< std::optional< OCSP::Response > > & | ocsp_resp = {} ) |
PKIX Path Validation
- Parameters
-
end_cert certificate to validate restrictions path validation restrictions trusted_roots list of stores that contain trusted certificates hostname if not empty, compared against the DNS name in end_cert usage if not set to UNSPECIFIED, compared against the key usage in end_cert validation_time what reference time to use for validation ocsp_timeout timeout for OCSP operations, 0 disables OCSP check ocsp_resp additional OCSP responses to consider (eg from peer)
- Returns
- result of the path validation
Definition at line 943 of file x509path.cpp.
950 {
951 std::vector<X509_Certificate> certs;
952 certs.push_back(end_cert);
953 return x509_path_validate(certs, restrictions, trusted_roots, hostname, usage, when, ocsp_timeout, ocsp_resp);
954}
References x509_path_validate().
◆ xmss_gen_root()
| SphincsTreeNode Botan::xmss_gen_root | ( | const Sphincs_Parameters & | params, |
| const SphincsSecretSeed & | secret_seed, | ||
| Sphincs_Hash_Functions & | hashes ) |
Compute the XMSS public key (root node) of the top-most subtree. Contains logic of FIPS 205, Algorithm 18: slh_keygen_internal
Definition at line 58 of file sp_xmss.cpp.
60 {
61 // We do not need the a sig/auth path in key generation, but it simplifies the
62 // code to have just one treehash routine that computes both root and path
63 // in one function.
66
67 Sphincs_Address top_tree_addr(Sphincs_Address_Type::HashTree);
68 Sphincs_Address wots_addr(Sphincs_Address_Type::WotsPublicKeyCompression);
69
72
74 xmss_sign_and_pkgen(dummy_sig, dummy_root, secret_seed, wots_addr, top_tree_addr, std::nullopt, params, hashes);
75
77}
Gf448Elem root(const Gf448Elem &elem)
Compute the root of elem in the field.
Definition curve448_gf.cpp:354
References Botan::Sphincs_Parameters::d(), HashTree, Botan::Sphincs_Parameters::n(), root(), Botan::Sphincs_Address::set_layer_address(), Botan::Sphincs_Parameters::wots_bytes(), WotsPublicKeyCompression, xmss_sign_and_pkgen(), and Botan::Sphincs_Parameters::xmss_tree_height().
Referenced by Botan::SphincsPlus_PrivateKey::SphincsPlus_PrivateKey().
◆ xmss_sign_and_pkgen()
| SphincsTreeNode Botan::xmss_sign_and_pkgen | ( | StrongSpan< SphincsXmssSignature > | out_sig, |
| const SphincsTreeNode & | message, | ||
| const SphincsSecretSeed & | secret_seed, | ||
| Sphincs_Address & | wots_addr, | ||
| Sphincs_Address & | tree_addr, | ||
| std::optional< TreeNodeIndex > | idx_leaf, | ||
| const Sphincs_Parameters & | params, | ||
| Sphincs_Hash_Functions & | hashes ) |
FIPS 205, Algorithm 10: xmss_sign.
This generates a Merkle signature of message (i.e. a FORS public key (bottom layer) or an XMSS root node). The Merkle authentication path logic is mostly hidden in treehash_spec. The WOTS signature followed by the Merkle authentication path are stored in out_sig. Set idx_leaf to std::nullopt if no signature is desired.
- Returns
- the XMSS public key (i.e. the root of the XMSS merkle tree)
Definition at line 19 of file sp_xmss.cpp.
26 {
27 BufferStuffer sig(out_sig);
30
31 const auto steps = [&]() -> std::vector<WotsHashIndex> {
32 // if `idx_leaf` is not set, we don't want to calculate a signature and
33 // therefore won't need to bother preparing the chain lengths either.
34 if(idx_leaf.has_value()) {
36 } else {
37 return {};
38 };
39 }();
40
41 Sphincs_Address leaf_addr = Sphincs_Address::as_subtree_from(wots_addr);
42 Sphincs_Address pk_addr = Sphincs_Address::as_subtree_from(wots_addr);
43
44 pk_addr.set_type(Sphincs_Address_Type::WotsPublicKeyCompression);
45
46 GenerateLeafFunction xmss_gen_leaf = [&](StrongSpan<SphincsTreeNode> out_root, TreeNodeIndex address_index) {
48 wots_bytes_s, out_root, secret_seed, address_index, idx_leaf, steps, leaf_addr, pk_addr, params, hashes);
49 };
50
53 treehash(next_root, auth_path_s, params, hashes, idx_leaf, 0, params.xmss_tree_height(), xmss_gen_leaf, tree_addr);
54
55 return next_root;
56}
void wots_sign_and_pkgen(StrongSpan< WotsSignature > sig_out, StrongSpan< SphincsTreeNode > leaf_out, const SphincsSecretSeed &secret_seed, TreeNodeIndex leaf_idx, std::optional< TreeNodeIndex > sign_leaf_idx, const std::vector< WotsHashIndex > &wots_steps, Sphincs_Address &leaf_addr, Sphincs_Address &pk_addr, const Sphincs_Parameters ¶ms, Sphincs_Hash_Functions &hashes)
FIPS 205, Algorithm 6 and 7: wots_pkGen and wots_sign.
Definition sp_wots.cpp:132
Strong< uint32_t, struct TreeNodeIndex_, EnableArithmeticWithPlainNumber > TreeNodeIndex
Index of an individual node inside an XMSS or FORS tree.
Definition sp_types.h:92
void treehash(StrongSpan< SphincsTreeNode > out_root, StrongSpan< SphincsAuthenticationPath > out_auth_path, const Sphincs_Parameters ¶ms, Sphincs_Hash_Functions &hashes, std::optional< TreeNodeIndex > leaf_idx, uint32_t idx_offset, uint32_t total_tree_height, const GenerateLeafFunction &gen_leaf, Sphincs_Address &tree_address)
Definition sp_treehash.cpp:17
References Botan::Sphincs_Address::as_subtree_from(), BOTAN_ASSERT_NOMSG, chain_lengths(), Botan::Sphincs_Address::get_type(), HashTree, Botan::Sphincs_Parameters::n(), Botan::BufferStuffer::next(), Botan::BufferStuffer::remaining_capacity(), Botan::Sphincs_Address::set_type(), treehash(), Botan::Sphincs_Parameters::wots_bytes(), wots_sign_and_pkgen(), WotsPublicKeyCompression, and Botan::Sphincs_Parameters::xmss_tree_height().
Referenced by ht_sign(), and xmss_gen_root().
◆ xor_buf() [1/7]
|
inlineconstexpr |
XOR arrays. Postcondition out[i] = in[i] ^ out[i] forall i = 0...length
- Parameters
-
out the input/output range in the read-only input range
Definition at line 341 of file mem_ops.h.
342 {
343 ranges::assert_equal_byte_lengths(out, in);
344
345 std::span<uint8_t> o(out);
346 std::span<const uint8_t> i(in);
347
348 for(; o.size_bytes() >= 32; o = o.subspan(32), i = i.subspan(32)) {
349 auto x = typecast_copy<std::array<uint64_t, 4>>(o.template first<32>());
350 const auto y = typecast_copy<std::array<uint64_t, 4>>(i.template first<32>());
351
352 x[0] ^= y[0];
353 x[1] ^= y[1];
354 x[2] ^= y[2];
355 x[3] ^= y[3];
356
357 typecast_copy(o.template first<32>(), x);
358 }
359
360 for(size_t off = 0; off != o.size_bytes(); ++off) {
361 o[off] ^= i[off];
362 }
363}
References Botan::ranges::assert_equal_byte_lengths(), and typecast_copy().
Referenced by Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::TLS::Connection_Cipher_State::aead_nonce(), Botan::Salsa20::cipher_bytes(), Botan::Lion::decrypt_n(), Botan::BlockCipher::decrypt_n_xex(), Botan::Lion::encrypt_n(), Botan::BlockCipher::encrypt_n_xex(), mgf1_mask(), operator^(), Botan::OctetString::operator^=(), operator^=(), pbkdf2(), Botan::SIV_Mode::S2V(), xor_buf(), xor_buf(), xor_buf(), xor_buf(), and xor_buf().
◆ xor_buf() [2/7]
|
inlineconstexpr |
XOR arrays. Postcondition out[i] = in1[i] ^ in2[i] forall i = 0...length
- Parameters
-
out the output range in1 the first input range in2 the second input range
Definition at line 371 of file mem_ops.h.
373 {
374 ranges::assert_equal_byte_lengths(out, in1, in2);
375
376 std::span o{out};
377 std::span i1{in1};
378 std::span i2{in2};
379
380 for(; o.size_bytes() >= 32; o = o.subspan(32), i1 = i1.subspan(32), i2 = i2.subspan(32)) {
381 auto x = typecast_copy<std::array<uint64_t, 4>>(i1.template first<32>());
382 const auto y = typecast_copy<std::array<uint64_t, 4>>(i2.template first<32>());
383
384 x[0] ^= y[0];
385 x[1] ^= y[1];
386 x[2] ^= y[2];
387 x[3] ^= y[3];
388
389 typecast_copy(o.template first<32>(), x);
390 }
391
392 for(size_t off = 0; off != o.size_bytes(); ++off) {
393 o[off] = i1[off] ^ i2[off];
394 }
395}
References Botan::ranges::assert_equal_byte_lengths(), and typecast_copy().
◆ xor_buf() [3/7]
|
inline |
Definition at line 421 of file mem_ops.h.
References BOTAN_ARG_CHECK, and xor_buf().
◆ xor_buf() [4/7]
template<typename Alloc , typename Alloc2 >
| void Botan::xor_buf | ( | std::vector< uint8_t, Alloc > & | out, |
| const uint8_t * | in, | ||
| const std::vector< uint8_t, Alloc2 > & | in2, | ||
| size_t | n ) |
Definition at line 437 of file mem_ops.h.
437 {
440 // simply assumes that *in points to "n" allocated bytes at least
441 xor_buf(std::span{out}.first(n), std::span{in, n}, std::span{in2}.first(n));
442}
References BOTAN_ARG_CHECK, and xor_buf().
◆ xor_buf() [5/7]
template<typename Alloc >
| void Botan::xor_buf | ( | std::vector< uint8_t, Alloc > & | out, |
| const uint8_t * | in, | ||
| size_t | n ) |
Definition at line 429 of file mem_ops.h.
429 {
431 // simply assumes that *in points to "n" allocated bytes at least
432 xor_buf(std::span{out}.first(n), std::span{in, n});
433}
References BOTAN_ARG_CHECK, and xor_buf().
◆ xor_buf() [6/7]
|
inline |
XOR arrays. Postcondition out[i] = in[i] ^ in2[i] forall i = 0...length
- Parameters
-
out the output buffer in the first input buffer in2 the second input buffer length the length of the three buffers
Definition at line 415 of file mem_ops.h.
415 {
416 // simply assumes that *out, *in, and *in2 point to "length" allocated bytes at least
417 xor_buf(std::span{out, length}, std::span{in, length}, std::span{in2, length});
418}
References xor_buf().
◆ xor_buf() [7/7]
|
inline |
XOR arrays. Postcondition out[i] = in[i] ^ out[i] forall i = 0...length
- Parameters
-
out the input/output buffer in the read-only input buffer length the length of the buffers
Definition at line 403 of file mem_ops.h.
403 {
404 // simply assumes that *out and *in point to "length" allocated bytes at least
405 xor_buf(std::span{out, length}, std::span{in, length});
406}
References xor_buf().
◆ xts_update_tweak_block()
| void Botan::xts_update_tweak_block | ( | uint8_t | tweak[], |
| size_t | BS, | ||
| size_t | blocks_in_tweak ) |
Definition at line 119 of file poly_dbl.cpp.
119 {
120 if(BS == 16) {
121 constexpr size_t LIMBS = 2;
122
123 uint64_t W[LIMBS];
124 load_le(W, &tweak[0], LIMBS);
125
126 for(size_t i = 1; i < blocks_in_tweak; ++i) {
128 W[1] = (W[1] << 1) ^ (W[0] >> 63);
129 W[0] = (W[0] << 1) ^ carry;
130 copy_out_le(std::span(&tweak[i * BS], 2 * 8), W);
131 }
132 } else {
133 for(size_t i = 1; i < blocks_in_tweak; ++i) {
134 const uint8_t* prev = &tweak[(i - 1) * BS];
135 uint8_t* cur = &tweak[i * BS];
136 poly_double_n_le(cur, prev, BS);
137 }
138 }
139}
void poly_double_n_le(uint8_t out[], const uint8_t in[], size_t n)
Definition poly_dbl.cpp:100
References carry(), copy_out_le(), load_le(), and poly_double_n_le().
Referenced by Botan::XTS_Mode::update_tweak().
◆ zap()
Zeroise the values then free the memory
- Parameters
-
vec the vector to zeroise and free
Definition at line 117 of file secmem.h.
References zeroise().
Referenced by Botan::TLS::Cipher_State::advance_with_client_finished(), Botan::TLS::Cipher_State::advance_with_client_hello(), Botan::AES_128::clear(), Botan::AES_192::clear(), Botan::AES_256::clear(), Botan::ANSI_X919_MAC::clear(), Botan::ARIA_128::clear(), Botan::ARIA_192::clear(), Botan::ARIA_256::clear(), Botan::Blowfish::clear(), Botan::Camellia_128::clear(), Botan::Camellia_192::clear(), Botan::Camellia_256::clear(), Botan::CAST_128::clear(), Botan::ChaCha::clear(), Botan::CTR_BE::clear(), Botan::DES::clear(), Botan::GHASH::clear(), Botan::GOST_28147_89::clear(), Botan::HMAC::clear(), Botan::IDEA::clear(), Botan::KMAC::clear(), Botan::Lion::clear(), Botan::Noekeon::clear(), Botan::Poly1305::clear(), Botan::RC4::clear(), Botan::Salsa20::clear(), Botan::SEED::clear(), Botan::Serpent::clear(), Botan::SHACAL2::clear(), Botan::SipHash::clear(), Botan::SM4::clear(), Botan::Threefish_512::clear(), Botan::TripleDES::clear(), Botan::Twofish::clear(), Botan::TLS::Record_Layer::clear_read_buffer(), Botan::TLS::Cipher_State::clear_read_keys(), and Botan::TLS::Cipher_State::clear_write_keys().
◆ zeroise()
Zeroise the values; length remains unchanged
- Parameters
-
vec the vector to zeroise
Definition at line 108 of file secmem.h.
References T.
Referenced by Botan::BLAKE2b::clear(), Botan::CMAC::clear(), Botan::CTR_BE::clear(), Botan::GMAC::clear(), Botan::GOST_34_11::clear(), Botan::Keccak_Permutation::clear(), Botan::OFB::clear(), Botan::SHAKE_Cipher::clear(), Botan::Streebog::clear(), Botan::Whirlpool::init(), Botan::OctetString::operator^=(), Botan::CBC_Decryption::reset(), Botan::CFB_Mode::reset(), Botan::GHASH::reset(), Botan::OCB_Mode::reset(), Botan::CTR_BE::seek(), Botan::GHASH::set_associated_data(), and zap().
Variable Documentation
◆ b
| const SIMD_8x32& Botan::b |
Initial value:
{
return SIMD_8x32(_mm256_gf2p8mul_epi8(a.raw(), b.raw()))
Definition at line 63 of file simd_avx2_gfni.h.
Referenced by Botan::FE_25519::add(), Botan::FrodoMatrix::add(), Botan::BufferStuffer::append(), bigint_cnd_swap(), cast_uint8_ptr_to_char(), cast_uint8_ptr_to_char(), ceil_division(), checked_add(), checked_add(), checked_mul(), checked_sub(), choose(), Botan::SIMD_4x32::choose(), combine_lower(), Botan::CT::copy_output(), Botan::Gf448Elem::ct_cond_assign(), Botan::Gf448Elem::ct_cond_swap(), ct_divide(), ct_divide_word(), ct_modulo(), Botan::PEM_Code::decode(), Botan::OID::decode_from(), Botan::DER_Encoder::DER_Encoder(), Botan::DER_Encoder::DER_Encoder(), Botan::CRYSTALS::detail::dot_product(), Botan::EC_Group::EC_Group(), Botan::EC_Group::EC_Group(), extended_euclidean_algorithm(), fe_add(), fe_copy(), fe_frombytes(), fe_mul(), fe_sub(), fe_tobytes(), Botan::CRYSTALS::Trait_Base< ConstantsT, DerivedT >::fqmul(), Botan::FrodoKEM_PrivateKey::FrodoKEM_PrivateKey(), Botan::FrodoKEM_PrivateKey::FrodoKEM_PrivateKey(), Botan::FrodoKEM_PublicKey::FrodoKEM_PublicKey(), gcd(), ge_double_scalarmult_vartime(), generate_dsa_primes(), Botan::GF2m_Field::gf_div_nrr(), Botan::GF2m_Field::gf_div_rnr(), Botan::GF2m_Field::gf_div_zzr(), Botan::GF2m_Field::gf_mul_lll(), Botan::GF2m_Field::gf_mul_nrr(), Botan::GF2m_Field::gf_mul_rrr(), lcm(), majority(), monty_inverse(), Botan::EC_Point::mul(), mul64x64_128(), Botan::FrodoMatrix::mul_add_sb_plus_e(), Botan::FrodoMatrix::mul_bs(), Botan::RandomNumberGenerator::next_byte(), Botan::Zlib_Style_Stream< Stream, ByteType, StreamLenType >::next_in(), Botan::RandomNumberGenerator::next_nonzero_byte(), Botan::Zlib_Style_Stream< Stream, ByteType, StreamLenType >::next_out(), operator!=(), operator!=(), operator!=(), Botan::TLS::operator!=(), operator&(), operator&(), operator&(), operator&(), operator&=(), operator&=(), Botan::CRYSTALS::operator*(), Botan::CRYSTALS::operator*(), operator*(), operator*(), operator*(), operator*=(), operator*=(), Botan::CRYSTALS::operator+(), operator+(), operator+(), operator+(), operator+=(), operator+=(), operator-(), operator-(), operator-(), operator-=(), operator-=(), operator/(), operator/(), operator/(), operator/=(), operator/=(), operator<(), operator<(), operator<(), Botan::TLS::operator<(), operator<<(), operator<<(), operator<<(), operator<<=(), operator<<=(), operator<=(), operator<=(), operator<=>(), operator<=>(), operator==(), operator==(), operator==(), operator==(), Botan::TLS::operator==(), operator>(), operator>(), operator>=(), operator>=(), operator>>(), operator>>(), operator>>(), operator>>=(), operator>>=(), operator^(), operator^(), operator^(), operator^=(), operator^=(), operator|(), operator|(), operator|(), operator|(), Botan::PKCS11::operator|(), operator|=(), operator|=(), Botan::FrodoMatrix::pack(), Botan::EC_Group_Data::params_match(), Botan::PCurve::PrimeOrderCurveImpl< C >::point_add(), Botan::PCurve::PrimeOrderCurveImpl< C >::point_add_mixed(), Botan::KyberPolyTraits::poly_pointwise_montgomery(), Botan::DL_Group::power_b_p(), Botan::BigInt::power_of_2(), random_gf2m(), random_prime(), SBoxD0(), Botan::Serpent_F::SBoxD0(), SBoxD1(), Botan::Serpent_F::SBoxD1(), SBoxD2(), Botan::Serpent_F::SBoxD2(), SBoxD3(), Botan::Serpent_F::SBoxD3(), SBoxD4(), Botan::Serpent_F::SBoxD4(), SBoxD5(), Botan::Serpent_F::SBoxD5(), SBoxD6(), Botan::Serpent_F::SBoxD6(), SBoxD7(), Botan::Serpent_F::SBoxD7(), SBoxE0(), Botan::Serpent_F::SBoxE0(), SBoxE1(), Botan::Serpent_F::SBoxE1(), SBoxE2(), Botan::Serpent_F::SBoxE2(), SBoxE3(), Botan::Serpent_F::SBoxE3(), SBoxE4(), Botan::Serpent_F::SBoxE4(), SBoxE5(), Botan::Serpent_F::SBoxE5(), SBoxE6(), Botan::Serpent_F::SBoxE6(), SBoxE7(), Botan::Serpent_F::SBoxE7(), sc_muladd(), Botan::PCurve::PrimeOrderCurveImpl< C >::scalar_add(), Botan::PCurve::PrimeOrderCurveImpl< C >::scalar_equal(), Botan::PCurve::PrimeOrderCurveImpl< C >::scalar_mul(), Botan::PCurve::PrimeOrderCurveImpl< C >::scalar_sub(), significant_bytes(), Botan::Sodium::sodium_add(), Botan::Sodium::sodium_increment(), Botan::Sodium::sodium_is_zero(), Botan::FE_25519::sub(), Botan::FrodoMatrix::sub(), swar_lt(), Botan::FrodoMatrix::unpack(), Botan::EC_Group::verify_group(), word_madd2(), word_madd3(), Botan::EC_Point::x_bytes(), Botan::EC_Point::xy_bytes(), and Botan::EC_Point::y_bytes().
◆ BLAKE2B_BLOCKBYTES
|
constexpr |
Definition at line 21 of file blake2b.h.
Referenced by Botan::BLAKE2b::add_data().
◆ BYTES_448
|
constexpr |
Definition at line 20 of file curve448_gf.h.
◆ ED448_LEN
|
constexpr |
Definition at line 17 of file ed448_internal.h.
Referenced by Botan::Ed448_PrivateKey::Ed448_PrivateKey(), Botan::Ed448_PrivateKey::Ed448_PrivateKey(), Botan::Ed448_PublicKey::Ed448_PublicKey(), Botan::Ed448_PrivateKey::private_key_bits(), sign_message(), and verify_signature().
◆ HEX_CODEC_BUFFER_SIZE
| const size_t Botan::HEX_CODEC_BUFFER_SIZE = 256 |
Size used for internal buffer in hex encoder/decoder
Definition at line 19 of file hex_filt.cpp.
Referenced by Botan::Hex_Decoder::Hex_Decoder(), Botan::Hex_Encoder::Hex_Encoder(), and Botan::Hex_Encoder::Hex_Encoder().
◆ is_strong_span_v
template<typename T >
|
constexpr |
Definition at line 688 of file strong_type.h.
◆ is_strong_type_v
template<typename... Ts>
|
constexpr |
Definition at line 34 of file concepts.h.
◆ LMS_IDENTIFIER_LEN
|
constexpr |
The length in bytes of the LMS identifier (I).
Definition at line 67 of file lms.h.
Referenced by Botan::HSS_LMS_PrivateKeyInternal::from_bytes_or_throw(), Botan::LMS_PublicKey::from_bytes_or_throw(), Botan::HSS_LMS_PrivateKeyInternal::HSS_LMS_PrivateKeyInternal(), Botan::LMS_PublicKey::LMS_PublicKey(), and Botan::LMS_PublicKey::size().
◆ MAX_EXT_DEG
| const size_t Botan::MAX_EXT_DEG = 16 |
Definition at line 18 of file gf2m_small_m.cpp.
◆ PRIME_TABLE_SIZE
| const size_t Botan::PRIME_TABLE_SIZE = 6541 |
The size of the PRIMES[] array
Definition at line 172 of file numthry.h.
Referenced by Botan::DL_Group::DL_Group(), is_prime(), and random_prime().
◆ PRIMES
| const uint16_t Botan::PRIMES |
A const array of all odd primes less than 65535
Definition at line 12 of file primes.cpp.
12 {
13 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
14 61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137,
15 139, 149, 151, 157, 163, 167, 173, 179, 181, 191, 193, 197, 199, 211, 223, 227,
16 229, 233, 239, 241, 251, 257, 263, 269, 271, 277, 281, 283, 293, 307, 311, 313,
17 317, 331, 337, 347, 349, 353, 359, 367, 373, 379, 383, 389, 397, 401, 409, 419,
18 421, 431, 433, 439, 443, 449, 457, 461, 463, 467, 479, 487, 491, 499, 503, 509,
19 521, 523, 541, 547, 557, 563, 569, 571, 577, 587, 593, 599, 601, 607, 613, 617,
20 619, 631, 641, 643, 647, 653, 659, 661, 673, 677, 683, 691, 701, 709, 719, 727,
21 733, 739, 743, 751, 757, 761, 769, 773, 787, 797, 809, 811, 821, 823, 827, 829,
22 839, 853, 857, 859, 863, 877, 881, 883, 887, 907, 911, 919, 929, 937, 941, 947,
23 953, 967, 971, 977, 983, 991, 997, 1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049, 1051,
24 1061, 1063, 1069, 1087, 1091, 1093, 1097, 1103, 1109, 1117, 1123, 1129, 1151, 1153, 1163, 1171,
25 1181, 1187, 1193, 1201, 1213, 1217, 1223, 1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283, 1289,
26 1291, 1297, 1301, 1303, 1307, 1319, 1321, 1327, 1361, 1367, 1373, 1381, 1399, 1409, 1423, 1427,
27 1429, 1433, 1439, 1447, 1451, 1453, 1459, 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511, 1523,
28 1531, 1543, 1549, 1553, 1559, 1567, 1571, 1579, 1583, 1597, 1601, 1607, 1609, 1613, 1619, 1621,
29 1627, 1637, 1657, 1663, 1667, 1669, 1693, 1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747, 1753,
30 1759, 1777, 1783, 1787, 1789, 1801, 1811, 1823, 1831, 1847, 1861, 1867, 1871, 1873, 1877, 1879,
31 1889, 1901, 1907, 1913, 1931, 1933, 1949, 1951, 1973, 1979, 1987, 1993, 1997, 1999, 2003, 2011,
32 2017, 2027, 2029, 2039, 2053, 2063, 2069, 2081, 2083, 2087, 2089, 2099, 2111, 2113, 2129, 2131,
33 2137, 2141, 2143, 2153, 2161, 2179, 2203, 2207, 2213, 2221, 2237, 2239, 2243, 2251, 2267, 2269,
34 2273, 2281, 2287, 2293, 2297, 2309, 2311, 2333, 2339, 2341, 2347, 2351, 2357, 2371, 2377, 2381,
35 2383, 2389, 2393, 2399, 2411, 2417, 2423, 2437, 2441, 2447, 2459, 2467, 2473, 2477, 2503, 2521,
36 2531, 2539, 2543, 2549, 2551, 2557, 2579, 2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657, 2659,
37 2663, 2671, 2677, 2683, 2687, 2689, 2693, 2699, 2707, 2711, 2713, 2719, 2729, 2731, 2741, 2749,
38 2753, 2767, 2777, 2789, 2791, 2797, 2801, 2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861, 2879,
39 2887, 2897, 2903, 2909, 2917, 2927, 2939, 2953, 2957, 2963, 2969, 2971, 2999, 3001, 3011, 3019,
40 3023, 3037, 3041, 3049, 3061, 3067, 3079, 3083, 3089, 3109, 3119, 3121, 3137, 3163, 3167, 3169,
41 3181, 3187, 3191, 3203, 3209, 3217, 3221, 3229, 3251, 3253, 3257, 3259, 3271, 3299, 3301, 3307,
42 3313, 3319, 3323, 3329, 3331, 3343, 3347, 3359, 3361, 3371, 3373, 3389, 3391, 3407, 3413, 3433,
43 3449, 3457, 3461, 3463, 3467, 3469, 3491, 3499, 3511, 3517, 3527, 3529, 3533, 3539, 3541, 3547,
44 3557, 3559, 3571, 3581, 3583, 3593, 3607, 3613, 3617, 3623, 3631, 3637, 3643, 3659, 3671, 3673,
45 3677, 3691, 3697, 3701, 3709, 3719, 3727, 3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797, 3803,
46 3821, 3823, 3833, 3847, 3851, 3853, 3863, 3877, 3881, 3889, 3907, 3911, 3917, 3919, 3923, 3929,
47 3931, 3943, 3947, 3967, 3989, 4001, 4003, 4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057, 4073,
48 4079, 4091, 4093, 4099, 4111, 4127, 4129, 4133, 4139, 4153, 4157, 4159, 4177, 4201, 4211, 4217,
49 4219, 4229, 4231, 4241, 4243, 4253, 4259, 4261, 4271, 4273, 4283, 4289, 4297, 4327, 4337, 4339,
50 4349, 4357, 4363, 4373, 4391, 4397, 4409, 4421, 4423, 4441, 4447, 4451, 4457, 4463, 4481, 4483,
51 4493, 4507, 4513, 4517, 4519, 4523, 4547, 4549, 4561, 4567, 4583, 4591, 4597, 4603, 4621, 4637,
52 4639, 4643, 4649, 4651, 4657, 4663, 4673, 4679, 4691, 4703, 4721, 4723, 4729, 4733, 4751, 4759,
53 4783, 4787, 4789, 4793, 4799, 4801, 4813, 4817, 4831, 4861, 4871, 4877, 4889, 4903, 4909, 4919,
54 4931, 4933, 4937, 4943, 4951, 4957, 4967, 4969, 4973, 4987, 4993, 4999, 5003, 5009, 5011, 5021,
55 5023, 5039, 5051, 5059, 5077, 5081, 5087, 5099, 5101, 5107, 5113, 5119, 5147, 5153, 5167, 5171,
56 5179, 5189, 5197, 5209, 5227, 5231, 5233, 5237, 5261, 5273, 5279, 5281, 5297, 5303, 5309, 5323,
57 5333, 5347, 5351, 5381, 5387, 5393, 5399, 5407, 5413, 5417, 5419, 5431, 5437, 5441, 5443, 5449,
58 5471, 5477, 5479, 5483, 5501, 5503, 5507, 5519, 5521, 5527, 5531, 5557, 5563, 5569, 5573, 5581,
59 5591, 5623, 5639, 5641, 5647, 5651, 5653, 5657, 5659, 5669, 5683, 5689, 5693, 5701, 5711, 5717,
60 5737, 5741, 5743, 5749, 5779, 5783, 5791, 5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849, 5851,
61 5857, 5861, 5867, 5869, 5879, 5881, 5897, 5903, 5923, 5927, 5939, 5953, 5981, 5987, 6007, 6011,
62 6029, 6037, 6043, 6047, 6053, 6067, 6073, 6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133, 6143,
63 6151, 6163, 6173, 6197, 6199, 6203, 6211, 6217, 6221, 6229, 6247, 6257, 6263, 6269, 6271, 6277,
64 6287, 6299, 6301, 6311, 6317, 6323, 6329, 6337, 6343, 6353, 6359, 6361, 6367, 6373, 6379, 6389,
65 6397, 6421, 6427, 6449, 6451, 6469, 6473, 6481, 6491, 6521, 6529, 6547, 6551, 6553, 6563, 6569,
66 6571, 6577, 6581, 6599, 6607, 6619, 6637, 6653, 6659, 6661, 6673, 6679, 6689, 6691, 6701, 6703,
67 6709, 6719, 6733, 6737, 6761, 6763, 6779, 6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833, 6841,
68 6857, 6863, 6869, 6871, 6883, 6899, 6907, 6911, 6917, 6947, 6949, 6959, 6961, 6967, 6971, 6977,
69 6983, 6991, 6997, 7001, 7013, 7019, 7027, 7039, 7043, 7057, 7069, 7079, 7103, 7109, 7121, 7127,
70 7129, 7151, 7159, 7177, 7187, 7193, 7207, 7211, 7213, 7219, 7229, 7237, 7243, 7247, 7253, 7283,
71 7297, 7307, 7309, 7321, 7331, 7333, 7349, 7351, 7369, 7393, 7411, 7417, 7433, 7451, 7457, 7459,
72 7477, 7481, 7487, 7489, 7499, 7507, 7517, 7523, 7529, 7537, 7541, 7547, 7549, 7559, 7561, 7573,
73 7577, 7583, 7589, 7591, 7603, 7607, 7621, 7639, 7643, 7649, 7669, 7673, 7681, 7687, 7691, 7699,
74 7703, 7717, 7723, 7727, 7741, 7753, 7757, 7759, 7789, 7793, 7817, 7823, 7829, 7841, 7853, 7867,
75 7873, 7877, 7879, 7883, 7901, 7907, 7919, 7927, 7933, 7937, 7949, 7951, 7963, 7993, 8009, 8011,
76 8017, 8039, 8053, 8059, 8069, 8081, 8087, 8089, 8093, 8101, 8111, 8117, 8123, 8147, 8161, 8167,
77 8171, 8179, 8191, 8209, 8219, 8221, 8231, 8233, 8237, 8243, 8263, 8269, 8273, 8287, 8291, 8293,
78 8297, 8311, 8317, 8329, 8353, 8363, 8369, 8377, 8387, 8389, 8419, 8423, 8429, 8431, 8443, 8447,
79 8461, 8467, 8501, 8513, 8521, 8527, 8537, 8539, 8543, 8563, 8573, 8581, 8597, 8599, 8609, 8623,
80 8627, 8629, 8641, 8647, 8663, 8669, 8677, 8681, 8689, 8693, 8699, 8707, 8713, 8719, 8731, 8737,
81 8741, 8747, 8753, 8761, 8779, 8783, 8803, 8807, 8819, 8821, 8831, 8837, 8839, 8849, 8861, 8863,
82 8867, 8887, 8893, 8923, 8929, 8933, 8941, 8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011, 9013,
83 9029, 9041, 9043, 9049, 9059, 9067, 9091, 9103, 9109, 9127, 9133, 9137, 9151, 9157, 9161, 9173,
84 9181, 9187, 9199, 9203, 9209, 9221, 9227, 9239, 9241, 9257, 9277, 9281, 9283, 9293, 9311, 9319,
85 9323, 9337, 9341, 9343, 9349, 9371, 9377, 9391, 9397, 9403, 9413, 9419, 9421, 9431, 9433, 9437,
86 9439, 9461, 9463, 9467, 9473, 9479, 9491, 9497, 9511, 9521, 9533, 9539, 9547, 9551, 9587, 9601,
87 9613, 9619, 9623, 9629, 9631, 9643, 9649, 9661, 9677, 9679, 9689, 9697, 9719, 9721, 9733, 9739,
88 9743, 9749, 9767, 9769, 9781, 9787, 9791, 9803, 9811, 9817, 9829, 9833, 9839, 9851, 9857, 9859,
89 9871, 9883, 9887, 9901, 9907, 9923, 9929, 9931, 9941, 9949, 9967, 9973, 10007, 10009, 10037, 10039,
90 10061, 10067, 10069, 10079, 10091, 10093, 10099, 10103, 10111, 10133, 10139, 10141, 10151, 10159, 10163, 10169,
91 10177, 10181, 10193, 10211, 10223, 10243, 10247, 10253, 10259, 10267, 10271, 10273, 10289, 10301, 10303, 10313,
92 10321, 10331, 10333, 10337, 10343, 10357, 10369, 10391, 10399, 10427, 10429, 10433, 10453, 10457, 10459, 10463,
93 10477, 10487, 10499, 10501, 10513, 10529, 10531, 10559, 10567, 10589, 10597, 10601, 10607, 10613, 10627, 10631,
94 10639, 10651, 10657, 10663, 10667, 10687, 10691, 10709, 10711, 10723, 10729, 10733, 10739, 10753, 10771, 10781,
95 10789, 10799, 10831, 10837, 10847, 10853, 10859, 10861, 10867, 10883, 10889, 10891, 10903, 10909, 10937, 10939,
96 10949, 10957, 10973, 10979, 10987, 10993, 11003, 11027, 11047, 11057, 11059, 11069, 11071, 11083, 11087, 11093,
97 11113, 11117, 11119, 11131, 11149, 11159, 11161, 11171, 11173, 11177, 11197, 11213, 11239, 11243, 11251, 11257,
98 11261, 11273, 11279, 11287, 11299, 11311, 11317, 11321, 11329, 11351, 11353, 11369, 11383, 11393, 11399, 11411,
99 11423, 11437, 11443, 11447, 11467, 11471, 11483, 11489, 11491, 11497, 11503, 11519, 11527, 11549, 11551, 11579,
100 11587, 11593, 11597, 11617, 11621, 11633, 11657, 11677, 11681, 11689, 11699, 11701, 11717, 11719, 11731, 11743,
101 11777, 11779, 11783, 11789, 11801, 11807, 11813, 11821, 11827, 11831, 11833, 11839, 11863, 11867, 11887, 11897,
102 11903, 11909, 11923, 11927, 11933, 11939, 11941, 11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011, 12037,
103 12041, 12043, 12049, 12071, 12073, 12097, 12101, 12107, 12109, 12113, 12119, 12143, 12149, 12157, 12161, 12163,
104 12197, 12203, 12211, 12227, 12239, 12241, 12251, 12253, 12263, 12269, 12277, 12281, 12289, 12301, 12323, 12329,
105 12343, 12347, 12373, 12377, 12379, 12391, 12401, 12409, 12413, 12421, 12433, 12437, 12451, 12457, 12473, 12479,
106 12487, 12491, 12497, 12503, 12511, 12517, 12527, 12539, 12541, 12547, 12553, 12569, 12577, 12583, 12589, 12601,
107 12611, 12613, 12619, 12637, 12641, 12647, 12653, 12659, 12671, 12689, 12697, 12703, 12713, 12721, 12739, 12743,
108 12757, 12763, 12781, 12791, 12799, 12809, 12821, 12823, 12829, 12841, 12853, 12889, 12893, 12899, 12907, 12911,
109 12917, 12919, 12923, 12941, 12953, 12959, 12967, 12973, 12979, 12983, 13001, 13003, 13007, 13009, 13033, 13037,
110 13043, 13049, 13063, 13093, 13099, 13103, 13109, 13121, 13127, 13147, 13151, 13159, 13163, 13171, 13177, 13183,
111 13187, 13217, 13219, 13229, 13241, 13249, 13259, 13267, 13291, 13297, 13309, 13313, 13327, 13331, 13337, 13339,
112 13367, 13381, 13397, 13399, 13411, 13417, 13421, 13441, 13451, 13457, 13463, 13469, 13477, 13487, 13499, 13513,
113 13523, 13537, 13553, 13567, 13577, 13591, 13597, 13613, 13619, 13627, 13633, 13649, 13669, 13679, 13681, 13687,
114 13691, 13693, 13697, 13709, 13711, 13721, 13723, 13729, 13751, 13757, 13759, 13763, 13781, 13789, 13799, 13807,
115 13829, 13831, 13841, 13859, 13873, 13877, 13879, 13883, 13901, 13903, 13907, 13913, 13921, 13931, 13933, 13963,
116 13967, 13997, 13999, 14009, 14011, 14029, 14033, 14051, 14057, 14071, 14081, 14083, 14087, 14107, 14143, 14149,
117 14153, 14159, 14173, 14177, 14197, 14207, 14221, 14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323, 14327,
118 14341, 14347, 14369, 14387, 14389, 14401, 14407, 14411, 14419, 14423, 14431, 14437, 14447, 14449, 14461, 14479,
119 14489, 14503, 14519, 14533, 14537, 14543, 14549, 14551, 14557, 14561, 14563, 14591, 14593, 14621, 14627, 14629,
120 14633, 14639, 14653, 14657, 14669, 14683, 14699, 14713, 14717, 14723, 14731, 14737, 14741, 14747, 14753, 14759,
121 14767, 14771, 14779, 14783, 14797, 14813, 14821, 14827, 14831, 14843, 14851, 14867, 14869, 14879, 14887, 14891,
122 14897, 14923, 14929, 14939, 14947, 14951, 14957, 14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073, 15077,
123 15083, 15091, 15101, 15107, 15121, 15131, 15137, 15139, 15149, 15161, 15173, 15187, 15193, 15199, 15217, 15227,
124 15233, 15241, 15259, 15263, 15269, 15271, 15277, 15287, 15289, 15299, 15307, 15313, 15319, 15329, 15331, 15349,
125 15359, 15361, 15373, 15377, 15383, 15391, 15401, 15413, 15427, 15439, 15443, 15451, 15461, 15467, 15473, 15493,
126 15497, 15511, 15527, 15541, 15551, 15559, 15569, 15581, 15583, 15601, 15607, 15619, 15629, 15641, 15643, 15647,
127 15649, 15661, 15667, 15671, 15679, 15683, 15727, 15731, 15733, 15737, 15739, 15749, 15761, 15767, 15773, 15787,
128 15791, 15797, 15803, 15809, 15817, 15823, 15859, 15877, 15881, 15887, 15889, 15901, 15907, 15913, 15919, 15923,
129 15937, 15959, 15971, 15973, 15991, 16001, 16007, 16033, 16057, 16061, 16063, 16067, 16069, 16073, 16087, 16091,
130 16097, 16103, 16111, 16127, 16139, 16141, 16183, 16187, 16189, 16193, 16217, 16223, 16229, 16231, 16249, 16253,
131 16267, 16273, 16301, 16319, 16333, 16339, 16349, 16361, 16363, 16369, 16381, 16411, 16417, 16421, 16427, 16433,
132 16447, 16451, 16453, 16477, 16481, 16487, 16493, 16519, 16529, 16547, 16553, 16561, 16567, 16573, 16603, 16607,
133 16619, 16631, 16633, 16649, 16651, 16657, 16661, 16673, 16691, 16693, 16699, 16703, 16729, 16741, 16747, 16759,
134 16763, 16787, 16811, 16823, 16829, 16831, 16843, 16871, 16879, 16883, 16889, 16901, 16903, 16921, 16927, 16931,
135 16937, 16943, 16963, 16979, 16981, 16987, 16993, 17011, 17021, 17027, 17029, 17033, 17041, 17047, 17053, 17077,
136 17093, 17099, 17107, 17117, 17123, 17137, 17159, 17167, 17183, 17189, 17191, 17203, 17207, 17209, 17231, 17239,
137 17257, 17291, 17293, 17299, 17317, 17321, 17327, 17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389, 17393,
138 17401, 17417, 17419, 17431, 17443, 17449, 17467, 17471, 17477, 17483, 17489, 17491, 17497, 17509, 17519, 17539,
139 17551, 17569, 17573, 17579, 17581, 17597, 17599, 17609, 17623, 17627, 17657, 17659, 17669, 17681, 17683, 17707,
140 17713, 17729, 17737, 17747, 17749, 17761, 17783, 17789, 17791, 17807, 17827, 17837, 17839, 17851, 17863, 17881,
141 17891, 17903, 17909, 17911, 17921, 17923, 17929, 17939, 17957, 17959, 17971, 17977, 17981, 17987, 17989, 18013,
142 18041, 18043, 18047, 18049, 18059, 18061, 18077, 18089, 18097, 18119, 18121, 18127, 18131, 18133, 18143, 18149,
143 18169, 18181, 18191, 18199, 18211, 18217, 18223, 18229, 18233, 18251, 18253, 18257, 18269, 18287, 18289, 18301,
144 18307, 18311, 18313, 18329, 18341, 18353, 18367, 18371, 18379, 18397, 18401, 18413, 18427, 18433, 18439, 18443,
145 18451, 18457, 18461, 18481, 18493, 18503, 18517, 18521, 18523, 18539, 18541, 18553, 18583, 18587, 18593, 18617,
146 18637, 18661, 18671, 18679, 18691, 18701, 18713, 18719, 18731, 18743, 18749, 18757, 18773, 18787, 18793, 18797,
147 18803, 18839, 18859, 18869, 18899, 18911, 18913, 18917, 18919, 18947, 18959, 18973, 18979, 19001, 19009, 19013,
148 19031, 19037, 19051, 19069, 19073, 19079, 19081, 19087, 19121, 19139, 19141, 19157, 19163, 19181, 19183, 19207,
149 19211, 19213, 19219, 19231, 19237, 19249, 19259, 19267, 19273, 19289, 19301, 19309, 19319, 19333, 19373, 19379,
150 19381, 19387, 19391, 19403, 19417, 19421, 19423, 19427, 19429, 19433, 19441, 19447, 19457, 19463, 19469, 19471,
151 19477, 19483, 19489, 19501, 19507, 19531, 19541, 19543, 19553, 19559, 19571, 19577, 19583, 19597, 19603, 19609,
152 19661, 19681, 19687, 19697, 19699, 19709, 19717, 19727, 19739, 19751, 19753, 19759, 19763, 19777, 19793, 19801,
153 19813, 19819, 19841, 19843, 19853, 19861, 19867, 19889, 19891, 19913, 19919, 19927, 19937, 19949, 19961, 19963,
154 19973, 19979, 19991, 19993, 19997, 20011, 20021, 20023, 20029, 20047, 20051, 20063, 20071, 20089, 20101, 20107,
155 20113, 20117, 20123, 20129, 20143, 20147, 20149, 20161, 20173, 20177, 20183, 20201, 20219, 20231, 20233, 20249,
156 20261, 20269, 20287, 20297, 20323, 20327, 20333, 20341, 20347, 20353, 20357, 20359, 20369, 20389, 20393, 20399,
157 20407, 20411, 20431, 20441, 20443, 20477, 20479, 20483, 20507, 20509, 20521, 20533, 20543, 20549, 20551, 20563,
158 20593, 20599, 20611, 20627, 20639, 20641, 20663, 20681, 20693, 20707, 20717, 20719, 20731, 20743, 20747, 20749,
159 20753, 20759, 20771, 20773, 20789, 20807, 20809, 20849, 20857, 20873, 20879, 20887, 20897, 20899, 20903, 20921,
160 20929, 20939, 20947, 20959, 20963, 20981, 20983, 21001, 21011, 21013, 21017, 21019, 21023, 21031, 21059, 21061,
161 21067, 21089, 21101, 21107, 21121, 21139, 21143, 21149, 21157, 21163, 21169, 21179, 21187, 21191, 21193, 21211,
162 21221, 21227, 21247, 21269, 21277, 21283, 21313, 21317, 21319, 21323, 21341, 21347, 21377, 21379, 21383, 21391,
163 21397, 21401, 21407, 21419, 21433, 21467, 21481, 21487, 21491, 21493, 21499, 21503, 21517, 21521, 21523, 21529,
164 21557, 21559, 21563, 21569, 21577, 21587, 21589, 21599, 21601, 21611, 21613, 21617, 21647, 21649, 21661, 21673,
165 21683, 21701, 21713, 21727, 21737, 21739, 21751, 21757, 21767, 21773, 21787, 21799, 21803, 21817, 21821, 21839,
166 21841, 21851, 21859, 21863, 21871, 21881, 21893, 21911, 21929, 21937, 21943, 21961, 21977, 21991, 21997, 22003,
167 22013, 22027, 22031, 22037, 22039, 22051, 22063, 22067, 22073, 22079, 22091, 22093, 22109, 22111, 22123, 22129,
168 22133, 22147, 22153, 22157, 22159, 22171, 22189, 22193, 22229, 22247, 22259, 22271, 22273, 22277, 22279, 22283,
169 22291, 22303, 22307, 22343, 22349, 22367, 22369, 22381, 22391, 22397, 22409, 22433, 22441, 22447, 22453, 22469,
170 22481, 22483, 22501, 22511, 22531, 22541, 22543, 22549, 22567, 22571, 22573, 22613, 22619, 22621, 22637, 22639,
171 22643, 22651, 22669, 22679, 22691, 22697, 22699, 22709, 22717, 22721, 22727, 22739, 22741, 22751, 22769, 22777,
172 22783, 22787, 22807, 22811, 22817, 22853, 22859, 22861, 22871, 22877, 22901, 22907, 22921, 22937, 22943, 22961,
173 22963, 22973, 22993, 23003, 23011, 23017, 23021, 23027, 23029, 23039, 23041, 23053, 23057, 23059, 23063, 23071,
174 23081, 23087, 23099, 23117, 23131, 23143, 23159, 23167, 23173, 23189, 23197, 23201, 23203, 23209, 23227, 23251,
175 23269, 23279, 23291, 23293, 23297, 23311, 23321, 23327, 23333, 23339, 23357, 23369, 23371, 23399, 23417, 23431,
176 23447, 23459, 23473, 23497, 23509, 23531, 23537, 23539, 23549, 23557, 23561, 23563, 23567, 23581, 23593, 23599,
177 23603, 23609, 23623, 23627, 23629, 23633, 23663, 23669, 23671, 23677, 23687, 23689, 23719, 23741, 23743, 23747,
178 23753, 23761, 23767, 23773, 23789, 23801, 23813, 23819, 23827, 23831, 23833, 23857, 23869, 23873, 23879, 23887,
179 23893, 23899, 23909, 23911, 23917, 23929, 23957, 23971, 23977, 23981, 23993, 24001, 24007, 24019, 24023, 24029,
180 24043, 24049, 24061, 24071, 24077, 24083, 24091, 24097, 24103, 24107, 24109, 24113, 24121, 24133, 24137, 24151,
181 24169, 24179, 24181, 24197, 24203, 24223, 24229, 24239, 24247, 24251, 24281, 24317, 24329, 24337, 24359, 24371,
182 24373, 24379, 24391, 24407, 24413, 24419, 24421, 24439, 24443, 24469, 24473, 24481, 24499, 24509, 24517, 24527,
183 24533, 24547, 24551, 24571, 24593, 24611, 24623, 24631, 24659, 24671, 24677, 24683, 24691, 24697, 24709, 24733,
184 24749, 24763, 24767, 24781, 24793, 24799, 24809, 24821, 24841, 24847, 24851, 24859, 24877, 24889, 24907, 24917,
185 24919, 24923, 24943, 24953, 24967, 24971, 24977, 24979, 24989, 25013, 25031, 25033, 25037, 25057, 25073, 25087,
186 25097, 25111, 25117, 25121, 25127, 25147, 25153, 25163, 25169, 25171, 25183, 25189, 25219, 25229, 25237, 25243,
187 25247, 25253, 25261, 25301, 25303, 25307, 25309, 25321, 25339, 25343, 25349, 25357, 25367, 25373, 25391, 25409,
188 25411, 25423, 25439, 25447, 25453, 25457, 25463, 25469, 25471, 25523, 25537, 25541, 25561, 25577, 25579, 25583,
189 25589, 25601, 25603, 25609, 25621, 25633, 25639, 25643, 25657, 25667, 25673, 25679, 25693, 25703, 25717, 25733,
190 25741, 25747, 25759, 25763, 25771, 25793, 25799, 25801, 25819, 25841, 25847, 25849, 25867, 25873, 25889, 25903,
191 25913, 25919, 25931, 25933, 25939, 25943, 25951, 25969, 25981, 25997, 25999, 26003, 26017, 26021, 26029, 26041,
192 26053, 26083, 26099, 26107, 26111, 26113, 26119, 26141, 26153, 26161, 26171, 26177, 26183, 26189, 26203, 26209,
193 26227, 26237, 26249, 26251, 26261, 26263, 26267, 26293, 26297, 26309, 26317, 26321, 26339, 26347, 26357, 26371,
194 26387, 26393, 26399, 26407, 26417, 26423, 26431, 26437, 26449, 26459, 26479, 26489, 26497, 26501, 26513, 26539,
195 26557, 26561, 26573, 26591, 26597, 26627, 26633, 26641, 26647, 26669, 26681, 26683, 26687, 26693, 26699, 26701,
196 26711, 26713, 26717, 26723, 26729, 26731, 26737, 26759, 26777, 26783, 26801, 26813, 26821, 26833, 26839, 26849,
197 26861, 26863, 26879, 26881, 26891, 26893, 26903, 26921, 26927, 26947, 26951, 26953, 26959, 26981, 26987, 26993,
198 27011, 27017, 27031, 27043, 27059, 27061, 27067, 27073, 27077, 27091, 27103, 27107, 27109, 27127, 27143, 27179,
199 27191, 27197, 27211, 27239, 27241, 27253, 27259, 27271, 27277, 27281, 27283, 27299, 27329, 27337, 27361, 27367,
200 27397, 27407, 27409, 27427, 27431, 27437, 27449, 27457, 27479, 27481, 27487, 27509, 27527, 27529, 27539, 27541,
201 27551, 27581, 27583, 27611, 27617, 27631, 27647, 27653, 27673, 27689, 27691, 27697, 27701, 27733, 27737, 27739,
202 27743, 27749, 27751, 27763, 27767, 27773, 27779, 27791, 27793, 27799, 27803, 27809, 27817, 27823, 27827, 27847,
203 27851, 27883, 27893, 27901, 27917, 27919, 27941, 27943, 27947, 27953, 27961, 27967, 27983, 27997, 28001, 28019,
204 28027, 28031, 28051, 28057, 28069, 28081, 28087, 28097, 28099, 28109, 28111, 28123, 28151, 28163, 28181, 28183,
205 28201, 28211, 28219, 28229, 28277, 28279, 28283, 28289, 28297, 28307, 28309, 28319, 28349, 28351, 28387, 28393,
206 28403, 28409, 28411, 28429, 28433, 28439, 28447, 28463, 28477, 28493, 28499, 28513, 28517, 28537, 28541, 28547,
207 28549, 28559, 28571, 28573, 28579, 28591, 28597, 28603, 28607, 28619, 28621, 28627, 28631, 28643, 28649, 28657,
208 28661, 28663, 28669, 28687, 28697, 28703, 28711, 28723, 28729, 28751, 28753, 28759, 28771, 28789, 28793, 28807,
209 28813, 28817, 28837, 28843, 28859, 28867, 28871, 28879, 28901, 28909, 28921, 28927, 28933, 28949, 28961, 28979,
210 29009, 29017, 29021, 29023, 29027, 29033, 29059, 29063, 29077, 29101, 29123, 29129, 29131, 29137, 29147, 29153,
211 29167, 29173, 29179, 29191, 29201, 29207, 29209, 29221, 29231, 29243, 29251, 29269, 29287, 29297, 29303, 29311,
212 29327, 29333, 29339, 29347, 29363, 29383, 29387, 29389, 29399, 29401, 29411, 29423, 29429, 29437, 29443, 29453,
213 29473, 29483, 29501, 29527, 29531, 29537, 29567, 29569, 29573, 29581, 29587, 29599, 29611, 29629, 29633, 29641,
214 29663, 29669, 29671, 29683, 29717, 29723, 29741, 29753, 29759, 29761, 29789, 29803, 29819, 29833, 29837, 29851,
215 29863, 29867, 29873, 29879, 29881, 29917, 29921, 29927, 29947, 29959, 29983, 29989, 30011, 30013, 30029, 30047,
216 30059, 30071, 30089, 30091, 30097, 30103, 30109, 30113, 30119, 30133, 30137, 30139, 30161, 30169, 30181, 30187,
217 30197, 30203, 30211, 30223, 30241, 30253, 30259, 30269, 30271, 30293, 30307, 30313, 30319, 30323, 30341, 30347,
218 30367, 30389, 30391, 30403, 30427, 30431, 30449, 30467, 30469, 30491, 30493, 30497, 30509, 30517, 30529, 30539,
219 30553, 30557, 30559, 30577, 30593, 30631, 30637, 30643, 30649, 30661, 30671, 30677, 30689, 30697, 30703, 30707,
220 30713, 30727, 30757, 30763, 30773, 30781, 30803, 30809, 30817, 30829, 30839, 30841, 30851, 30853, 30859, 30869,
221 30871, 30881, 30893, 30911, 30931, 30937, 30941, 30949, 30971, 30977, 30983, 31013, 31019, 31033, 31039, 31051,
222 31063, 31069, 31079, 31081, 31091, 31121, 31123, 31139, 31147, 31151, 31153, 31159, 31177, 31181, 31183, 31189,
223 31193, 31219, 31223, 31231, 31237, 31247, 31249, 31253, 31259, 31267, 31271, 31277, 31307, 31319, 31321, 31327,
224 31333, 31337, 31357, 31379, 31387, 31391, 31393, 31397, 31469, 31477, 31481, 31489, 31511, 31513, 31517, 31531,
225 31541, 31543, 31547, 31567, 31573, 31583, 31601, 31607, 31627, 31643, 31649, 31657, 31663, 31667, 31687, 31699,
226 31721, 31723, 31727, 31729, 31741, 31751, 31769, 31771, 31793, 31799, 31817, 31847, 31849, 31859, 31873, 31883,
227 31891, 31907, 31957, 31963, 31973, 31981, 31991, 32003, 32009, 32027, 32029, 32051, 32057, 32059, 32063, 32069,
228 32077, 32083, 32089, 32099, 32117, 32119, 32141, 32143, 32159, 32173, 32183, 32189, 32191, 32203, 32213, 32233,
229 32237, 32251, 32257, 32261, 32297, 32299, 32303, 32309, 32321, 32323, 32327, 32341, 32353, 32359, 32363, 32369,
230 32371, 32377, 32381, 32401, 32411, 32413, 32423, 32429, 32441, 32443, 32467, 32479, 32491, 32497, 32503, 32507,
231 32531, 32533, 32537, 32561, 32563, 32569, 32573, 32579, 32587, 32603, 32609, 32611, 32621, 32633, 32647, 32653,
232 32687, 32693, 32707, 32713, 32717, 32719, 32749, 32771, 32779, 32783, 32789, 32797, 32801, 32803, 32831, 32833,
233 32839, 32843, 32869, 32887, 32909, 32911, 32917, 32933, 32939, 32941, 32957, 32969, 32971, 32983, 32987, 32993,
234 32999, 33013, 33023, 33029, 33037, 33049, 33053, 33071, 33073, 33083, 33091, 33107, 33113, 33119, 33149, 33151,
235 33161, 33179, 33181, 33191, 33199, 33203, 33211, 33223, 33247, 33287, 33289, 33301, 33311, 33317, 33329, 33331,
236 33343, 33347, 33349, 33353, 33359, 33377, 33391, 33403, 33409, 33413, 33427, 33457, 33461, 33469, 33479, 33487,
237 33493, 33503, 33521, 33529, 33533, 33547, 33563, 33569, 33577, 33581, 33587, 33589, 33599, 33601, 33613, 33617,
238 33619, 33623, 33629, 33637, 33641, 33647, 33679, 33703, 33713, 33721, 33739, 33749, 33751, 33757, 33767, 33769,
239 33773, 33791, 33797, 33809, 33811, 33827, 33829, 33851, 33857, 33863, 33871, 33889, 33893, 33911, 33923, 33931,
240 33937, 33941, 33961, 33967, 33997, 34019, 34031, 34033, 34039, 34057, 34061, 34123, 34127, 34129, 34141, 34147,
241 34157, 34159, 34171, 34183, 34211, 34213, 34217, 34231, 34253, 34259, 34261, 34267, 34273, 34283, 34297, 34301,
242 34303, 34313, 34319, 34327, 34337, 34351, 34361, 34367, 34369, 34381, 34403, 34421, 34429, 34439, 34457, 34469,
243 34471, 34483, 34487, 34499, 34501, 34511, 34513, 34519, 34537, 34543, 34549, 34583, 34589, 34591, 34603, 34607,
244 34613, 34631, 34649, 34651, 34667, 34673, 34679, 34687, 34693, 34703, 34721, 34729, 34739, 34747, 34757, 34759,
245 34763, 34781, 34807, 34819, 34841, 34843, 34847, 34849, 34871, 34877, 34883, 34897, 34913, 34919, 34939, 34949,
246 34961, 34963, 34981, 35023, 35027, 35051, 35053, 35059, 35069, 35081, 35083, 35089, 35099, 35107, 35111, 35117,
247 35129, 35141, 35149, 35153, 35159, 35171, 35201, 35221, 35227, 35251, 35257, 35267, 35279, 35281, 35291, 35311,
248 35317, 35323, 35327, 35339, 35353, 35363, 35381, 35393, 35401, 35407, 35419, 35423, 35437, 35447, 35449, 35461,
249 35491, 35507, 35509, 35521, 35527, 35531, 35533, 35537, 35543, 35569, 35573, 35591, 35593, 35597, 35603, 35617,
250 35671, 35677, 35729, 35731, 35747, 35753, 35759, 35771, 35797, 35801, 35803, 35809, 35831, 35837, 35839, 35851,
251 35863, 35869, 35879, 35897, 35899, 35911, 35923, 35933, 35951, 35963, 35969, 35977, 35983, 35993, 35999, 36007,
252 36011, 36013, 36017, 36037, 36061, 36067, 36073, 36083, 36097, 36107, 36109, 36131, 36137, 36151, 36161, 36187,
253 36191, 36209, 36217, 36229, 36241, 36251, 36263, 36269, 36277, 36293, 36299, 36307, 36313, 36319, 36341, 36343,
254 36353, 36373, 36383, 36389, 36433, 36451, 36457, 36467, 36469, 36473, 36479, 36493, 36497, 36523, 36527, 36529,
255 36541, 36551, 36559, 36563, 36571, 36583, 36587, 36599, 36607, 36629, 36637, 36643, 36653, 36671, 36677, 36683,
256 36691, 36697, 36709, 36713, 36721, 36739, 36749, 36761, 36767, 36779, 36781, 36787, 36791, 36793, 36809, 36821,
257 36833, 36847, 36857, 36871, 36877, 36887, 36899, 36901, 36913, 36919, 36923, 36929, 36931, 36943, 36947, 36973,
258 36979, 36997, 37003, 37013, 37019, 37021, 37039, 37049, 37057, 37061, 37087, 37097, 37117, 37123, 37139, 37159,
259 37171, 37181, 37189, 37199, 37201, 37217, 37223, 37243, 37253, 37273, 37277, 37307, 37309, 37313, 37321, 37337,
260 37339, 37357, 37361, 37363, 37369, 37379, 37397, 37409, 37423, 37441, 37447, 37463, 37483, 37489, 37493, 37501,
261 37507, 37511, 37517, 37529, 37537, 37547, 37549, 37561, 37567, 37571, 37573, 37579, 37589, 37591, 37607, 37619,
262 37633, 37643, 37649, 37657, 37663, 37691, 37693, 37699, 37717, 37747, 37781, 37783, 37799, 37811, 37813, 37831,
263 37847, 37853, 37861, 37871, 37879, 37889, 37897, 37907, 37951, 37957, 37963, 37967, 37987, 37991, 37993, 37997,
264 38011, 38039, 38047, 38053, 38069, 38083, 38113, 38119, 38149, 38153, 38167, 38177, 38183, 38189, 38197, 38201,
265 38219, 38231, 38237, 38239, 38261, 38273, 38281, 38287, 38299, 38303, 38317, 38321, 38327, 38329, 38333, 38351,
266 38371, 38377, 38393, 38431, 38447, 38449, 38453, 38459, 38461, 38501, 38543, 38557, 38561, 38567, 38569, 38593,
267 38603, 38609, 38611, 38629, 38639, 38651, 38653, 38669, 38671, 38677, 38693, 38699, 38707, 38711, 38713, 38723,
268 38729, 38737, 38747, 38749, 38767, 38783, 38791, 38803, 38821, 38833, 38839, 38851, 38861, 38867, 38873, 38891,
269 38903, 38917, 38921, 38923, 38933, 38953, 38959, 38971, 38977, 38993, 39019, 39023, 39041, 39043, 39047, 39079,
270 39089, 39097, 39103, 39107, 39113, 39119, 39133, 39139, 39157, 39161, 39163, 39181, 39191, 39199, 39209, 39217,
271 39227, 39229, 39233, 39239, 39241, 39251, 39293, 39301, 39313, 39317, 39323, 39341, 39343, 39359, 39367, 39371,
272 39373, 39383, 39397, 39409, 39419, 39439, 39443, 39451, 39461, 39499, 39503, 39509, 39511, 39521, 39541, 39551,
273 39563, 39569, 39581, 39607, 39619, 39623, 39631, 39659, 39667, 39671, 39679, 39703, 39709, 39719, 39727, 39733,
274 39749, 39761, 39769, 39779, 39791, 39799, 39821, 39827, 39829, 39839, 39841, 39847, 39857, 39863, 39869, 39877,
275 39883, 39887, 39901, 39929, 39937, 39953, 39971, 39979, 39983, 39989, 40009, 40013, 40031, 40037, 40039, 40063,
276 40087, 40093, 40099, 40111, 40123, 40127, 40129, 40151, 40153, 40163, 40169, 40177, 40189, 40193, 40213, 40231,
277 40237, 40241, 40253, 40277, 40283, 40289, 40343, 40351, 40357, 40361, 40387, 40423, 40427, 40429, 40433, 40459,
278 40471, 40483, 40487, 40493, 40499, 40507, 40519, 40529, 40531, 40543, 40559, 40577, 40583, 40591, 40597, 40609,
279 40627, 40637, 40639, 40693, 40697, 40699, 40709, 40739, 40751, 40759, 40763, 40771, 40787, 40801, 40813, 40819,
280 40823, 40829, 40841, 40847, 40849, 40853, 40867, 40879, 40883, 40897, 40903, 40927, 40933, 40939, 40949, 40961,
281 40973, 40993, 41011, 41017, 41023, 41039, 41047, 41051, 41057, 41077, 41081, 41113, 41117, 41131, 41141, 41143,
282 41149, 41161, 41177, 41179, 41183, 41189, 41201, 41203, 41213, 41221, 41227, 41231, 41233, 41243, 41257, 41263,
283 41269, 41281, 41299, 41333, 41341, 41351, 41357, 41381, 41387, 41389, 41399, 41411, 41413, 41443, 41453, 41467,
284 41479, 41491, 41507, 41513, 41519, 41521, 41539, 41543, 41549, 41579, 41593, 41597, 41603, 41609, 41611, 41617,
285 41621, 41627, 41641, 41647, 41651, 41659, 41669, 41681, 41687, 41719, 41729, 41737, 41759, 41761, 41771, 41777,
286 41801, 41809, 41813, 41843, 41849, 41851, 41863, 41879, 41887, 41893, 41897, 41903, 41911, 41927, 41941, 41947,
287 41953, 41957, 41959, 41969, 41981, 41983, 41999, 42013, 42017, 42019, 42023, 42043, 42061, 42071, 42073, 42083,
288 42089, 42101, 42131, 42139, 42157, 42169, 42179, 42181, 42187, 42193, 42197, 42209, 42221, 42223, 42227, 42239,
289 42257, 42281, 42283, 42293, 42299, 42307, 42323, 42331, 42337, 42349, 42359, 42373, 42379, 42391, 42397, 42403,
290 42407, 42409, 42433, 42437, 42443, 42451, 42457, 42461, 42463, 42467, 42473, 42487, 42491, 42499, 42509, 42533,
291 42557, 42569, 42571, 42577, 42589, 42611, 42641, 42643, 42649, 42667, 42677, 42683, 42689, 42697, 42701, 42703,
292 42709, 42719, 42727, 42737, 42743, 42751, 42767, 42773, 42787, 42793, 42797, 42821, 42829, 42839, 42841, 42853,
293 42859, 42863, 42899, 42901, 42923, 42929, 42937, 42943, 42953, 42961, 42967, 42979, 42989, 43003, 43013, 43019,
294 43037, 43049, 43051, 43063, 43067, 43093, 43103, 43117, 43133, 43151, 43159, 43177, 43189, 43201, 43207, 43223,
295 43237, 43261, 43271, 43283, 43291, 43313, 43319, 43321, 43331, 43391, 43397, 43399, 43403, 43411, 43427, 43441,
296 43451, 43457, 43481, 43487, 43499, 43517, 43541, 43543, 43573, 43577, 43579, 43591, 43597, 43607, 43609, 43613,
297 43627, 43633, 43649, 43651, 43661, 43669, 43691, 43711, 43717, 43721, 43753, 43759, 43777, 43781, 43783, 43787,
298 43789, 43793, 43801, 43853, 43867, 43889, 43891, 43913, 43933, 43943, 43951, 43961, 43963, 43969, 43973, 43987,
299 43991, 43997, 44017, 44021, 44027, 44029, 44041, 44053, 44059, 44071, 44087, 44089, 44101, 44111, 44119, 44123,
300 44129, 44131, 44159, 44171, 44179, 44189, 44201, 44203, 44207, 44221, 44249, 44257, 44263, 44267, 44269, 44273,
301 44279, 44281, 44293, 44351, 44357, 44371, 44381, 44383, 44389, 44417, 44449, 44453, 44483, 44491, 44497, 44501,
302 44507, 44519, 44531, 44533, 44537, 44543, 44549, 44563, 44579, 44587, 44617, 44621, 44623, 44633, 44641, 44647,
303 44651, 44657, 44683, 44687, 44699, 44701, 44711, 44729, 44741, 44753, 44771, 44773, 44777, 44789, 44797, 44809,
304 44819, 44839, 44843, 44851, 44867, 44879, 44887, 44893, 44909, 44917, 44927, 44939, 44953, 44959, 44963, 44971,
305 44983, 44987, 45007, 45013, 45053, 45061, 45077, 45083, 45119, 45121, 45127, 45131, 45137, 45139, 45161, 45179,
306 45181, 45191, 45197, 45233, 45247, 45259, 45263, 45281, 45289, 45293, 45307, 45317, 45319, 45329, 45337, 45341,
307 45343, 45361, 45377, 45389, 45403, 45413, 45427, 45433, 45439, 45481, 45491, 45497, 45503, 45523, 45533, 45541,
308 45553, 45557, 45569, 45587, 45589, 45599, 45613, 45631, 45641, 45659, 45667, 45673, 45677, 45691, 45697, 45707,
309 45737, 45751, 45757, 45763, 45767, 45779, 45817, 45821, 45823, 45827, 45833, 45841, 45853, 45863, 45869, 45887,
310 45893, 45943, 45949, 45953, 45959, 45971, 45979, 45989, 46021, 46027, 46049, 46051, 46061, 46073, 46091, 46093,
311 46099, 46103, 46133, 46141, 46147, 46153, 46171, 46181, 46183, 46187, 46199, 46219, 46229, 46237, 46261, 46271,
312 46273, 46279, 46301, 46307, 46309, 46327, 46337, 46349, 46351, 46381, 46399, 46411, 46439, 46441, 46447, 46451,
313 46457, 46471, 46477, 46489, 46499, 46507, 46511, 46523, 46549, 46559, 46567, 46573, 46589, 46591, 46601, 46619,
314 46633, 46639, 46643, 46649, 46663, 46679, 46681, 46687, 46691, 46703, 46723, 46727, 46747, 46751, 46757, 46769,
315 46771, 46807, 46811, 46817, 46819, 46829, 46831, 46853, 46861, 46867, 46877, 46889, 46901, 46919, 46933, 46957,
316 46993, 46997, 47017, 47041, 47051, 47057, 47059, 47087, 47093, 47111, 47119, 47123, 47129, 47137, 47143, 47147,
317 47149, 47161, 47189, 47207, 47221, 47237, 47251, 47269, 47279, 47287, 47293, 47297, 47303, 47309, 47317, 47339,
318 47351, 47353, 47363, 47381, 47387, 47389, 47407, 47417, 47419, 47431, 47441, 47459, 47491, 47497, 47501, 47507,
319 47513, 47521, 47527, 47533, 47543, 47563, 47569, 47581, 47591, 47599, 47609, 47623, 47629, 47639, 47653, 47657,
320 47659, 47681, 47699, 47701, 47711, 47713, 47717, 47737, 47741, 47743, 47777, 47779, 47791, 47797, 47807, 47809,
321 47819, 47837, 47843, 47857, 47869, 47881, 47903, 47911, 47917, 47933, 47939, 47947, 47951, 47963, 47969, 47977,
322 47981, 48017, 48023, 48029, 48049, 48073, 48079, 48091, 48109, 48119, 48121, 48131, 48157, 48163, 48179, 48187,
323 48193, 48197, 48221, 48239, 48247, 48259, 48271, 48281, 48299, 48311, 48313, 48337, 48341, 48353, 48371, 48383,
324 48397, 48407, 48409, 48413, 48437, 48449, 48463, 48473, 48479, 48481, 48487, 48491, 48497, 48523, 48527, 48533,
325 48539, 48541, 48563, 48571, 48589, 48593, 48611, 48619, 48623, 48647, 48649, 48661, 48673, 48677, 48679, 48731,
326 48733, 48751, 48757, 48761, 48767, 48779, 48781, 48787, 48799, 48809, 48817, 48821, 48823, 48847, 48857, 48859,
327 48869, 48871, 48883, 48889, 48907, 48947, 48953, 48973, 48989, 48991, 49003, 49009, 49019, 49031, 49033, 49037,
328 49043, 49057, 49069, 49081, 49103, 49109, 49117, 49121, 49123, 49139, 49157, 49169, 49171, 49177, 49193, 49199,
329 49201, 49207, 49211, 49223, 49253, 49261, 49277, 49279, 49297, 49307, 49331, 49333, 49339, 49363, 49367, 49369,
330 49391, 49393, 49409, 49411, 49417, 49429, 49433, 49451, 49459, 49463, 49477, 49481, 49499, 49523, 49529, 49531,
331 49537, 49547, 49549, 49559, 49597, 49603, 49613, 49627, 49633, 49639, 49663, 49667, 49669, 49681, 49697, 49711,
332 49727, 49739, 49741, 49747, 49757, 49783, 49787, 49789, 49801, 49807, 49811, 49823, 49831, 49843, 49853, 49871,
333 49877, 49891, 49919, 49921, 49927, 49937, 49939, 49943, 49957, 49991, 49993, 49999, 50021, 50023, 50033, 50047,
334 50051, 50053, 50069, 50077, 50087, 50093, 50101, 50111, 50119, 50123, 50129, 50131, 50147, 50153, 50159, 50177,
335 50207, 50221, 50227, 50231, 50261, 50263, 50273, 50287, 50291, 50311, 50321, 50329, 50333, 50341, 50359, 50363,
336 50377, 50383, 50387, 50411, 50417, 50423, 50441, 50459, 50461, 50497, 50503, 50513, 50527, 50539, 50543, 50549,
337 50551, 50581, 50587, 50591, 50593, 50599, 50627, 50647, 50651, 50671, 50683, 50707, 50723, 50741, 50753, 50767,
338 50773, 50777, 50789, 50821, 50833, 50839, 50849, 50857, 50867, 50873, 50891, 50893, 50909, 50923, 50929, 50951,
339 50957, 50969, 50971, 50989, 50993, 51001, 51031, 51043, 51047, 51059, 51061, 51071, 51109, 51131, 51133, 51137,
340 51151, 51157, 51169, 51193, 51197, 51199, 51203, 51217, 51229, 51239, 51241, 51257, 51263, 51283, 51287, 51307,
341 51329, 51341, 51343, 51347, 51349, 51361, 51383, 51407, 51413, 51419, 51421, 51427, 51431, 51437, 51439, 51449,
342 51461, 51473, 51479, 51481, 51487, 51503, 51511, 51517, 51521, 51539, 51551, 51563, 51577, 51581, 51593, 51599,
343 51607, 51613, 51631, 51637, 51647, 51659, 51673, 51679, 51683, 51691, 51713, 51719, 51721, 51749, 51767, 51769,
344 51787, 51797, 51803, 51817, 51827, 51829, 51839, 51853, 51859, 51869, 51871, 51893, 51899, 51907, 51913, 51929,
345 51941, 51949, 51971, 51973, 51977, 51991, 52009, 52021, 52027, 52051, 52057, 52067, 52069, 52081, 52103, 52121,
346 52127, 52147, 52153, 52163, 52177, 52181, 52183, 52189, 52201, 52223, 52237, 52249, 52253, 52259, 52267, 52289,
347 52291, 52301, 52313, 52321, 52361, 52363, 52369, 52379, 52387, 52391, 52433, 52453, 52457, 52489, 52501, 52511,
348 52517, 52529, 52541, 52543, 52553, 52561, 52567, 52571, 52579, 52583, 52609, 52627, 52631, 52639, 52667, 52673,
349 52691, 52697, 52709, 52711, 52721, 52727, 52733, 52747, 52757, 52769, 52783, 52807, 52813, 52817, 52837, 52859,
350 52861, 52879, 52883, 52889, 52901, 52903, 52919, 52937, 52951, 52957, 52963, 52967, 52973, 52981, 52999, 53003,
351 53017, 53047, 53051, 53069, 53077, 53087, 53089, 53093, 53101, 53113, 53117, 53129, 53147, 53149, 53161, 53171,
352 53173, 53189, 53197, 53201, 53231, 53233, 53239, 53267, 53269, 53279, 53281, 53299, 53309, 53323, 53327, 53353,
353 53359, 53377, 53381, 53401, 53407, 53411, 53419, 53437, 53441, 53453, 53479, 53503, 53507, 53527, 53549, 53551,
354 53569, 53591, 53593, 53597, 53609, 53611, 53617, 53623, 53629, 53633, 53639, 53653, 53657, 53681, 53693, 53699,
355 53717, 53719, 53731, 53759, 53773, 53777, 53783, 53791, 53813, 53819, 53831, 53849, 53857, 53861, 53881, 53887,
356 53891, 53897, 53899, 53917, 53923, 53927, 53939, 53951, 53959, 53987, 53993, 54001, 54011, 54013, 54037, 54049,
357 54059, 54083, 54091, 54101, 54121, 54133, 54139, 54151, 54163, 54167, 54181, 54193, 54217, 54251, 54269, 54277,
358 54287, 54293, 54311, 54319, 54323, 54331, 54347, 54361, 54367, 54371, 54377, 54401, 54403, 54409, 54413, 54419,
359 54421, 54437, 54443, 54449, 54469, 54493, 54497, 54499, 54503, 54517, 54521, 54539, 54541, 54547, 54559, 54563,
360 54577, 54581, 54583, 54601, 54617, 54623, 54629, 54631, 54647, 54667, 54673, 54679, 54709, 54713, 54721, 54727,
361 54751, 54767, 54773, 54779, 54787, 54799, 54829, 54833, 54851, 54869, 54877, 54881, 54907, 54917, 54919, 54941,
362 54949, 54959, 54973, 54979, 54983, 55001, 55009, 55021, 55049, 55051, 55057, 55061, 55073, 55079, 55103, 55109,
363 55117, 55127, 55147, 55163, 55171, 55201, 55207, 55213, 55217, 55219, 55229, 55243, 55249, 55259, 55291, 55313,
364 55331, 55333, 55337, 55339, 55343, 55351, 55373, 55381, 55399, 55411, 55439, 55441, 55457, 55469, 55487, 55501,
365 55511, 55529, 55541, 55547, 55579, 55589, 55603, 55609, 55619, 55621, 55631, 55633, 55639, 55661, 55663, 55667,
366 55673, 55681, 55691, 55697, 55711, 55717, 55721, 55733, 55763, 55787, 55793, 55799, 55807, 55813, 55817, 55819,
367 55823, 55829, 55837, 55843, 55849, 55871, 55889, 55897, 55901, 55903, 55921, 55927, 55931, 55933, 55949, 55967,
368 55987, 55997, 56003, 56009, 56039, 56041, 56053, 56081, 56087, 56093, 56099, 56101, 56113, 56123, 56131, 56149,
369 56167, 56171, 56179, 56197, 56207, 56209, 56237, 56239, 56249, 56263, 56267, 56269, 56299, 56311, 56333, 56359,
370 56369, 56377, 56383, 56393, 56401, 56417, 56431, 56437, 56443, 56453, 56467, 56473, 56477, 56479, 56489, 56501,
371 56503, 56509, 56519, 56527, 56531, 56533, 56543, 56569, 56591, 56597, 56599, 56611, 56629, 56633, 56659, 56663,
372 56671, 56681, 56687, 56701, 56711, 56713, 56731, 56737, 56747, 56767, 56773, 56779, 56783, 56807, 56809, 56813,
373 56821, 56827, 56843, 56857, 56873, 56891, 56893, 56897, 56909, 56911, 56921, 56923, 56929, 56941, 56951, 56957,
374 56963, 56983, 56989, 56993, 56999, 57037, 57041, 57047, 57059, 57073, 57077, 57089, 57097, 57107, 57119, 57131,
375 57139, 57143, 57149, 57163, 57173, 57179, 57191, 57193, 57203, 57221, 57223, 57241, 57251, 57259, 57269, 57271,
376 57283, 57287, 57301, 57329, 57331, 57347, 57349, 57367, 57373, 57383, 57389, 57397, 57413, 57427, 57457, 57467,
377 57487, 57493, 57503, 57527, 57529, 57557, 57559, 57571, 57587, 57593, 57601, 57637, 57641, 57649, 57653, 57667,
378 57679, 57689, 57697, 57709, 57713, 57719, 57727, 57731, 57737, 57751, 57773, 57781, 57787, 57791, 57793, 57803,
379 57809, 57829, 57839, 57847, 57853, 57859, 57881, 57899, 57901, 57917, 57923, 57943, 57947, 57973, 57977, 57991,
380 58013, 58027, 58031, 58043, 58049, 58057, 58061, 58067, 58073, 58099, 58109, 58111, 58129, 58147, 58151, 58153,
381 58169, 58171, 58189, 58193, 58199, 58207, 58211, 58217, 58229, 58231, 58237, 58243, 58271, 58309, 58313, 58321,
382 58337, 58363, 58367, 58369, 58379, 58391, 58393, 58403, 58411, 58417, 58427, 58439, 58441, 58451, 58453, 58477,
383 58481, 58511, 58537, 58543, 58549, 58567, 58573, 58579, 58601, 58603, 58613, 58631, 58657, 58661, 58679, 58687,
384 58693, 58699, 58711, 58727, 58733, 58741, 58757, 58763, 58771, 58787, 58789, 58831, 58889, 58897, 58901, 58907,
385 58909, 58913, 58921, 58937, 58943, 58963, 58967, 58979, 58991, 58997, 59009, 59011, 59021, 59023, 59029, 59051,
386 59053, 59063, 59069, 59077, 59083, 59093, 59107, 59113, 59119, 59123, 59141, 59149, 59159, 59167, 59183, 59197,
387 59207, 59209, 59219, 59221, 59233, 59239, 59243, 59263, 59273, 59281, 59333, 59341, 59351, 59357, 59359, 59369,
388 59377, 59387, 59393, 59399, 59407, 59417, 59419, 59441, 59443, 59447, 59453, 59467, 59471, 59473, 59497, 59509,
389 59513, 59539, 59557, 59561, 59567, 59581, 59611, 59617, 59621, 59627, 59629, 59651, 59659, 59663, 59669, 59671,
390 59693, 59699, 59707, 59723, 59729, 59743, 59747, 59753, 59771, 59779, 59791, 59797, 59809, 59833, 59863, 59879,
391 59887, 59921, 59929, 59951, 59957, 59971, 59981, 59999, 60013, 60017, 60029, 60037, 60041, 60077, 60083, 60089,
392 60091, 60101, 60103, 60107, 60127, 60133, 60139, 60149, 60161, 60167, 60169, 60209, 60217, 60223, 60251, 60257,
393 60259, 60271, 60289, 60293, 60317, 60331, 60337, 60343, 60353, 60373, 60383, 60397, 60413, 60427, 60443, 60449,
394 60457, 60493, 60497, 60509, 60521, 60527, 60539, 60589, 60601, 60607, 60611, 60617, 60623, 60631, 60637, 60647,
395 60649, 60659, 60661, 60679, 60689, 60703, 60719, 60727, 60733, 60737, 60757, 60761, 60763, 60773, 60779, 60793,
396 60811, 60821, 60859, 60869, 60887, 60889, 60899, 60901, 60913, 60917, 60919, 60923, 60937, 60943, 60953, 60961,
397 61001, 61007, 61027, 61031, 61043, 61051, 61057, 61091, 61099, 61121, 61129, 61141, 61151, 61153, 61169, 61211,
398 61223, 61231, 61253, 61261, 61283, 61291, 61297, 61331, 61333, 61339, 61343, 61357, 61363, 61379, 61381, 61403,
399 61409, 61417, 61441, 61463, 61469, 61471, 61483, 61487, 61493, 61507, 61511, 61519, 61543, 61547, 61553, 61559,
400 61561, 61583, 61603, 61609, 61613, 61627, 61631, 61637, 61643, 61651, 61657, 61667, 61673, 61681, 61687, 61703,
401 61717, 61723, 61729, 61751, 61757, 61781, 61813, 61819, 61837, 61843, 61861, 61871, 61879, 61909, 61927, 61933,
402 61949, 61961, 61967, 61979, 61981, 61987, 61991, 62003, 62011, 62017, 62039, 62047, 62053, 62057, 62071, 62081,
403 62099, 62119, 62129, 62131, 62137, 62141, 62143, 62171, 62189, 62191, 62201, 62207, 62213, 62219, 62233, 62273,
404 62297, 62299, 62303, 62311, 62323, 62327, 62347, 62351, 62383, 62401, 62417, 62423, 62459, 62467, 62473, 62477,
405 62483, 62497, 62501, 62507, 62533, 62539, 62549, 62563, 62581, 62591, 62597, 62603, 62617, 62627, 62633, 62639,
406 62653, 62659, 62683, 62687, 62701, 62723, 62731, 62743, 62753, 62761, 62773, 62791, 62801, 62819, 62827, 62851,
407 62861, 62869, 62873, 62897, 62903, 62921, 62927, 62929, 62939, 62969, 62971, 62981, 62983, 62987, 62989, 63029,
408 63031, 63059, 63067, 63073, 63079, 63097, 63103, 63113, 63127, 63131, 63149, 63179, 63197, 63199, 63211, 63241,
409 63247, 63277, 63281, 63299, 63311, 63313, 63317, 63331, 63337, 63347, 63353, 63361, 63367, 63377, 63389, 63391,
410 63397, 63409, 63419, 63421, 63439, 63443, 63463, 63467, 63473, 63487, 63493, 63499, 63521, 63527, 63533, 63541,
411 63559, 63577, 63587, 63589, 63599, 63601, 63607, 63611, 63617, 63629, 63647, 63649, 63659, 63667, 63671, 63689,
412 63691, 63697, 63703, 63709, 63719, 63727, 63737, 63743, 63761, 63773, 63781, 63793, 63799, 63803, 63809, 63823,
413 63839, 63841, 63853, 63857, 63863, 63901, 63907, 63913, 63929, 63949, 63977, 63997, 64007, 64013, 64019, 64033,
414 64037, 64063, 64067, 64081, 64091, 64109, 64123, 64151, 64153, 64157, 64171, 64187, 64189, 64217, 64223, 64231,
415 64237, 64271, 64279, 64283, 64301, 64303, 64319, 64327, 64333, 64373, 64381, 64399, 64403, 64433, 64439, 64451,
416 64453, 64483, 64489, 64499, 64513, 64553, 64567, 64577, 64579, 64591, 64601, 64609, 64613, 64621, 64627, 64633,
417 64661, 64663, 64667, 64679, 64693, 64709, 64717, 64747, 64763, 64781, 64783, 64793, 64811, 64817, 64849, 64853,
418 64871, 64877, 64879, 64891, 64901, 64919, 64921, 64927, 64937, 64951, 64969, 64997, 65003, 65011, 65027, 65029,
419 65033, 65053, 65063, 65071, 65089, 65099, 65101, 65111, 65119, 65123, 65129, 65141, 65147, 65167, 65171, 65173,
420 65179, 65183, 65203, 65213, 65239, 65257, 65267, 65269, 65287, 65293, 65309, 65323, 65327, 65353, 65357, 65371,
421 65381, 65393, 65407, 65413, 65419, 65423, 65437, 65447, 65449, 65479, 65497, 65519, 65521, 0};
Referenced by Botan::DL_Group::DL_Group(), is_prime(), and random_prime().
◆ STREEBOG_Ax
|
extern |
Definition at line 34 of file streebog_precalc.cpp.
34 {
35 {0xd01f715b5c7ef8e6, 0x16fa240980778325, 0xa8a42e857ee049c8, 0x6ac1068fa186465b, 0x6e417bd7a2e9320b,
36 0x665c8167a437daab, 0x7666681aa89617f6, 0x4b959163700bdcf5, 0xf14be6b78df36248, 0xc585bd689a625cff,
37 0x9557d7fca67d82cb, 0x89f0b969af6dd366, 0xb0833d48749f6c35, 0xa1998c23b1ecbc7c, 0x8d70c431ac02a736,
38 0xd6dfbc2fd0a8b69e, 0x37aeb3e551fa198b, 0x0b7d128a40b5cf9c, 0x5a8f2008b5780cbc, 0xedec882284e333e5,
39 0xd25fc177d3c7c2ce, 0x5e0f5d50b61778ec, 0x1d873683c0c24cb9, 0xad040bcbb45d208c, 0x2f89a0285b853c76,
40 0x5732fff6791b8d58, 0x3e9311439ef6ec3f, 0xc9183a809fd3c00f, 0x83adf3f5260a01ee, 0xa6791941f4e8ef10,
41 0x103ae97d0ca1cd5d, 0x2ce948121dee1b4a, 0x39738421dbf2bf53, 0x093da2a6cf0cf5b4, 0xcd9847d89cbcb45f,
42 0xf9561c078b2d8ae8, 0x9c6a755a6971777f, 0xbc1ebaa0712ef0c5, 0x72e61542abf963a6, 0x78bb5fde229eb12e,
43 0x14ba94250fceb90d, 0x844d6697630e5282, 0x98ea08026a1e032f, 0xf06bbea144217f5c, 0xdb6263d11ccb377a,
44 0x641c314b2b8ee083, 0x320e96ab9b4770cf, 0x1ee7deb986a96b85, 0xe96cf57a878c47b5, 0xfdd6615f8842feb8,
45 0xc83862965601dd1b, 0x2ea9f83e92572162, 0xf876441142ff97fc, 0xeb2c455608357d9d, 0x5612a7e0b0c9904c,
46 0x6c01cbfb2d500823, 0x4548a6a7fa037a2d, 0xabc4c6bf388b6ef4, 0xbade77d4fdf8bebd, 0x799b07c8eb4cac3a,
47 0x0c9d87e805b19cf0, 0xcb588aac106afa27, 0xea0c1d40c1e76089, 0x2869354a1e816f1a, 0xff96d17307fbc490,
48 0x9f0a9d602f1a5043, 0x96373fc6e016a5f7, 0x5292dab8b3a6e41c, 0x9b8ae0382c752413, 0x4f15ec3b7364a8a5,
49 0x3fb349555724f12b, 0xc7c50d4415db66d7, 0x92b7429ee379d1a7, 0xd37f99611a15dfda, 0x231427c05e34a086,
50 0xa439a96d7b51d538, 0xb403401077f01865, 0xdda2aea5901d7902, 0x0a5d4a9c8967d288, 0xc265280adf660f93,
51 0x8bb0094520d4e94e, 0x2a29856691385532, 0x42a833c5bf072941, 0x73c64d54622b7eb2, 0x07e095624504536c,
52 0x8a905153e906f45a, 0x6f6123c16b3b2f1f, 0xc6e55552dc097bc3, 0x4468feb133d16739, 0xe211e7f0c7398829,
53 0xa2f96419f7879b40, 0x19074bdbc3ad38e9, 0xf4ebc3f9474e0b0c, 0x43886bd376d53455, 0xd8028beb5aa01046,
54 0x51f23282f5cdc320, 0xe7b1c2be0d84e16d, 0x081dfab006dee8a0, 0x3b33340d544b857b, 0x7f5bcabc679ae242,
55 0x0edd37c48a08a6d8, 0x81ed43d9a9b33bc6, 0xb1a3655ebd4d7121, 0x69a1eeb5e7ed6167, 0xf6ab73d5c8f73124,
56 0x1a67a3e185c61fd5, 0x2dc91004d43c065e, 0x0240b02c8fb93a28, 0x90f7f2b26cc0eb8f, 0x3cd3a16f114fd617,
57 0xaae49ea9f15973e0, 0x06c0cd748cd64e78, 0xda423bc7d5192a6e, 0xc345701c16b41287, 0x6d2193ede4821537,
58 0xfcf639494190e3ac, 0x7c3b228621f1c57e, 0xfb16ac2b0494b0c0, 0xbf7e529a3745d7f9, 0x6881b6a32e3f7c73,
59 0xca78d2bad9b8e733, 0xbbfe2fc2342aa3a9, 0x0dbddffecc6381e4, 0x70a6a56e2440598e, 0xe4d12a844befc651,
60 0x8c509c2765d0ba22, 0xee8c6018c28814d9, 0x17da7c1f49a59e31, 0x609c4c1328e194d3, 0xb3e3d57232f44b09,
61 0x91d7aaa4a512f69b, 0x0ffd6fd243dabbcc, 0x50d26a943c1fde34, 0x6be15e9968545b4f, 0x94778fea6faf9fdf,
62 0x2b09dd7058ea4826, 0x677cd9716de5c7bf, 0x49d5214fffb2e6dd, 0x0360e83a466b273c, 0x1fc786af4f7b7691,
63 0xa0b9d435783ea168, 0xd49f0c035f118cb6, 0x01205816c9d21d14, 0xac2453dd7d8f3d98, 0x545217cc3f70aa64,
64 0x26b4028e9489c9c2, 0xdec2469fd6765e3e, 0x04807d58036f7450, 0xe5f17292823ddb45, 0xf30b569b024a5860,
65 0x62dcfc3fa758aefb, 0xe84cad6c4e5e5aa1, 0xccb81fce556ea94b, 0x53b282ae7a74f908, 0x1b47fbf74c1402c1,
66 0x368eebf39828049f, 0x7afbeff2ad278b06, 0xbe5e0a8cfe97caed, 0xcfd8f7f413058e77, 0xf78b2bc301252c30,
67 0x4d555c17fcdd928d, 0x5f2f05467fc565f8, 0x24f4b2a21b30f3ea, 0x860dd6bbecb768aa, 0x4c750401350f8f99,
68 0x0000000000000000, 0xecccd0344d312ef1, 0xb5231806be220571, 0xc105c030990d28af, 0x653c695de25cfd97,
69 0x159acc33c61ca419, 0xb89ec7f872418495, 0xa9847693b73254dc, 0x58cf90243ac13694, 0x59efc832f3132b80,
70 0x5c4fed7c39ae42c4, 0x828dabe3efd81cfa, 0xd13f294d95ace5f2, 0x7d1b7a90e823d86a, 0xb643f03cf849224d,
71 0x3df3f979d89dcb03, 0x7426d836272f2dde, 0xdfe21e891fa4432a, 0x3a136c1b9d99986f, 0xfa36f43dcd46add4,
72 0xc025982650df35bb, 0x856d3e81aadc4f96, 0xc4a5e57e53b041eb, 0x4708168b75ba4005, 0xaf44bbe73be41aa4,
73 0x971767d029c4b8e3, 0xb9be9feebb939981, 0x215497ecd18d9aae, 0x316e7e91dd2c57f3, 0xcef8afe2dad79363,
74 0x3853dc371220a247, 0x35ee03c9de4323a3, 0xe6919aa8c456fc79, 0xe05157dc4880b201, 0x7bdbb7e464f59612,
75 0x127a59518318f775, 0x332ecebd52956ddb, 0x8f30741d23bb9d1e, 0xd922d3fd93720d52, 0x7746300c61440ae2,
76 0x25d4eab4d2e2eefe, 0x75068020eefd30ca, 0x135a01474acaea61, 0x304e268714fe4ae7, 0xa519f17bb283c82c,
77 0xdc82f6b359cf6416, 0x5baf781e7caa11a8, 0xb2c38d64fb26561d, 0x34ce5bdf17913eb7, 0x5d6fb56af07c5fd0,
78 0x182713cd0a7f25fd, 0x9e2ac576e6c84d57, 0x9aaab82ee5a73907, 0xa3d93c0f3e558654, 0x7e7b92aaae48ff56,
79 0x872d8ead256575be, 0x41c8dbfff96c0e7d, 0x99ca5014a3cc1e3b, 0x40e883e930be1369, 0x1ca76e95091051ad,
80 0x4e35b42dbab6b5b1, 0x05a0254ecabd6944, 0xe1710fca8152af15, 0xf22b0e8dcb984574, 0xb763a82a319b3f59,
81 0x63fca4296e8ab3ef, 0x9d4a2d4ca0a36a6b, 0xe331bfe60eeb953d, 0xd5bf541596c391a2, 0xf5cb9bef8e9c1618,
82 0x46284e9dbc685d11, 0x2074cffa185f87ba, 0xbd3ee2b6b8fcedd1, 0xae64e3f1f23607b0, 0xfeb68965ce29d984,
83 0x55724fdaf6a2b770, 0x29496d5cd753720e, 0xa75941573d3af204, 0x8e102c0bea69800a, 0x111ab16bc573d049,
84 0xd7ffe439197aab8a, 0xefac380e0b5a09cd, 0x48f579593660fbc9, 0x22347fd697e6bd92, 0x61bc1405e13389c7,
85 0x4ab5c975b9d9c1e1, 0x80cd1bcf606126d2, 0x7186fd78ed92449a, 0x93971a882aabccb3, 0x88d0e17f66bfce72,
86 0x27945a985d5bd4d6},
87 {0xde553f8c05a811c8, 0x1906b59631b4f565, 0x436e70d6b1964ff7, 0x36d343cb8b1e9d85, 0x843dfacc858aab5a,
88 0xfdfc95c299bfc7f9, 0x0f634bdea1d51fa2, 0x6d458b3b76efb3cd, 0x85c3f77cf8593f80, 0x3c91315fbe737cb2,
89 0x2148b03366ace398, 0x18f8b8264c6761bf, 0xc830c1c495c9fb0f, 0x981a76102086a0aa, 0xaa16012142f35760,
90 0x35cc54060c763cf6, 0x42907d66cc45db2d, 0x8203d44b965af4bc, 0x3d6f3cefc3a0e868, 0xbc73ff69d292bda7,
91 0x8722ed0102e20a29, 0x8f8185e8cd34deb7, 0x9b0561dda7ee01d9, 0x5335a0193227fad6, 0xc9cecc74e81a6fd5,
92 0x54f5832e5c2431ea, 0x99e47ba05d553470, 0xf7bee756acd226ce, 0x384e05a5571816fd, 0xd1367452a47d0e6a,
93 0xf29fde1c386ad85b, 0x320c77316275f7ca, 0xd0c879e2d9ae9ab0, 0xdb7406c69110ef5d, 0x45505e51a2461011,
94 0xfc029872e46c5323, 0xfa3cb6f5f7bc0cc5, 0x031f17cd8768a173, 0xbd8df2d9af41297d, 0x9d3b4f5ab43e5e3f,
95 0x4071671b36feee84, 0x716207e7d3e3b83d, 0x48d20ff2f9283a1a, 0x27769eb4757cbc7e, 0x5c56ebc793f2e574,
96 0xa48b474f9ef5dc18, 0x52cbada94ff46e0c, 0x60c7da982d8199c6, 0x0e9d466edc068b78, 0x4eec2175eaf865fc,
97 0x550b8e9e21f7a530, 0x6b7ba5bc653fec2b, 0x5eb7f1ba6949d0dd, 0x57ea94e3db4c9099, 0xf640eae6d101b214,
98 0xdd4a284182c0b0bb, 0xff1d8fbf6304f250, 0xb8accb933bf9d7e8, 0xe8867c478eb68c4d, 0x3f8e2692391bddc1,
99 0xcb2fd60912a15a7c, 0xaec935dbab983d2f, 0xf55ffd2b56691367, 0x80e2ce366ce1c115, 0x179bf3f8edb27e1d,
100 0x01fe0db07dd394da, 0xda8a0b76ecc37b87, 0x44ae53e1df9584cb, 0xb310b4b77347a205, 0xdfab323c787b8512,
101 0x3b511268d070b78e, 0x65e6e3d2b9396753, 0x6864b271e2574d58, 0x259784c98fc789d7, 0x02e11a7dfabb35a9,
102 0x8841a6dfa337158b, 0x7ade78c39b5dcdd0, 0xb7cf804d9a2cc84a, 0x20b6bd831b7f7742, 0x75bd331d3a88d272,
103 0x418f6aab4b2d7a5e, 0xd9951cbb6babdaf4, 0xb6318dfde7ff5c90, 0x1f389b112264aa83, 0x492c024284fbaec0,
104 0xe33a0363c608f9a0, 0x2688930408af28a4, 0xc7538a1a341ce4ad, 0x5da8e677ee2171ae, 0x8c9e92254a5c7fc4,
105 0x63d8cd55aae938b5, 0x29ebd8daa97a3706, 0x959827b37be88aa1, 0x1484e4356adadf6e, 0xa7945082199d7d6b,
106 0xbf6ce8a455fa1cd4, 0x9cc542eac9edcae5, 0x79c16f0e1c356ca3, 0x89bfab6fdee48151, 0xd4174d1830c5f0ff,
107 0x9258048415eb419d, 0x6139d72850520d1c, 0x6a85a80c18ec78f1, 0xcd11f88e0171059a, 0xcceff53e7ca29140,
108 0xd229639f2315af19, 0x90b91ef9ef507434, 0x5977d28d074a1be1, 0x311360fce51d56b9, 0xc093a92d5a1f2f91,
109 0x1a19a25bb6dc5416, 0xeb996b8a09de2d3e, 0xfee3820f1ed7668a, 0xd7085ad5b7ad518c, 0x7fff41890fe53345,
110 0xec5948bd67dde602, 0x2fd5f65dbaaa68e0, 0xa5754affe32648c2, 0xf8ddac880d07396c, 0x6fa491468c548664,
111 0x0c7c5c1326bdbed1, 0x4a33158f03930fb3, 0x699abfc19f84d982, 0xe4fa2054a80b329c, 0x6707f9af438252fa,
112 0x08a368e9cfd6d49e, 0x47b1442c58fd25b8, 0xbbb3dc5ebc91769b, 0x1665fe489061eac7, 0x33f27a811fa66310,
113 0x93a609346838d547, 0x30ed6d4c98cec263, 0x1dd9816cd8df9f2a, 0x94662a03063b1e7b, 0x83fdd9fbeb896066,
114 0x7b207573e68e590a, 0x5f49fc0a149a4407, 0x343259b671a5a82c, 0xfbc2bb458a6f981f, 0xc272b350a0a41a38,
115 0x3aaf1fd8ada32354, 0x6cbb868b0b3c2717, 0xa2b569c88d2583fe, 0xf180c9d1bf027928, 0xaf37386bd64ba9f5,
116 0x12bacab2790a8088, 0x4c0d3b0810435055, 0xb2eeb9070e9436df, 0xc5b29067cea7d104, 0xdcb425f1ff132461,
117 0x4f122cc5972bf126, 0xac282fa651230886, 0xe7e537992f6393ef, 0xe61b3a2952b00735, 0x709c0a57ae302ce7,
118 0xe02514ae416058d3, 0xc44c9dd7b37445de, 0x5a68c5408022ba92, 0x1c278cdca50c0bf0, 0x6e5a9cf6f18712be,
119 0x86dce0b17f319ef3, 0x2d34ec2040115d49, 0x4bcd183f7e409b69, 0x2815d56ad4a9a3dc, 0x24698979f2141d0d,
120 0x0000000000000000, 0x1ec696a15fb73e59, 0xd86b110b16784e2e, 0x8e7f8858b0e74a6d, 0x063e2e8713d05fe6,
121 0xe2c40ed3bbdb6d7a, 0xb1f1aeca89fc97ac, 0xe1db191e3cb3cc09, 0x6418ee62c4eaf389, 0xc6ad87aa49cf7077,
122 0xd6f65765ca7ec556, 0x9afb6c6dda3d9503, 0x7ce05644888d9236, 0x8d609f95378feb1e, 0x23a9aa4e9c17d631,
123 0x6226c0e5d73aac6f, 0x56149953a69f0443, 0xeeb852c09d66d3ab, 0x2b0ac2a753c102af, 0x07c023376e03cb3c,
124 0x2ccae1903dc2c993, 0xd3d76e2f5ec63bc3, 0x9e2458973356ff4c, 0xa66a5d32644ee9b1, 0x0a427294356de137,
125 0x783f62be61e6f879, 0x1344c70204d91452, 0x5b96c8f0fdf12e48, 0xa90916ecc59bf613, 0xbe92e5142829880e,
126 0x727d102a548b194e, 0x1be7afebcb0fc0cc, 0x3e702b2244c8491b, 0xd5e940a84d166425, 0x66f9f41f3e51c620,
127 0xabe80c913f20c3ba, 0xf07ec461c2d1edf2, 0xf361d3ac45b94c81, 0x0521394a94b8fe95, 0xadd622162cf09c5c,
128 0xe97871f7f3651897, 0xf4a1f09b2bba87bd, 0x095d6559b2054044, 0x0bbc7f2448be75ed, 0x2af4cf172e129675,
129 0x157ae98517094bb4, 0x9fda55274e856b96, 0x914713499283e0ee, 0xb952c623462a4332, 0x74433ead475b46a8,
130 0x8b5eb112245fb4f8, 0xa34b6478f0f61724, 0x11a5dd7ffe6221fb, 0xc16da49d27ccbb4b, 0x76a224d0bde07301,
131 0x8aa0bca2598c2022, 0x4df336b86d90c48f, 0xea67663a740db9e4, 0xef465f70e0b54771, 0x39b008152acb8227,
132 0x7d1e5bf4f55e06ec, 0x105bd0cf83b1b521, 0x775c2960c033e7db, 0x7e014c397236a79f, 0x811cc386113255cf,
133 0xeda7450d1a0e72d8, 0x5889df3d7a998f3b, 0x2e2bfbedc779fc3a, 0xce0eef438619a4e9, 0x372d4e7bf6cd095f,
134 0x04df34fae96b6a4f, 0xf923a13870d4adb6, 0xa1aa7e050a4d228d, 0xa8f71b5cb84862c9, 0xb52e9a306097fde3,
135 0x0d8251a35b6e2a0b, 0x2257a7fee1c442eb, 0x73831d9a29588d94, 0x51d4ba64c89ccf7f, 0x502ab7d4b54f5ba5,
136 0x97793dce8153bf08, 0xe5042de4d5d8a646, 0x9687307efc802bd2, 0xa05473b5779eb657, 0xb4d097801d446939,
137 0xcff0e2f3fbca3033, 0xc38cbee0dd778ee2, 0x464f499c252eb162, 0xcad1dbb96f72cea6, 0xba4dd1eec142e241,
138 0xb00fa37af42f0376},
139 {0xcce4cd3aa968b245, 0x089d5484e80b7faf, 0x638246c1b3548304, 0xd2fe0ec8c2355492, 0xa7fbdf7ff2374eee,
140 0x4df1600c92337a16, 0x84e503ea523b12fb, 0x0790bbfd53ab0c4a, 0x198a780f38f6ea9d, 0x2ab30c8f55ec48cb,
141 0xe0f7fed6b2c49db5, 0xb6ecf3f422cadbdc, 0x409c9a541358df11, 0xd3ce8a56dfde3fe3, 0xc3e9224312c8c1a0,
142 0x0d6dfa58816ba507, 0xddf3e1b179952777, 0x04c02a42748bb1d9, 0x94c2abff9f2decb8, 0x4f91752da8f8acf4,
143 0x78682befb169bf7b, 0xe1c77a48af2ff6c4, 0x0c5d7ec69c80ce76, 0x4cc1e4928fd81167, 0xfeed3d24d9997b62,
144 0x518bb6dfc3a54a23, 0x6dbf2d26151f9b90, 0xb5bc624b05ea664f, 0xe86aaa525acfe21a, 0x4801ced0fb53a0be,
145 0xc91463e6c00868ed, 0x1027a815cd16fe43, 0xf67069a0319204cd, 0xb04ccc976c8abce7, 0xc0b9b3fc35e87c33,
146 0xf380c77c58f2de65, 0x50bb3241de4e2152, 0xdf93f490435ef195, 0xf1e0d25d62390887, 0xaf668bfb1a3c3141,
147 0xbc11b251f00a7291, 0x73a5eed47e427d47, 0x25bee3f6ee4c3b2e, 0x43cc0beb34786282, 0xc824e778dde3039c,
148 0xf97d86d98a327728, 0xf2b043e24519b514, 0xe297ebf7880f4b57, 0x3a94a49a98fab688, 0x868516cb68f0c419,
149 0xeffa11af0964ee50, 0xa4ab4ec0d517f37d, 0xa9c6b498547c567a, 0x8e18424f80fbbbb6, 0x0bcdc53bcf2bc23c,
150 0x137739aaea3643d0, 0x2c1333ec1bac2ff0, 0x8d48d3f0a7db0625, 0x1e1ac3f26b5de6d7, 0xf520f81f16b2b95e,
151 0x9f0f6ec450062e84, 0x0130849e1deb6b71, 0xd45e31ab8c7533a9, 0x652279a2fd14e43f, 0x3209f01e70f1c927,
152 0xbe71a770cac1a473, 0x0e3d6be7a64b1894, 0x7ec8148cff29d840, 0xcb7476c7fac3be0f, 0x72956a4a63a91636,
153 0x37f95ec21991138f, 0x9e3fea5a4ded45f5, 0x7b38ba50964902e8, 0x222e580bbde73764, 0x61e253e0899f55e6,
154 0xfc8d2805e352ad80, 0x35994be3235ac56d, 0x09add01af5e014de, 0x5e8659a6780539c6, 0xb17c48097161d796,
155 0x026015213acbd6e2, 0xd1ae9f77e515e901, 0xb7dc776a3f21b0ad, 0xaba6a1b96eb78098, 0x9bcf4486248d9f5d,
156 0x582666c536455efd, 0xfdbdac9bfeb9c6f1, 0xc47999be4163cdea, 0x765540081722a7ef, 0x3e548ed8ec710751,
157 0x3d041f67cb51bac2, 0x7958af71ac82d40a, 0x36c9da5c047a78fe, 0xed9a048e33af38b2, 0x26ee7249c96c86bd,
158 0x900281bdeba65d61, 0x11172c8bd0fd9532, 0xea0abf73600434f8, 0x42fc8f75299309f3, 0x34a9cf7d3eb1ae1c,
159 0x2b838811480723ba, 0x5ce64c8742ceef24, 0x1adae9b01fd6570e, 0x3c349bf9d6bad1b3, 0x82453c891c7b75c0,
160 0x97923a40b80d512b, 0x4a61dbf1c198765c, 0xb48ce6d518010d3e, 0xcfb45c858e480fd6, 0xd933cbf30d1e96ae,
161 0xd70ea014ab558e3a, 0xc189376228031742, 0x9262949cd16d8b83, 0xeb3a3bed7def5f89, 0x49314a4ee6b8cbcf,
162 0xdcc3652f647e4c06, 0xda635a4c2a3e2b3d, 0x470c21a940f3d35b, 0x315961a157d174b4, 0x6672e81dda3459ac,
163 0x5b76f77a1165e36e, 0x445cb01667d36ec8, 0xc5491d205c88a69b, 0x456c34887a3805b9, 0xffddb9bac4721013,
164 0x99af51a71e4649bf, 0xa15be01cbc7729d5, 0x52db2760e485f7b0, 0x8c78576eba306d54, 0xae560f6507d75a30,
165 0x95f22f6182c687c9, 0x71c5fbf54489aba5, 0xca44f259e728d57e, 0x88b87d2ccebbdc8d, 0xbab18d32be4a15aa,
166 0x8be8ec93e99b611e, 0x17b713e89ebdf209, 0xb31c5d284baa0174, 0xeeca9531148f8521, 0xb8d198138481c348,
167 0x8988f9b2d350b7fc, 0xb9e11c8d996aa839, 0x5a4673e40c8e881f, 0x1687977683569978, 0xbf4123eed72acf02,
168 0x4ea1f1b3b513c785, 0xe767452be16f91ff, 0x7505d1b730021a7c, 0xa59bca5ec8fc980c, 0xad069eda20f7e7a3,
169 0x38f4b1bba231606a, 0x60d2d77e94743e97, 0x9affc0183966f42c, 0x248e6768f3a7505f, 0xcdd449a4b483d934,
170 0x87b59255751baf68, 0x1bea6d2e023d3c7f, 0x6b1f12455b5ffcab, 0x743555292de9710d, 0xd8034f6d10f5fddf,
171 0xc6198c9f7ba81b08, 0xbb8109aca3a17edb, 0xfa2d1766ad12cabb, 0xc729080166437079, 0x9c5fff7b77269317,
172 0x0000000000000000, 0x15d706c9a47624eb, 0x6fdf38072fd44d72, 0x5fb6dd3865ee52b7, 0xa33bf53d86bcff37,
173 0xe657c1b5fc84fa8e, 0xaa962527735cebe9, 0x39c43525bfda0b1b, 0x204e4d2a872ce186, 0x7a083ece8ba26999,
174 0x554b9c9db72efbfa, 0xb22cd9b656416a05, 0x96a2bedea5e63a5a, 0x802529a826b0a322, 0x8115ad363b5bc853,
175 0x8375b81701901eb1, 0x3069e53f4a3a1fc5, 0xbd2136cfede119e0, 0x18bafc91251d81ec, 0x1d4a524d4c7d5b44,
176 0x05f0aedc6960daa8, 0x29e39d3072ccf558, 0x70f57f6b5962c0d4, 0x989fd53903ad22ce, 0xf84d024797d91c59,
177 0x547b1803aac5908b, 0xf0d056c37fd263f6, 0xd56eb535919e58d8, 0x1c7ad6d351963035, 0x2e7326cd2167f912,
178 0xac361a443d1c8cd2, 0x697f076461942a49, 0x4b515f6fdc731d2d, 0x8ad8680df4700a6f, 0x41ac1eca0eb3b460,
179 0x7d988533d80965d3, 0xa8f6300649973d0b, 0x7765c4960ac9cc9e, 0x7ca801adc5e20ea2, 0xdea3700e5eb59ae4,
180 0xa06b6482a19c42a4, 0x6a2f96db46b497da, 0x27def6d7d487edcc, 0x463ca5375d18b82a, 0xa6cb5be1efdc259f,
181 0x53eba3fef96e9cc1, 0xce84d81b93a364a7, 0xf4107c810b59d22f, 0x333974806d1aa256, 0x0f0def79bba073e5,
182 0x231edc95a00c5c15, 0xe437d494c64f2c6c, 0x91320523f64d3610, 0x67426c83c7df32dd, 0x6eefbc99323f2603,
183 0x9d6f7be56acdf866, 0x5916e25b2bae358c, 0x7ff89012e2c2b331, 0x035091bf2720bd93, 0x561b0d22900e4669,
184 0x28d319ae6f279e29, 0x2f43a2533c8c9263, 0xd09e1be9f8fe8270, 0xf740ed3e2c796fbc, 0xdb53ded237d5404c,
185 0x62b2c25faebfe875, 0x0afd41a5d2c0a94d, 0x6412fd3ce0ff8f4e, 0xe3a76f6995e42026, 0x6c8fa9b808f4f0e1,
186 0xc2d9a6dd0f23aad1, 0x8f28c6d19d10d0c7, 0x85d587744fd0798a, 0xa20b71a39b579446, 0x684f83fa7c7f4138,
187 0xe507500adba4471d, 0x3f640a46f19a6c20, 0x1247bd34f7dd28a1, 0x2d23b77206474481, 0x93521002cc86e0f2,
188 0x572b89bc8de52d18, 0xfb1d93f8b0f9a1ca, 0xe95a2ecc4724896b, 0x3ba420048511ddf9, 0xd63e248ab6bee54b,
189 0x5dd6c8195f258455, 0x06a03f634e40673b, 0x1f2a476c76b68da6, 0x217ec9b49ac78af7, 0xecaa80102e4453c3,
190 0x14e78257b99d4f9a},
191 {0x20329b2cc87bba05, 0x4f5eb6f86546a531, 0xd4f44775f751b6b1, 0x8266a47b850dfa8b, 0xbb986aa15a6ca985,
192 0xc979eb08f9ae0f99, 0x2da6f447a2375ea1, 0x1e74275dcd7d8576, 0xbc20180a800bc5f8, 0xb4a2f701b2dc65be,
193 0xe726946f981b6d66, 0x48e6c453bf21c94c, 0x42cad9930f0a4195, 0xefa47b64aacccd20, 0x71180a8960409a42,
194 0x8bb3329bf6a44e0c, 0xd34c35de2d36dacc, 0xa92f5b7cbc23dc96, 0xb31a85aa68bb09c3, 0x13e04836a73161d2,
195 0xb24dfc4129c51d02, 0x8ae44b70b7da5acd, 0xe671ed84d96579a7, 0xa4bb3417d66f3832, 0x4572ab38d56d2de8,
196 0xb1b47761ea47215c, 0xe81c09cf70aba15d, 0xffbdb872ce7f90ac, 0xa8782297fd5dc857, 0x0d946f6b6a4ce4a4,
197 0xe4df1f4f5b995138, 0x9ebc71edca8c5762, 0x0a2c1dc0b02b88d9, 0x3b503c115d9d7b91, 0xc64376a8111ec3a2,
198 0xcec199a323c963e4, 0xdc76a87ec58616f7, 0x09d596e073a9b487, 0x14583a9d7d560daf, 0xf4c6dc593f2a0cb4,
199 0xdd21d19584f80236, 0x4a4836983ddde1d3, 0xe58866a41ae745f9, 0xf591a5b27e541875, 0x891dc05074586693,
200 0x5b068c651810a89e, 0xa30346bc0c08544f, 0x3dbf3751c684032d, 0x2a1e86ec785032dc, 0xf73f5779fca830ea,
201 0xb60c05ca30204d21, 0x0cc316802b32f065, 0x8770241bdd96be69, 0xb861e18199ee95db, 0xf805cad91418fcd1,
202 0x29e70dccbbd20e82, 0xc7140f435060d763, 0x0f3a9da0e8b0cc3b, 0xa2543f574d76408e, 0xbd7761e1c175d139,
203 0x4b1f4f737ca3f512, 0x6dc2df1f2fc137ab, 0xf1d05c3967b14856, 0xa742bf3715ed046c, 0x654030141d1697ed,
204 0x07b872abda676c7d, 0x3ce84eba87fa17ec, 0xc1fb0403cb79afdf, 0x3e46bc7105063f73, 0x278ae987121cd678,
205 0xa1adb4778ef47cd0, 0x26dd906c5362c2b9, 0x05168060589b44e2, 0xfbfc41f9d79ac08f, 0x0e6de44ba9ced8fa,
206 0x9feb08068bf243a3, 0x7b341749d06b129b, 0x229c69e74a87929a, 0xe09ee6c4427c011b, 0x5692e30e725c4c3a,
207 0xda99a33e5e9f6e4b, 0x353dd85af453a36b, 0x25241b4c90e0fee7, 0x5de987258309d022, 0xe230140fc0802984,
208 0x93281e86a0c0b3c6, 0xf229d719a4337408, 0x6f6c2dd4ad3d1f34, 0x8ea5b2fbae3f0aee, 0x8331dd90c473ee4a,
209 0x346aa1b1b52db7aa, 0xdf8f235e06042aa9, 0xcc6f6b68a1354b7b, 0x6c95a6f46ebf236a, 0x52d31a856bb91c19,
210 0x1a35ded6d498d555, 0xf37eaef2e54d60c9, 0x72e181a9a3c2a61c, 0x98537aad51952fde, 0x16f6c856ffaa2530,
211 0xd960281e9d1d5215, 0x3a0745fa1ce36f50, 0x0b7b642bf1559c18, 0x59a87eae9aec8001, 0x5e100c05408bec7c,
212 0x0441f98b19e55023, 0xd70dcc5534d38aef, 0x927f676de1bea707, 0x9769e70db925e3e5, 0x7a636ea29115065a,
213 0x468b201816ef11b6, 0xab81a9b73edff409, 0xc0ac7de88a07bb1e, 0x1f235eb68c0391b7, 0x6056b074458dd30f,
214 0xbe8eeac102f7ed67, 0xcd381283e04b5fba, 0x5cbefecec277c4e3, 0xd21b4c356c48ce0d, 0x1019c31664b35d8c,
215 0x247362a7d19eea26, 0xebe582efb3299d03, 0x02aef2cb82fc289f, 0x86275df09ce8aaa8, 0x28b07427faac1a43,
216 0x38a9b7319e1f47cf, 0xc82e92e3b8d01b58, 0x06ef0b409b1978bc, 0x62f842bfc771fb90, 0x9904034610eb3b1f,
217 0xded85ab5477a3e68, 0x90d195a663428f98, 0x5384636e2ac708d8, 0xcbd719c37b522706, 0xae9729d76644b0eb,
218 0x7c8c65e20a0c7ee6, 0x80c856b007f1d214, 0x8c0b40302cc32271, 0xdbcedad51fe17a8a, 0x740e8ae938dbdea0,
219 0xa615c6dc549310ad, 0x19cc55f6171ae90b, 0x49b1bdb8fe5fdd8d, 0xed0a89af2830e5bf, 0x6a7aadb4f5a65bd6,
220 0x7e22972988f05679, 0xf952b3325566e810, 0x39fecedadf61530e, 0x6101c99f04f3c7ce, 0x2e5f7f6761b562ff,
221 0xf08725d226cf5c97, 0x63af3b54860fef51, 0x8ff2cb10ef411e2f, 0x884ab9bb35267252, 0x4df04433e7ba8dae,
222 0x9afd8866d3690741, 0x66b9bb34de94abb3, 0x9baaf18d92171380, 0x543c11c5f0a064a5, 0x17a1b1bdbed431f1,
223 0xb5f58eeaf3a2717f, 0xc355f6c849858740, 0xec5df044694ef17e, 0xd83751f5dc6346d4, 0xfc4433520dfdacf2,
224 0x0000000000000000, 0x5a51f58e596ebc5f, 0x3285aaf12e34cf16, 0x8d5c39db6dbd36b0, 0x12b731dde64f7513,
225 0x94906c2d7aa7dfbb, 0x302b583aacc8e789, 0x9d45facd090e6b3c, 0x2165e2c78905aec4, 0x68d45f7f775a7349,
226 0x189b2c1d5664fdca, 0xe1c99f2f030215da, 0x6983269436246788, 0x8489af3b1e148237, 0xe94b702431d5b59c,
227 0x33d2d31a6f4adbd7, 0xbfd9932a4389f9a6, 0xb0e30e8aab39359d, 0xd1e2c715afcaf253, 0x150f43763c28196e,
228 0xc4ed846393e2eb3d, 0x03f98b20c3823c5e, 0xfd134ab94c83b833, 0x556b682eb1de7064, 0x36c4537a37d19f35,
229 0x7559f30279a5ca61, 0x799ae58252973a04, 0x9c12832648707ffd, 0x78cd9c6913e92ec5, 0x1d8dac7d0effb928,
230 0x439da0784e745554, 0x413352b3cc887dcb, 0xbacf134a1b12bd44, 0x114ebafd25cd494d, 0x2f08068c20cb763e,
231 0x76a07822ba27f63f, 0xeab2fb04f25789c2, 0xe3676de481fe3d45, 0x1b62a73d95e6c194, 0x641749ff5c68832c,
232 0xa5ec4dfc97112cf3, 0xf6682e92bdd6242b, 0x3f11c59a44782bb2, 0x317c21d1edb6f348, 0xd65ab5be75ad9e2e,
233 0x6b2dd45fb4d84f17, 0xfaab381296e4d44e, 0xd0b5befeeeb4e692, 0x0882ef0b32d7a046, 0x512a91a5a83b2047,
234 0x963e9ee6f85bf724, 0x4e09cf132438b1f0, 0x77f701c9fb59e2fe, 0x7ddb1c094b726a27, 0x5f4775ee01f5f8bd,
235 0x9186ec4d223c9b59, 0xfeeac1998f01846d, 0xac39db1ce4b89874, 0xb75b7c21715e59e0, 0xafc0503c273aa42a,
236 0x6e3b543fec430bf5, 0x704f7362213e8e83, 0x58ff0745db9294c0, 0x67eec2df9feabf72, 0xa0facd9ccf8a6811,
237 0xb936986ad890811a, 0x95c715c63bd9cb7a, 0xca8060283a2c33c7, 0x507de84ee9453486, 0x85ded6d05f6a96f6,
238 0x1cdad5964f81ade9, 0xd5a33e9eb62fa270, 0x40642b588df6690a, 0x7f75eec2c98e42b8, 0x2cf18dace3494a60,
239 0x23cb100c0bf9865b, 0xeef3028febb2d9e1, 0x4425d2d394133929, 0xaad6d05c7fa1e0c8, 0xad6ea2f7a5c68cb5,
240 0xc2028f2308fb9381, 0x819f2f5b468fc6d5, 0xc5bafd88d29cfffc, 0x47dc59f357910577, 0x2b49ff07392e261d,
241 0x57c59ae5332258fb, 0x73b6f842e2bcb2dd, 0xcf96e04862b77725, 0x4ca73dd8a6c4996f, 0x015779eb417e14c1,
242 0x37932a9176af8bf4},
243 {0x190a2c9b249df23e, 0x2f62f8b62263e1e9, 0x7a7f754740993655, 0x330b7ba4d5564d9f, 0x4c17a16a46672582,
244 0xb22f08eb7d05f5b8, 0x535f47f40bc148cc, 0x3aec5d27d4883037, 0x10ed0a1825438f96, 0x516101f72c233d17,
245 0x13cc6f949fd04eae, 0x739853c441474bfd, 0x653793d90d3f5b1b, 0x5240647b96b0fc2f, 0x0c84890ad27623e0,
246 0xd7189b32703aaea3, 0x2685de3523bd9c41, 0x99317c5b11bffefa, 0x0d9baa854f079703, 0x70b93648fbd48ac5,
247 0xa80441fce30bc6be, 0x7287704bdc36ff1e, 0xb65384ed33dc1f13, 0xd36417343ee34408, 0x39cd38ab6e1bf10f,
248 0x5ab861770a1f3564, 0x0ebacf09f594563b, 0xd04572b884708530, 0x3cae9722bdb3af47, 0x4a556b6f2f5cbaf2,
249 0xe1704f1f76c4bd74, 0x5ec4ed7144c6dfcf, 0x16afc01d4c7810e6, 0x283f113cd629ca7a, 0xaf59a8761741ed2d,
250 0xeed5a3991e215fac, 0x3bf37ea849f984d4, 0xe413e096a56ce33c, 0x2c439d3a98f020d1, 0x637559dc6404c46b,
251 0x9e6c95d1e5f5d569, 0x24bb9836045fe99a, 0x44efa466dac8ecc9, 0xc6eab2a5c80895d6, 0x803b50c035220cc4,
252 0x0321658cba93c138, 0x8f9ebc465dc7ee1c, 0xd15a5137190131d3, 0x0fa5ec8668e5e2d8, 0x91c979578d1037b1,
253 0x0642ca05693b9f70, 0xefca80168350eb4f, 0x38d21b24f36a45ec, 0xbeab81e1af73d658, 0x8cbfd9cae7542f24,
254 0xfd19cc0d81f11102, 0x0ac6430fbb4dbc90, 0x1d76a09d6a441895, 0x2a01573ff1cbbfa1, 0xb572e161894fde2b,
255 0x8124734fa853b827, 0x614b1fdf43e6b1b0, 0x68ac395c4238cc18, 0x21d837bfd7f7b7d2, 0x20c714304a860331,
256 0x5cfaab726324aa14, 0x74c5ba4eb50d606e, 0xf3a3030474654739, 0x23e671bcf015c209, 0x45f087e947b9582a,
257 0xd8bd77b418df4c7b, 0xe06f6c90ebb50997, 0x0bd96080263c0873, 0x7e03f9410e40dcfe, 0xb8e94be4c6484928,
258 0xfb5b0608e8ca8e72, 0x1a2b49179e0e3306, 0x4e29e76961855059, 0x4f36c4e6fcf4e4ba, 0x49740ee395cf7bca,
259 0xc2963ea386d17f7d, 0x90d65ad810618352, 0x12d34c1b02a1fa4d, 0xfa44258775bb3a91, 0x18150f14b9ec46dd,
260 0x1491861e6b9a653d, 0x9a1019d7ab2c3fc2, 0x3668d42d06fe13d7, 0xdcc1fbb25606a6d0, 0x969490dd795a1c22,
261 0x3549b1a1bc6dd2ef, 0xc94f5e23a0ed770e, 0xb9f6686b5b39fdcb, 0xc4d4f4a6efeae00d, 0xe732851a1fff2204,
262 0x94aad6de5eb869f9, 0x3f8ff2ae07206e7f, 0xfe38a9813b62d03a, 0xa7a1ad7a8bee2466, 0x7b6056c8dde882b6,
263 0x302a1e286fc58ca7, 0x8da0fa457a259bc7, 0xb3302b64e074415b, 0x5402ae7eff8b635f, 0x08f8050c9cafc94b,
264 0xae468bf98a3059ce, 0x88c355cca98dc58f, 0xb10e6d67c7963480, 0xbad70de7e1aa3cf3, 0xbfb4a26e320262bb,
265 0xcb711820870f02d5, 0xce12b7a954a75c9d, 0x563ce87dd8691684, 0x9f73b65e7884618a, 0x2b1e74b06cba0b42,
266 0x47cec1ea605b2df1, 0x1c698312f735ac76, 0x5fdbcefed9b76b2c, 0x831a354c8fb1cdfc, 0x820516c312c0791f,
267 0xb74ca762aeadabf0, 0xfc06ef821c80a5e1, 0x5723cbf24518a267, 0x9d4df05d5f661451, 0x588627742dfd40bf,
268 0xda8331b73f3d39a0, 0x17b0e392d109a405, 0xf965400bcf28fba9, 0x7c3dbf4229a2a925, 0x023e460327e275db,
269 0x6cd0b55a0ce126b3, 0xe62da695828e96e7, 0x42ad6e63b3f373b9, 0xe50cc319381d57df, 0xc5cbd729729b54ee,
270 0x46d1e265fd2a9912, 0x6428b056904eeff8, 0x8be23040131e04b7, 0x6709d5da2add2ec0, 0x075de98af44a2b93,
271 0x8447dcc67bfbe66f, 0x6616f655b7ac9a23, 0xd607b8bded4b1a40, 0x0563af89d3a85e48, 0x3db1b4ad20c21ba4,
272 0x11f22997b8323b75, 0x292032b34b587e99, 0x7f1cdace9331681d, 0x8e819fc9c0b65aff, 0xa1e3677fe2d5bb16,
273 0xcd33d225ee349da5, 0xd9a2543b85aef898, 0x795e10cbfa0af76d, 0x25a4bbb9992e5d79, 0x78413344677b438e,
274 0xf0826688cef68601, 0xd27b34bba392f0eb, 0x551d8df162fad7bc, 0x1e57c511d0d7d9ad, 0xdeffbdb171e4d30b,
275 0xf4feea8e802f6caa, 0xa480c8f6317de55e, 0xa0fc44f07fa40ff5, 0x95b5f551c3c9dd1a, 0x22f952336d6476ea,
276 0x0000000000000000, 0xa6be8ef5169f9085, 0xcc2cf1aa73452946, 0x2e7ddb39bf12550a, 0xd526dd3157d8db78,
277 0x486b2d6c08becf29, 0x9b0f3a58365d8b21, 0xac78cdfaadd22c15, 0xbc95c7e28891a383, 0x6a927f5f65dab9c3,
278 0xc3891d2c1ba0cb9e, 0xeaa92f9f50f8b507, 0xcf0d9426c9d6e87e, 0xca6e3baf1a7eb636, 0xab25247059980786,
279 0x69b31ad3df4978fb, 0xe2512a93cc577c4c, 0xff278a0ea61364d9, 0x71a615c766a53e26, 0x89dc764334fc716c,
280 0xf87a638452594f4a, 0xf2bc208be914f3da, 0x8766b94ac1682757, 0xbbc82e687cdb8810, 0x626a7a53f9757088,
281 0xa2c202f358467a2e, 0x4d0882e5db169161, 0x09e7268301de7da8, 0xe897699c771ac0dc, 0xc8507dac3d9cc3ed,
282 0xc0a878a0a1330aa6, 0x978bb352e42ba8c1, 0xe9884a13ea6b743f, 0x279afdbabecc28a2, 0x047c8c064ed9eaab,
283 0x507e2278b15289f4, 0x599904fbb08cf45c, 0xbd8ae46d15e01760, 0x31353da7f2b43844, 0x8558ff49e68a528c,
284 0x76fbfc4d92ef15b5, 0x3456922e211c660c, 0x86799ac55c1993b4, 0x3e90d1219a51da9c, 0x2d5cbeb505819432,
285 0x982e5fd48cce4a19, 0xdb9c1238a24c8d43, 0xd439febecaa96f9b, 0x418c0bef0960b281, 0x158ea591f6ebd1de,
286 0x1f48e69e4da66d4e, 0x8afd13cf8e6fb054, 0xf5e1c9011d5ed849, 0xe34e091c5126c8af, 0xad67ee7530a398f6,
287 0x43b24dec2e82c75a, 0x75da99c1287cd48d, 0x92e81cdb3783f689, 0xa3dd217cc537cecd, 0x60543c50de970553,
288 0x93f73f54aaf2426a, 0xa91b62737e7a725d, 0xf19d4507538732e2, 0x77e4dfc20f9ea156, 0x7d229ccdb4d31dc6,
289 0x1b346a98037f87e5, 0xedf4c615a4b29e94, 0x4093286094110662, 0xb0114ee85ae78063, 0x6ff1d0d6b672e78b,
290 0x6dcf96d591909250, 0xdfe09e3eec9567e8, 0x3214582b4827f97c, 0xb46dc2ee143e6ac8, 0xf6c0ac8da7cd1971,
291 0xebb60c10cd8901e4, 0xf7df8f023abcad92, 0x9c52d3d2c217a0b2, 0x6b8d5cd0f8ab0d20, 0x3777f7a29b8fa734,
292 0x011f238f9d71b4e3, 0xc1b75b2f3c42be45, 0x5de588fdfe551ef7, 0x6eeef3592b035368, 0xaa3a07ffc4e9b365,
293 0xecebe59a39c32a77, 0x5ba742f8976e8187, 0x4b4a48e0b22d0e11, 0xddded83dcb771233, 0xa59feb79ac0c51bd,
294 0xc7f5912a55792135},
295 {0x6d6ae04668a9b08a, 0x3ab3f04b0be8c743, 0xe51e166b54b3c908, 0xbe90a9eb35c2f139, 0xb2c7066637f2bec1,
296 0xaa6945613392202c, 0x9a28c36f3b5201eb, 0xddce5a93ab536994, 0x0e34133ef6382827, 0x52a02ba1ec55048b,
297 0xa2f88f97c4b2a177, 0x8640e513ca2251a5, 0xcdf1d36258137622, 0xfe6cb708dedf8ddb, 0x8a174a9ec8121e5d,
298 0x679896036b81560e, 0x59ed033395795fee, 0x1dd778ab8b74edaf, 0xee533ef92d9f926d, 0x2a8c79baf8a8d8f5,
299 0x6bcf398e69b119f6, 0xe20491742fafdd95, 0x276488e0809c2aec, 0xea955b82d88f5cce, 0x7102c63a99d9e0c4,
300 0xf9763017a5c39946, 0x429fa2501f151b3d, 0x4659c72bea05d59e, 0x984b7fdccf5a6634, 0xf742232953fbb161,
301 0x3041860e08c021c7, 0x747bfd9616cd9386, 0x4bb1367192312787, 0x1b72a1638a6c44d3, 0x4a0e68a6e8359a66,
302 0x169a5039f258b6ca, 0xb98a2ef44edee5a4, 0xd9083fe85e43a737, 0x967f6ce239624e13, 0x8874f62d3c1a7982,
303 0x3c1629830af06e3f, 0x9165ebfd427e5a8e, 0xb5dd81794ceeaa5c, 0x0de8f15a7834f219, 0x70bd98ede3dd5d25,
304 0xaccc9ca9328a8950, 0x56664eda1945ca28, 0x221db34c0f8859ae, 0x26dbd637fa98970d, 0x1acdffb4f068f932,
305 0x4585254f64090fa0, 0x72de245e17d53afa, 0x1546b25d7c546cf4, 0x207e0ffffb803e71, 0xfaaad2732bcf4378,
306 0xb462dfae36ea17bd, 0xcf926fd1ac1b11fd, 0xe0672dc7dba7ba4a, 0xd3fa49ad5d6b41b3, 0x8ba81449b216a3bc,
307 0x14f9ec8a0650d115, 0x40fc1ee3eb1d7ce2, 0x23a2ed9b758ce44f, 0x782c521b14fddc7e, 0x1c68267cf170504e,
308 0xbcf31558c1ca96e6, 0xa781b43b4ba6d235, 0xf6fd7dfe29ff0c80, 0xb0a4bad5c3fad91e, 0xd199f51ea963266c,
309 0x414340349119c103, 0x5405f269ed4dadf7, 0xabd61bb649969dcd, 0x6813dbeae7bdc3c8, 0x65fb2ab09f8931d1,
310 0xf1e7fae152e3181d, 0xc1a67cef5a2339da, 0x7a4feea8e0f5bba1, 0x1e0b9acf05783791, 0x5b8ebf8061713831,
311 0x80e53cdbcb3af8d9, 0x7e898bd315e57502, 0xc6bcfbf0213f2d47, 0x95a38e86b76e942d, 0x092e94218d243cba,
312 0x8339debf453622e7, 0xb11be402b9fe64ff, 0x57d9100d634177c9, 0xcc4e8db52217cbc3, 0x3b0cae9c71ec7aa2,
313 0xfb158ca451cbfe99, 0x2b33276d82ac6514, 0x01bf5ed77a04bde1, 0xc5601994af33f779, 0x75c4a3416cc92e67,
314 0xf3844652a6eb7fc2, 0x3487e375fdd0ef64, 0x18ae430704609eed, 0x4d14efb993298efb, 0x815a620cb13e4538,
315 0x125c354207487869, 0x9eeea614ce42cf48, 0xce2d3106d61fac1c, 0xbbe99247bad6827b, 0x071a871f7b1c149d,
316 0x2e4a1cc10db81656, 0x77a71ff298c149b8, 0x06a5d9c80118a97c, 0xad73c27e488e34b1, 0x443a7b981e0db241,
317 0xe3bbcfa355ab6074, 0x0af276450328e684, 0x73617a896dd1871b, 0x58525de4ef7de20f, 0xb7be3dcab8e6cd83,
318 0x19111dd07e64230c, 0x842359a03e2a367a, 0x103f89f1f3401fb6, 0xdc710444d157d475, 0xb835702334da5845,
319 0x4320fc876511a6dc, 0xd026abc9d3679b8d, 0x17250eee885c0b2b, 0x90dab52a387ae76f, 0x31fed8d972c49c26,
320 0x89cba8fa461ec463, 0x2ff5421677bcabb7, 0x396f122f85e41d7d, 0xa09b332430bac6a8, 0xc888e8ced7070560,
321 0xaeaf201ac682ee8f, 0x1180d7268944a257, 0xf058a43628e7a5fc, 0xbd4c4b8fbbce2b07, 0xa1246df34abe7b49,
322 0x7d5569b79be9af3c, 0xa9b5a705bd9efa12, 0xdb6b835baa4bc0e8, 0x05793bac8f147342, 0x21c1512881848390,
323 0xfdb0556c50d357e5, 0x613d4fcb6a99ff72, 0x03dce2648e0cda3e, 0xe949b9e6568386f0, 0xfc0f0bbb2ad7ea04,
324 0x6a70675913b5a417, 0x7f36d5046fe1c8e3, 0x0c57af8d02304ff8, 0x32223abdfcc84618, 0x0891caf6f720815b,
325 0xa63eeaec31a26fd4, 0x2507345374944d33, 0x49d28ac266394058, 0xf5219f9aa7f3d6be, 0x2d96fea583b4cc68,
326 0x5a31e1571b7585d0, 0x8ed12fe53d02d0fe, 0xdfade6205f5b0e4b, 0x4cabb16ee92d331a, 0x04c6657bf510cea3,
327 0xd73c2cd6a87b8f10, 0xe1d87310a1a307ab, 0x6cd5be9112ad0d6b, 0x97c032354366f3f2, 0xd4e0ceb22677552e,
328 0x0000000000000000, 0x29509bde76a402cb, 0xc27a9e8bd42fe3e4, 0x5ef7842cee654b73, 0xaf107ecdbc86536e,
329 0x3fcacbe784fcb401, 0xd55f90655c73e8cf, 0xe6c2f40fdabf1336, 0xe8f6e7312c873b11, 0xeb2a0555a28be12f,
330 0xe4a148bc2eb774e9, 0x9b979db84156bc0a, 0x6eb60222e6a56ab4, 0x87ffbbc4b026ec44, 0xc703a5275b3b90a6,
331 0x47e699fc9001687f, 0x9c8d1aa73a4aa897, 0x7cea3760e1ed12dd, 0x4ec80ddd1d2554c5, 0x13e36b957d4cc588,
332 0x5d2b66486069914d, 0x92b90999cc7280b0, 0x517cc9c56259deb5, 0xc937b619ad03b881, 0xec30824ad997f5b2,
333 0xa45d565fc5aa080b, 0xd6837201d27f32f1, 0x635ef3789e9198ad, 0x531f75769651b96a, 0x4f77530a6721e924,
334 0x486dd4151c3dfdb9, 0x5f48dafb9461f692, 0x375b011173dc355a, 0x3da9775470f4d3de, 0x8d0dcd81b30e0ac0,
335 0x36e45fc609d888bb, 0x55baacbe97491016, 0x8cb29356c90ab721, 0x76184125e2c5f459, 0x99f4210bb55edbd5,
336 0x6f095cf59ca1d755, 0x9f51f8c3b44672a9, 0x3538bda287d45285, 0x50c39712185d6354, 0xf23b1885dcefc223,
337 0x79930ccc6ef9619f, 0xed8fdc9da3934853, 0xcb540aaa590bdf5e, 0x5c94389f1a6d2cac, 0xe77daad8a0bbaed7,
338 0x28efc5090ca0bf2a, 0xbf2ff73c4fc64cd8, 0xb37858b14df60320, 0xf8c96ec0dfc724a7, 0x828680683f329f06,
339 0x941cd051cd6a29cc, 0xc3c5c05cae2b5e05, 0xb601631dc2e27062, 0xc01922382027843b, 0x24b86a840e90f0d2,
340 0xd245177a276ffc52, 0x0f8b4de98c3c95c6, 0x3e759530fef809e0, 0x0b4d2892792c5b65, 0xc4df4743d5374a98,
341 0xa5e20888bfaeb5ea, 0xba56cc90c0d23f9a, 0x38d04cf8ffe0a09c, 0x62e1adafe495254c, 0x0263bcb3f40867df,
342 0xcaeb547d230f62bf, 0x6082111c109d4293, 0xdad4dd8cd04f7d09, 0xefec602e579b2f8c, 0x1fb4c4187f7c8a70,
343 0xffd3e9dfa4db303a, 0x7bf0b07f9af10640, 0xf49ec14dddf76b5f, 0x8f6e713247066d1f, 0x339d646a86ccfbf9,
344 0x64447467e58d8c30, 0x2c29a072f9b07189, 0xd8b7613f24471ad6, 0x6627c8d41185ebef, 0xa347d140beb61c96,
345 0xde12b8f7255fb3aa, 0x9d324470404e1576, 0x9306574eb6763d51, 0xa80af9d2c79a47f3, 0x859c0777442e8b9b,
346 0x69ac853d9db97e29},
347 {0xc3407dfc2de6377e, 0x5b9e93eea4256f77, 0xadb58fdd50c845e0, 0x5219ff11a75bed86, 0x356b61cfd90b1de9,
348 0xfb8f406e25abe037, 0x7a5a0231c0f60796, 0x9d3cd216e1f5020b, 0x0c6550fb6b48d8f3, 0xf57508c427ff1c62,
349 0x4ad35ffa71cb407d, 0x6290a2da1666aa6d, 0xe284ec2349355f9f, 0xb3c307c53d7c84ec, 0x05e23c0468365a02,
350 0x190bac4d6c9ebfa8, 0x94bbbee9e28b80fa, 0xa34fc777529cb9b5, 0xcc7b39f095bcd978, 0x2426addb0ce532e3,
351 0x7e79329312ce4fc7, 0xab09a72eebec2917, 0xf8d15499f6b9d6c2, 0x1a55b8babf8c895d, 0xdb8add17fb769a85,
352 0xb57f2f368658e81b, 0x8acd36f18f3f41f6, 0x5ce3b7bba50f11d3, 0x114dcc14d5ee2f0a, 0xb91a7fcded1030e8,
353 0x81d5425fe55de7a1, 0xb6213bc1554adeee, 0x80144ef95f53f5f2, 0x1e7688186db4c10c, 0x3b912965db5fe1bc,
354 0xc281715a97e8252d, 0x54a5d7e21c7f8171, 0x4b12535ccbc5522e, 0x1d289cefbea6f7f9, 0x6ef5f2217d2e729e,
355 0xe6a7dc819b0d17ce, 0x1b94b41c05829b0e, 0x33d7493c622f711e, 0xdcf7f942fa5ce421, 0x600fba8b7f7a8ecb,
356 0x46b60f011a83988e, 0x235b898e0dcf4c47, 0x957ab24f588592a9, 0x4354330572b5c28c, 0xa5f3ef84e9b8d542,
357 0x8c711e02341b2d01, 0x0b1874ae6a62a657, 0x1213d8e306fc19ff, 0xfe6d7c6a4d9dba35, 0x65ed868f174cd4c9,
358 0x88522ea0e6236550, 0x899322065c2d7703, 0xc01e690bfef4018b, 0x915982ed8abddaf8, 0xbe675b98ec3a4e4c,
359 0xa996bf7f82f00db1, 0xe1daf8d49a27696a, 0x2effd5d3dc8986e7, 0xd153a51f2b1a2e81, 0x18caa0ebd690adfb,
360 0x390e3134b243c51a, 0x2778b92cdff70416, 0x029f1851691c24a6, 0x5e7cafeacc133575, 0xfa4e4cc89fa5f264,
361 0x5a5f9f481e2b7d24, 0x484c47ab18d764db, 0x400a27f2a1a7f479, 0xaeeb9b2a83da7315, 0x721c626879869734,
362 0x042330a2d2384851, 0x85f672fd3765aff0, 0xba446b3a3e02061d, 0x73dd6ecec3888567, 0xffac70ccf793a866,
363 0xdfa9edb5294ed2d4, 0x6c6aea7014325638, 0x834a5a0e8c41c307, 0xcdba35562fb2cb2b, 0x0ad97808d06cb404,
364 0x0f3b440cb85aee06, 0xe5f9c876481f213b, 0x98deee1289c35809, 0x59018bbfcd394bd1, 0xe01bf47220297b39,
365 0xde68e1139340c087, 0x9fa3ca4788e926ad, 0xbb85679c840c144e, 0x53d8f3b71d55ffd5, 0x0da45c5dd146caa0,
366 0x6f34fe87c72060cd, 0x57fbc315cf6db784, 0xcee421a1fca0fdde, 0x3d2d0196607b8d4b, 0x642c8a29ad42c69a,
367 0x14aff010bdd87508, 0xac74837beac657b3, 0x3216459ad821634d, 0x3fb219c70967a9ed, 0x06bc28f3bb246cf7,
368 0xf2082c9126d562c6, 0x66b39278c45ee23c, 0xbd394f6f3f2878b9, 0xfd33689d9e8f8cc0, 0x37f4799eb017394f,
369 0x108cc0b26fe03d59, 0xda4bd1b1417888d6, 0xb09d1332ee6eb219, 0x2f3ed975668794b4, 0x58c0871977375982,
370 0x7561463d78ace990, 0x09876cff037e82f1, 0x7fb83e35a8c05d94, 0x26b9b58a65f91645, 0xef20b07e9873953f,
371 0x3148516d0b3355b8, 0x41cb2b541ba9e62a, 0x790416c613e43163, 0xa011d380818e8f40, 0x3a5025c36151f3ef,
372 0xd57095bdf92266d0, 0x498d4b0da2d97688, 0x8b0c3a57353153a5, 0x21c491df64d368e1, 0x8f2f0af5e7091bf4,
373 0x2da1c1240f9bb012, 0xc43d59a92ccc49da, 0xbfa6573e56345c1f, 0x828b56a8364fd154, 0x9a41f643e0df7caf,
374 0xbcf843c985266aea, 0x2b1de9d7b4bfdce5, 0x20059d79dedd7ab2, 0x6dabe6d6ae3c446b, 0x45e81bf6c991ae7b,
375 0x6351ae7cac68b83e, 0xa432e32253b6c711, 0xd092a9b991143cd2, 0xcac711032e98b58f, 0xd8d4c9e02864ac70,
376 0xc5fc550f96c25b89, 0xd7ef8dec903e4276, 0x67729ede7e50f06f, 0xeac28c7af045cf3d, 0xb15c1f945460a04a,
377 0x9cfddeb05bfb1058, 0x93c69abce3a1fe5e, 0xeb0380dc4a4bdd6e, 0xd20db1e8f8081874, 0x229a8528b7c15e14,
378 0x44291750739fbc28, 0xd3ccbd4e42060a27, 0xf62b1c33f4ed2a97, 0x86a8660ae4779905, 0xd62e814a2a305025,
379 0x477703a7a08d8add, 0x7b9b0e977af815c5, 0x78c51a60a9ea2330, 0xa6adfb733aaae3b7, 0x97e5aa1e3199b60f,
380 0x0000000000000000, 0xf4b404629df10e31, 0x5564db44a6719322, 0x9207961a59afec0d, 0x9624a6b88b97a45c,
381 0x363575380a192b1c, 0x2c60cd82b595a241, 0x7d272664c1dc7932, 0x7142769faa94a1c1, 0xa1d0df263b809d13,
382 0x1630e841d4c451ae, 0xc1df65ad44fa13d8, 0x13d2d445bcf20bac, 0xd915c546926abe23, 0x38cf3d92084dd749,
383 0xe766d0272103059d, 0xc7634d5effde7f2f, 0x077d2455012a7ea4, 0xedbfa82ff16fb199, 0xaf2a978c39d46146,
384 0x42953fa3c8bbd0df, 0xcb061da59496a7dc, 0x25e7a17db6eb20b0, 0x34aa6d6963050fba, 0xa76cf7d580a4f1e4,
385 0xf7ea10954ee338c4, 0xfcf2643b24819e93, 0xcf252d0746aeef8d, 0x4ef06f58a3f3082c, 0x563acfb37563a5d7,
386 0x5086e740ce47c920, 0x2982f186dda3f843, 0x87696aac5e798b56, 0x5d22bb1d1f010380, 0x035e14f7d31236f5,
387 0x3cec0d30da759f18, 0xf3c920379cdb7095, 0xb8db736b571e22bb, 0xdd36f5e44052f672, 0xaac8ab8851e23b44,
388 0xa857b3d938fe1fe2, 0x17f1e4e76eca43fd, 0xec7ea4894b61a3ca, 0x9e62c6e132e734fe, 0xd4b1991b432c7483,
389 0x6ad6c283af163acf, 0x1ce9904904a8e5aa, 0x5fbda34c761d2726, 0xf910583f4cb7c491, 0xc6a241f845d06d7c,
390 0x4f3163fe19fd1a7f, 0xe99c988d2357f9c8, 0x8eee06535d0709a7, 0x0efa48aa0254fc55, 0xb4be23903c56fa48,
391 0x763f52caabbedf65, 0xeee1bcd8227d876c, 0xe345e085f33b4dcc, 0x3e731561b369bbbe, 0x2843fd2067adea10,
392 0x2adce5710eb1ceb6, 0xb7e03767ef44ccbd, 0x8db012a48e153f52, 0x61ceb62dc5749c98, 0xe85d942b9959eb9b,
393 0x4c6f7709caef2c8a, 0x84377e5b8d6bbda3, 0x30895dcbb13d47eb, 0x74a04a9bc2a2fbc3, 0x6b17ce251518289c,
394 0xe438c4d0f2113368, 0x1fb784bed7bad35f, 0x9b80fae55ad16efc, 0x77fe5e6c11b0cd36, 0xc858095247849129,
395 0x08466059b97090a2, 0x01c10ca6ba0e1253, 0x6988d6747c040c3a, 0x6849dad2c60a1e69, 0x5147ebe67449db73,
396 0xc99905f4fd8a837a, 0x991fe2b433cd4a5a, 0xf09734c04fc94660, 0xa28ecbd1e892abe6, 0xf1563866f5c75433,
397 0x4dae7baf70e13ed9, 0x7ce62ac27bd26b61, 0x70837a39109ab392, 0x90988e4b30b3c8ab, 0xb2020b63877296bf,
398 0x156efcb607d6675b},
399 {0xe63f55ce97c331d0, 0x25b506b0015bba16, 0xc8706e29e6ad9ba8, 0x5b43d3775d521f6a, 0x0bfa3d577035106e,
400 0xab95fc172afb0e66, 0xf64b63979e7a3276, 0xf58b4562649dad4b, 0x48f7c3dbae0c83f1, 0xff31916642f5c8c5,
401 0xcbb048dc1c4a0495, 0x66b8f83cdf622989, 0x35c130e908e2b9b0, 0x7c761a61f0b34fa1, 0x3601161cf205268d,
402 0x9e54ccfe2219b7d6, 0x8b7d90a538940837, 0x9cd403588ea35d0b, 0xbc3c6fea9ccc5b5a, 0xe5ff733b6d24aeed,
403 0xceed22de0f7eb8d2, 0xec8581cab1ab545e, 0xb96105e88ff8e71d, 0x8ca03501871a5ead, 0x76ccce65d6db2a2f,
404 0x5883f582a7b58057, 0x3f7be4ed2e8adc3e, 0x0fe7be06355cd9c9, 0xee054e6c1d11be83, 0x1074365909b903a6,
405 0x5dde9f80b4813c10, 0x4a770c7d02b6692c, 0x5379c8d5d7809039, 0xb4067448161ed409, 0x5f5e5026183bd6cd,
406 0xe898029bf4c29df9, 0x7fb63c940a54d09c, 0xc5171f897f4ba8bc, 0xa6f28db7b31d3d72, 0x2e4f3be7716eaa78,
407 0x0d6771a099e63314, 0x82076254e41bf284, 0x2f0fd2b42733df98, 0x5c9e76d3e2dc49f0, 0x7aeb569619606cdb,
408 0x83478b07b2468764, 0xcfadcb8d5923cd32, 0x85dac7f05b95a41e, 0xb5469d1b4043a1e9, 0xb821ecbbd9a592fd,
409 0x1b8e0b0e798c13c8, 0x62a57b6d9a0be02e, 0xfcf1b793b81257f8, 0x9d94ea0bd8fe28eb, 0x4cea408aeb654a56,
410 0x23284a47e888996c, 0x2d8f1d128b893545, 0xf4cbac3132c0d8ab, 0xbd7c86b9ca912eba, 0x3a268eef3dbe6079,
411 0xf0d62f6077a9110c, 0x2735c916ade150cb, 0x89fd5f03942ee2ea, 0x1acee25d2fd16628, 0x90f39bab41181bff,
412 0x430dfe8cde39939f, 0xf70b8ac4c8274796, 0x1c53aeaac6024552, 0x13b410acf35e9c9b, 0xa532ab4249faa24f,
413 0x2b1251e5625a163f, 0xd7e3e676da4841c7, 0xa7b264e4e5404892, 0xda8497d643ae72d3, 0x861ae105a1723b23,
414 0x38a6414991048aa4, 0x6578dec92585b6b4, 0x0280cfa6acbaeadd, 0x88bdb650c273970a, 0x9333bd5ebbff84c2,
415 0x4e6a8f2c47dfa08b, 0x321c954db76cef2a, 0x418d312a72837942, 0xb29b38bfffcdf773, 0x6c022c38f90a4c07,
416 0x5a033a240b0f6a8a, 0x1f93885f3ce5da6f, 0xc38a537e96988bc6, 0x39e6a81ac759ff44, 0x29929e43cee0fce2,
417 0x40cdd87924de0ca2, 0xe9d8ebc8a29fe819, 0x0c2798f3cfbb46f4, 0x55e484223e53b343, 0x4650948ecd0d2fd8,
418 0x20e86cb2126f0651, 0x6d42c56baf5739e7, 0xa06fc1405ace1e08, 0x7babbfc54f3d193b, 0x424d17df8864e67f,
419 0xd8045870ef14980e, 0xc6d7397c85ac3781, 0x21a885e1443273b1, 0x67f8116f893f5c69, 0x24f5efe35706cff6,
420 0xd56329d076f2ab1a, 0x5e1eb9754e66a32d, 0x28d2771098bd8902, 0x8f6013f47dfdc190, 0x17a993fdb637553c,
421 0xe0a219397e1012aa, 0x786b9930b5da8606, 0x6e82e39e55b0a6da, 0x875a0856f72f4ec3, 0x3741ff4fa458536d,
422 0xac4859b3957558fc, 0x7ef6d5c75c09a57c, 0xc04a758b6c7f14fb, 0xf9acdd91ab26ebbf, 0x7391a467c5ef9668,
423 0x335c7c1ee1319aca, 0xa91533b18641e4bb, 0xe4bf9a683b79db0d, 0x8e20faa72ba0b470, 0x51f907737b3a7ae4,
424 0x2268a314bed5ec8c, 0xd944b123b949edee, 0x31dcb3b84d8b7017, 0xd3fe65279f218860, 0x097af2f1dc8ffab3,
425 0x9b09a6fc312d0b91, 0xcc6ded78a3c4520f, 0x3481d9ba5ebfcc50, 0x4f2a667f1182d56b, 0xdfd9fdd4509ace94,
426 0x26752045fbbc252b, 0xbffc491f662bc467, 0xdd593272fc202449, 0x3cbbc218d46d4303, 0x91b372f817456e1f,
427 0x681faf69bc6385a0, 0xb686bbeebaa43ed4, 0x1469b5084cd0ca01, 0x98c98009cbca94ac, 0x6438379a73d8c354,
428 0xc2caba2dc0c5fe26, 0x3e3b0dbe78d7a9de, 0x50b9ee202d670f04, 0x4590b27b37eab0e5, 0x6025b4cb36b10af3,
429 0xfb2c1237079c0162, 0xa12f28130c936be8, 0x4b37e52e54eb1ccc, 0x083a1ba28ad28f53, 0xc10a9cd83a22611b,
430 0x9f1425ad7444c236, 0x069d4cf7e9d3237a, 0xedc56899e7f621be, 0x778c273680865fcf, 0x309c5aeb1bd605f7,
431 0x8de0dc52d1472b4d, 0xf8ec34c2fd7b9e5f, 0xea18cd3d58787724, 0xaad515447ca67b86, 0x9989695a9d97e14c,
432 0x0000000000000000, 0xf196c63321f464ec, 0x71116bc169557cb5, 0xaf887f466f92c7c1, 0x972e3e0ffe964d65,
433 0x190ec4a8d536f915, 0x95aef1a9522ca7b8, 0xdc19db21aa7d51a9, 0x94ee18fa0471d258, 0x8087adf248a11859,
434 0xc457f6da2916dd5c, 0xfa6cfb6451c17482, 0xf256e0c6db13fbd1, 0x6a9f60cf10d96f7d, 0x4daaa9d9bd383fb6,
435 0x03c026f5fae79f3d, 0xde99148706c7bb74, 0x2a52b8b6340763df, 0x6fc20acd03edd33a, 0xd423c08320afdefa,
436 0xbbe1ca4e23420dc0, 0x966ed75ca8cb3885, 0xeb58246e0e2502c4, 0x055d6a021334bc47, 0xa47242111fa7d7af,
437 0xe3623fcc84f78d97, 0x81c744a11efc6db9, 0xaec8961539cfb221, 0xf31609958d4e8e31, 0x63e5923ecc5695ce,
438 0x47107ddd9b505a38, 0xa3afe7b5a0298135, 0x792b7063e387f3e6, 0x0140e953565d75e0, 0x12f4f9ffa503e97b,
439 0x750ce8902c3cb512, 0xdbc47e8515f30733, 0x1ed3610c6ab8af8f, 0x5239218681dde5d9, 0xe222d69fd2aaf877,
440 0xfe71783514a8bd25, 0xcaf0a18f4a177175, 0x61655d9860ec7f13, 0xe77fbc9dc19e4430, 0x2ccff441ddd440a5,
441 0x16e97aaee06a20dc, 0xa855dae2d01c915b, 0x1d1347f9905f30b2, 0xb7c652bdecf94b34, 0xd03e43d265c6175d,
442 0xfdb15ec0ee4f2218, 0x57644b8492e9599e, 0x07dda5a4bf8e569a, 0x54a46d71680ec6a3, 0x5624a2d7c4b42c7e,
443 0xbebca04c3076b187, 0x7d36f332a6ee3a41, 0x3b6667bc6be31599, 0x695f463aea3ef040, 0xad08b0e0c3282d1c,
444 0xb15b1e4a052a684e, 0x44d05b2861b7c505, 0x15295c5b1a8dbfe1, 0x744c01c37a61c0f2, 0x59c31cd1f1e8f5b7,
445 0xef45a73f4b4ccb63, 0x6bdf899c46841a9d, 0x3dfb2b4b823036e3, 0xa2ef0ee6f674f4d5, 0x184e2dfb836b8cf5,
446 0x1134df0a5fe47646, 0xbaa1231d751f7820, 0xd17eaa81339b62bd, 0xb01bf71953771dae, 0x849a2ea30dc8d1fe,
447 0x705182923f080955, 0x0ea757556301ac29, 0x041d83514569c9a7, 0x0abad4042668658e, 0x49b72a88f851f611,
448 0x8a3d79f66ec97dd7, 0xcd2d042bf59927ef, 0xc930877ab0f0ee48, 0x9273540deda2f122, 0xc797d02fd3f14261,
449 0xe1e2f06a284d674a, 0xd2be8c74c97cfd80, 0x9a494faf67707e71, 0xb3dbd1eca9908293, 0x72d14d3493b2e388,
450 0xd6a30f258c153427}};
◆ STREEBOG_C
|
extern |
Definition at line 452 of file streebog_precalc.cpp.
452 {{0xdd806559f2a64507,
453 0x05767436cc744d23,
454 0xa2422a08a460d315,
455 0x4b7ce09192676901,
456 0x714eb88d7585c4fc,
457 0x2f6a76432e45d016,
458 0xebcb2f81c0657c1f,
459 0xb1085bda1ecadae9},
460 {0xe679047021b19bb7,
461 0x55dda21bd7cbcd56,
462 0x5cb561c2db0aa7ca,
463 0x9ab5176b12d69958,
464 0x61d55e0f16b50131,
465 0xf3feea720a232b98,
466 0x4fe39d460f70b5d7,
467 0x6fa3b58aa99d2f1a},
468 {0x991e96f50aba0ab2,
469 0xc2b6f443867adb31,
470 0xc1c93a376062db09,
471 0xd3e20fe490359eb1,
472 0xf2ea7514b1297b7b,
473 0x06f15e5f529c1f8b,
474 0x0a39fc286a3d8435,
475 0xf574dcac2bce2fc7},
476 {0x220cbebc84e3d12e,
477 0x3453eaa193e837f1,
478 0xd8b71333935203be,
479 0xa9d72c82ed03d675,
480 0x9d721cad685e353f,
481 0x488e857e335c3c7d,
482 0xf948e1a05d71e4dd,
483 0xef1fdfb3e81566d2},
484 {0x601758fd7c6cfe57,
485 0x7a56a27ea9ea63f5,
486 0xdfff00b723271a16,
487 0xbfcd1747253af5a3,
488 0x359e35d7800fffbd,
489 0x7f151c1f1686104a,
490 0x9a3f410c6ca92363,
491 0x4bea6bacad474799},
492 {0xfa68407a46647d6e,
493 0xbf71c57236904f35,
494 0x0af21f66c2bec6b6,
495 0xcffaa6b71c9ab7b4,
496 0x187f9ab49af08ec6,
497 0x2d66c4f95142a46c,
498 0x6fa4c33b7a3039c0,
499 0xae4faeae1d3ad3d9},
500 {0x8886564d3a14d493,
501 0x3517454ca23c4af3,
502 0x06476983284a0504,
503 0x0992abc52d822c37,
504 0xd3473e33197a93c9,
505 0x399ec6c7e6bf87c9,
506 0x51ac86febf240954,
507 0xf4c70e16eeaac5ec},
508 {0xa47f0dd4bf02e71e,
509 0x36acc2355951a8d9,
510 0x69d18d2bd1a5c42f,
511 0xf4892bcb929b0690,
512 0x89b4443b4ddbc49a,
513 0x4eb7f8719c36de1e,
514 0x03e7aa020c6e4141,
515 0x9b1f5b424d93c9a7},
516 {0x7261445183235adb,
517 0x0e38dc92cb1f2a60,
518 0x7b2b8a9aa6079c54,
519 0x800a440bdbb2ceb1,
520 0x3cd955b7e00d0984,
521 0x3a7d3a1b25894224,
522 0x944c9ad8ec165fde,
523 0x378f5a541631229b},
524 {0x74b4c7fb98459ced,
525 0x3698fad1153bb6c3,
526 0x7a1e6c303b7652f4,
527 0x9fe76702af69334b,
528 0x1fffe18a1b336103,
529 0x8941e71cff8a78db,
530 0x382ae548b2e4f3f3,
531 0xabbedea680056f52},
532 {0x6bcaa4cd81f32d1b,
533 0xdea2594ac06fd85d,
534 0xefbacd1d7d476e98,
535 0x8a1d71efea48b9ca,
536 0x2001802114846679,
537 0xd8fa6bbbebab0761,
538 0x3002c6cd635afe94,
539 0x7bcd9ed0efc889fb},
540 {0x48bc924af11bd720,
541 0xfaf417d5d9b21b99,
542 0xe71da4aa88e12852,
543 0x5d80ef9d1891cc86,
544 0xf82012d430219f9b,
545 0xcda43c32bcdf1d77,
546 0xd21380b00449b17a,
547 0x378ee767f11631ba}};
Referenced by Botan::Streebog::compress_64().
◆ WORDS_448
|
constexpr |
Definition at line 22 of file curve448_gf.h.
Referenced by Botan::Gf448Elem::bytes_are_canonical_representation(), Botan::Gf448Elem::ct_cond_assign(), Botan::Gf448Elem::ct_cond_swap(), Botan::Gf448Elem::is_zero(), and Botan::Gf448Elem::operator==().
◆ X448_LEN
|
constexpr |
Definition at line 16 of file x448_internal.h.
Referenced by Botan::X448_PrivateKey::check_key(), decode_point(), decode_scalar(), Botan::X448_PrivateKey::X448_PrivateKey(), and Botan::X448_PublicKey::X448_PublicKey().
Generated by
1.12.0