Botan 3.4.0
Crypto and TLS for C&
nistp_redc.cpp
Go to the documentation of this file.
1/*
2* NIST prime reductions
3* (C) 2014,2015,2018 Jack Lloyd
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/internal/curve_nistp.h>
9
10#include <botan/internal/ct_utils.h>
11#include <botan/internal/mp_core.h>
12
13namespace Botan {
14
15const BigInt& prime_p521() {
16 static const BigInt p521(
17 "0x1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
18 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF");
19
20 return p521;
21}
22
23void redc_p521(BigInt& x, secure_vector<word>& ws) {
24 BOTAN_DEBUG_ASSERT(x.is_positive());
25
26 const size_t p_full_words = 521 / BOTAN_MP_WORD_BITS;
27 const size_t p_top_bits = 521 % BOTAN_MP_WORD_BITS;
28 const size_t p_words = p_full_words + 1;
29
30 static const constinit auto p521_words = hex_to_words<word>(
31 "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
32 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF");
33
34 if(ws.size() < p_words + 1) {
35 ws.resize(p_words + 1);
36 }
37
38 clear_mem(ws.data(), ws.size());
39 bigint_shr2(ws.data(), x.data(), std::min(x.size(), 2 * p_words), 521);
40
41 x.mask_bits(521);
42 x.grow_to(p_words);
43
44 // Word-level carry will be zero
45 word carry = bigint_add3_nc(x.mutable_data(), x.data(), p_words, ws.data(), p_words);
46 BOTAN_ASSERT_EQUAL(carry, 0, "Final carry in P-521 reduction");
47
48 const word top_word = x.word_at(p_full_words);
49
50 /*
51 * Check if we need to reduce modulo P
52 * There are two possible cases:
53 * - The result overflowed past 521 bits, in which case bit 522 will be set
54 * - The result is exactly 2**521 - 1
55 */
56 const auto bit_522_set = CT::Mask<word>::expand(top_word >> p_top_bits);
57
58 const word max = WordInfo<word>::max;
59 word and_512 = max;
60 for(size_t i = 0; i != p_full_words; ++i) {
61 and_512 &= x.word_at(i);
62 }
63 const auto all_512_low_bits_set = CT::Mask<word>::is_equal(and_512, max);
64 const auto has_p521_top_word = CT::Mask<word>::is_equal(top_word, 0x1FF);
65 const auto is_p521 = all_512_low_bits_set & has_p521_top_word;
66
67 const auto needs_reduction = is_p521 | bit_522_set;
68
69 bigint_cnd_sub(needs_reduction.value(), x.mutable_data(), p521_words.data(), p_words);
70}
71
72namespace {
73
74/**
75* Treating this MPI as a sequence of 32-bit words in big-endian
76* order, return word i. The array is assumed to be large enough.
77*/
78inline uint32_t get_uint32(const word xw[], size_t i) {
79#if(BOTAN_MP_WORD_BITS == 32)
80 return xw[i];
81#else
82 return static_cast<uint32_t>(xw[i / 2] >> ((i % 2) * 32));
83#endif
84}
85
86inline void set_words(word x[], size_t i, uint32_t R0, uint32_t R1) {
87#if(BOTAN_MP_WORD_BITS == 32)
88 x[i] = R0;
89 x[i + 1] = R1;
90#else
91 x[i / 2] = (static_cast<uint64_t>(R1) << 32) | R0;
92#endif
93}
94
95} // namespace
96
97const BigInt& prime_p192() {
98 static const BigInt p192("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF");
99 return p192;
100}
101
102void redc_p192(BigInt& x, secure_vector<word>& ws) {
103 BOTAN_DEBUG_ASSERT(x.is_positive());
104
105 BOTAN_UNUSED(ws);
106
107 static const size_t p192_limbs = 192 / BOTAN_MP_WORD_BITS;
108
109 x.grow_to(2 * p192_limbs);
110 word* xw = x.mutable_data();
111
112 const uint64_t X00 = get_uint32(xw, 0);
113 const uint64_t X01 = get_uint32(xw, 1);
114 const uint64_t X02 = get_uint32(xw, 2);
115 const uint64_t X03 = get_uint32(xw, 3);
116 const uint64_t X04 = get_uint32(xw, 4);
117 const uint64_t X05 = get_uint32(xw, 5);
118 const uint64_t X06 = get_uint32(xw, 6);
119 const uint64_t X07 = get_uint32(xw, 7);
120 const uint64_t X08 = get_uint32(xw, 8);
121 const uint64_t X09 = get_uint32(xw, 9);
122 const uint64_t X10 = get_uint32(xw, 10);
123 const uint64_t X11 = get_uint32(xw, 11);
124
125 const uint64_t S0 = X00 + X06 + X10;
126 const uint64_t S1 = X01 + X07 + X11;
127 const uint64_t S2 = X02 + X06 + X08 + X10;
128 const uint64_t S3 = X03 + X07 + X09 + X11;
129 const uint64_t S4 = X04 + X08 + X10;
130 const uint64_t S5 = X05 + X09 + X11;
131
132 uint64_t S = 0;
133 uint32_t R0 = 0, R1 = 0;
134
135 S += S0;
136 R0 = static_cast<uint32_t>(S);
137 S >>= 32;
138
139 S += S1;
140 R1 = static_cast<uint32_t>(S);
141 S >>= 32;
142
143 set_words(xw, 0, R0, R1);
144
145 S += S2;
146 R0 = static_cast<uint32_t>(S);
147 S >>= 32;
148
149 S += S3;
150 R1 = static_cast<uint32_t>(S);
151 S >>= 32;
152
153 set_words(xw, 2, R0, R1);
154
155 S += S4;
156 R0 = static_cast<uint32_t>(S);
157 S >>= 32;
158
159 S += S5;
160 R1 = static_cast<uint32_t>(S);
161 S >>= 32;
162
163 set_words(xw, 4, R0, R1);
164
165 // No underflow possible
166
167 /*
168 This is a table of (i*P-192) % 2**192 for i in 1...3
169 */
170 static const constinit std::array<word, p192_limbs> p192_mults[3] = {
171 hex_to_words<word>("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF"),
172 hex_to_words<word>("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFFFFFFFFFE"),
173 hex_to_words<word>("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCFFFFFFFFFFFFFFFD"),
174 };
175
176 CT::unpoison(S);
177 BOTAN_ASSERT(S <= 2, "Expected overflow");
178
179 BOTAN_ASSERT_NOMSG(x.size() >= p192_limbs + 1);
180 x.mask_bits(192);
181 word borrow = bigint_sub2(x.mutable_data(), p192_limbs + 1, p192_mults[S].data(), p192_limbs);
182 BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);
183 bigint_cnd_add(borrow, x.mutable_data(), p192_limbs + 1, p192_mults[0].data(), p192_limbs);
184}
185
186const BigInt& prime_p224() {
187 static const BigInt p224("0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001");
188 return p224;
189}
190
191void redc_p224(BigInt& x, secure_vector<word>& ws) {
192 BOTAN_DEBUG_ASSERT(x.is_positive());
193
194 static const size_t p224_limbs = (BOTAN_MP_WORD_BITS == 32) ? 7 : 4;
195
196 BOTAN_UNUSED(ws);
197
198 x.grow_to(2 * p224_limbs);
199 word* xw = x.mutable_data();
200
201 const int64_t X00 = get_uint32(xw, 0);
202 const int64_t X01 = get_uint32(xw, 1);
203 const int64_t X02 = get_uint32(xw, 2);
204 const int64_t X03 = get_uint32(xw, 3);
205 const int64_t X04 = get_uint32(xw, 4);
206 const int64_t X05 = get_uint32(xw, 5);
207 const int64_t X06 = get_uint32(xw, 6);
208 const int64_t X07 = get_uint32(xw, 7);
209 const int64_t X08 = get_uint32(xw, 8);
210 const int64_t X09 = get_uint32(xw, 9);
211 const int64_t X10 = get_uint32(xw, 10);
212 const int64_t X11 = get_uint32(xw, 11);
213 const int64_t X12 = get_uint32(xw, 12);
214 const int64_t X13 = get_uint32(xw, 13);
215
216 // One full copy of P224 is added, so the result is always positive
217
218 const int64_t S0 = 0x00000001 + X00 - X07 - X11;
219 const int64_t S1 = 0x00000000 + X01 - X08 - X12;
220 const int64_t S2 = 0x00000000 + X02 - X09 - X13;
221 const int64_t S3 = 0xFFFFFFFF + X03 + X07 + X11 - X10;
222 const int64_t S4 = 0xFFFFFFFF + X04 + X08 + X12 - X11;
223 const int64_t S5 = 0xFFFFFFFF + X05 + X09 + X13 - X12;
224 const int64_t S6 = 0xFFFFFFFF + X06 + X10 - X13;
225
226 int64_t S = 0;
227 uint32_t R0 = 0, R1 = 0;
228
229 S += S0;
230 R0 = static_cast<uint32_t>(S);
231 S >>= 32;
232
233 S += S1;
234 R1 = static_cast<uint32_t>(S);
235 S >>= 32;
236
237 set_words(xw, 0, R0, R1);
238
239 S += S2;
240 R0 = static_cast<uint32_t>(S);
241 S >>= 32;
242
243 S += S3;
244 R1 = static_cast<uint32_t>(S);
245 S >>= 32;
246
247 set_words(xw, 2, R0, R1);
248
249 S += S4;
250 R0 = static_cast<uint32_t>(S);
251 S >>= 32;
252
253 S += S5;
254 R1 = static_cast<uint32_t>(S);
255 S >>= 32;
256
257 set_words(xw, 4, R0, R1);
258
259 S += S6;
260 R0 = static_cast<uint32_t>(S);
261 S >>= 32;
262
263 set_words(xw, 6, R0, 0);
264
265 static const constinit std::array<word, p224_limbs> p224_mults[3] = {
266 hex_to_words<word>("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001"),
267 hex_to_words<word>("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE000000000000000000000002"),
268 hex_to_words<word>("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFD000000000000000000000003"),
269 };
270
271 CT::unpoison(S);
272 BOTAN_ASSERT(S >= 0 && S <= 2, "Expected overflow");
273
274 BOTAN_ASSERT_NOMSG(x.size() >= p224_limbs + 1);
275 x.mask_bits(224);
276 word borrow = bigint_sub2(x.mutable_data(), p224_limbs + 1, p224_mults[S].data(), p224_limbs);
277 BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);
278 bigint_cnd_add(borrow, x.mutable_data(), p224_limbs + 1, p224_mults[0].data(), p224_limbs);
279}
280
281const BigInt& prime_p256() {
282 static const BigInt p256("0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF");
283 return p256;
284}
285
286void redc_p256(BigInt& x, secure_vector<word>& ws) {
287 BOTAN_DEBUG_ASSERT(x.is_positive());
288
289 static const size_t p256_limbs = (BOTAN_MP_WORD_BITS == 32) ? 8 : 4;
290
291 BOTAN_UNUSED(ws);
292
293 x.grow_to(2 * p256_limbs);
294 word* xw = x.mutable_data();
295
296 const int64_t X00 = get_uint32(xw, 0);
297 const int64_t X01 = get_uint32(xw, 1);
298 const int64_t X02 = get_uint32(xw, 2);
299 const int64_t X03 = get_uint32(xw, 3);
300 const int64_t X04 = get_uint32(xw, 4);
301 const int64_t X05 = get_uint32(xw, 5);
302 const int64_t X06 = get_uint32(xw, 6);
303 const int64_t X07 = get_uint32(xw, 7);
304 const int64_t X08 = get_uint32(xw, 8);
305 const int64_t X09 = get_uint32(xw, 9);
306 const int64_t X10 = get_uint32(xw, 10);
307 const int64_t X11 = get_uint32(xw, 11);
308 const int64_t X12 = get_uint32(xw, 12);
309 const int64_t X13 = get_uint32(xw, 13);
310 const int64_t X14 = get_uint32(xw, 14);
311 const int64_t X15 = get_uint32(xw, 15);
312
313 // Adds 6 * P-256 to prevent underflow
314 const int64_t S0 = 0xFFFFFFFA + X00 + X08 + X09 - (X11 + X12 + X13) - X14;
315 const int64_t S1 = 0xFFFFFFFF + X01 + X09 + X10 - X12 - (X13 + X14 + X15);
316 const int64_t S2 = 0xFFFFFFFF + X02 + X10 + X11 - (X13 + X14 + X15);
317 const int64_t S3 = 0x00000005 + X03 + (X11 + X12) * 2 + X13 - X15 - X08 - X09;
318 const int64_t S4 = 0x00000000 + X04 + (X12 + X13) * 2 + X14 - X09 - X10;
319 const int64_t S5 = 0x00000000 + X05 + (X13 + X14) * 2 + X15 - X10 - X11;
320 const int64_t S6 = 0x00000006 + X06 + X13 + X14 * 3 + X15 * 2 - X08 - X09;
321 const int64_t S7 = 0xFFFFFFFA + X07 + X15 * 3 + X08 - X10 - (X11 + X12 + X13);
322
323 int64_t S = 0;
324
325 uint32_t R0 = 0, R1 = 0;
326
327 S += S0;
328 R0 = static_cast<uint32_t>(S);
329 S >>= 32;
330
331 S += S1;
332 R1 = static_cast<uint32_t>(S);
333 S >>= 32;
334
335 set_words(xw, 0, R0, R1);
336
337 S += S2;
338 R0 = static_cast<uint32_t>(S);
339 S >>= 32;
340
341 S += S3;
342 R1 = static_cast<uint32_t>(S);
343 S >>= 32;
344
345 set_words(xw, 2, R0, R1);
346
347 S += S4;
348 R0 = static_cast<uint32_t>(S);
349 S >>= 32;
350
351 S += S5;
352 R1 = static_cast<uint32_t>(S);
353 S >>= 32;
354
355 set_words(xw, 4, R0, R1);
356
357 S += S6;
358 R0 = static_cast<uint32_t>(S);
359 S >>= 32;
360
361 S += S7;
362 R1 = static_cast<uint32_t>(S);
363 S >>= 32;
364 set_words(xw, 6, R0, R1);
365
366 S += 5; // the top digits of 6*P-256
367
368 /*
369 This is a table of (i*P-256) % 2**256 for i in 1...10
370 */
371 static const constinit std::array<word, p256_limbs> p256_mults[11] = {
372 hex_to_words<word>("FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF"),
373 hex_to_words<word>("FFFFFFFE00000002000000000000000000000001FFFFFFFFFFFFFFFFFFFFFFFE"),
374 hex_to_words<word>("FFFFFFFD00000003000000000000000000000002FFFFFFFFFFFFFFFFFFFFFFFD"),
375 hex_to_words<word>("FFFFFFFC00000004000000000000000000000003FFFFFFFFFFFFFFFFFFFFFFFC"),
376 hex_to_words<word>("FFFFFFFB00000005000000000000000000000004FFFFFFFFFFFFFFFFFFFFFFFB"),
377 hex_to_words<word>("FFFFFFFA00000006000000000000000000000005FFFFFFFFFFFFFFFFFFFFFFFA"),
378 hex_to_words<word>("FFFFFFF900000007000000000000000000000006FFFFFFFFFFFFFFFFFFFFFFF9"),
379 hex_to_words<word>("FFFFFFF800000008000000000000000000000007FFFFFFFFFFFFFFFFFFFFFFF8"),
380 hex_to_words<word>("FFFFFFF700000009000000000000000000000008FFFFFFFFFFFFFFFFFFFFFFF7"),
381 hex_to_words<word>("FFFFFFF60000000A000000000000000000000009FFFFFFFFFFFFFFFFFFFFFFF6"),
382 hex_to_words<word>("FFFFFFF50000000B00000000000000000000000AFFFFFFFFFFFFFFFFFFFFFFF5"),
383 };
384
385 CT::unpoison(S);
386 BOTAN_ASSERT(S >= 0 && S <= 10, "Expected overflow");
387
388 BOTAN_ASSERT_NOMSG(x.size() >= p256_limbs + 1);
389 x.mask_bits(256);
390 word borrow = bigint_sub2(x.mutable_data(), p256_limbs + 1, p256_mults[S].data(), p256_limbs);
391 BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);
392 bigint_cnd_add(borrow, x.mutable_data(), p256_limbs + 1, p256_mults[0].data(), p256_limbs);
393}
394
395const BigInt& prime_p384() {
396 static const BigInt p384(
397 "0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF");
398 return p384;
399}
400
401void redc_p384(BigInt& x, secure_vector<word>& ws) {
402 BOTAN_DEBUG_ASSERT(x.is_positive());
403
404 BOTAN_UNUSED(ws);
405
406 static const size_t p384_limbs = (BOTAN_MP_WORD_BITS == 32) ? 12 : 6;
407
408 x.grow_to(2 * p384_limbs);
409 word* xw = x.mutable_data();
410
411 const int64_t X00 = get_uint32(xw, 0);
412 const int64_t X01 = get_uint32(xw, 1);
413 const int64_t X02 = get_uint32(xw, 2);
414 const int64_t X03 = get_uint32(xw, 3);
415 const int64_t X04 = get_uint32(xw, 4);
416 const int64_t X05 = get_uint32(xw, 5);
417 const int64_t X06 = get_uint32(xw, 6);
418 const int64_t X07 = get_uint32(xw, 7);
419 const int64_t X08 = get_uint32(xw, 8);
420 const int64_t X09 = get_uint32(xw, 9);
421 const int64_t X10 = get_uint32(xw, 10);
422 const int64_t X11 = get_uint32(xw, 11);
423 const int64_t X12 = get_uint32(xw, 12);
424 const int64_t X13 = get_uint32(xw, 13);
425 const int64_t X14 = get_uint32(xw, 14);
426 const int64_t X15 = get_uint32(xw, 15);
427 const int64_t X16 = get_uint32(xw, 16);
428 const int64_t X17 = get_uint32(xw, 17);
429 const int64_t X18 = get_uint32(xw, 18);
430 const int64_t X19 = get_uint32(xw, 19);
431 const int64_t X20 = get_uint32(xw, 20);
432 const int64_t X21 = get_uint32(xw, 21);
433 const int64_t X22 = get_uint32(xw, 22);
434 const int64_t X23 = get_uint32(xw, 23);
435
436 // One copy of P-384 is added to prevent underflow
437 const int64_t S0 = 0xFFFFFFFF + X00 + X12 + X20 + X21 - X23;
438 const int64_t S1 = 0x00000000 + X01 + X13 + X22 + X23 - X12 - X20;
439 const int64_t S2 = 0x00000000 + X02 + X14 + X23 - X13 - X21;
440 const int64_t S3 = 0xFFFFFFFF + X03 + X12 + X15 + X20 + X21 - X14 - X22 - X23;
441 const int64_t S4 = 0xFFFFFFFE + X04 + X12 + X13 + X16 + X20 + X21 * 2 + X22 - X15 - X23 * 2;
442 const int64_t S5 = 0xFFFFFFFF + X05 + X13 + X14 + X17 + X21 + X22 * 2 + X23 - X16;
443 const int64_t S6 = 0xFFFFFFFF + X06 + X14 + X15 + X18 + X22 + X23 * 2 - X17;
444 const int64_t S7 = 0xFFFFFFFF + X07 + X15 + X16 + X19 + X23 - X18;
445 const int64_t S8 = 0xFFFFFFFF + X08 + X16 + X17 + X20 - X19;
446 const int64_t S9 = 0xFFFFFFFF + X09 + X17 + X18 + X21 - X20;
447 const int64_t SA = 0xFFFFFFFF + X10 + X18 + X19 + X22 - X21;
448 const int64_t SB = 0xFFFFFFFF + X11 + X19 + X20 + X23 - X22;
449
450 int64_t S = 0;
451
452 uint32_t R0 = 0, R1 = 0;
453
454 S += S0;
455 R0 = static_cast<uint32_t>(S);
456 S >>= 32;
457
458 S += S1;
459 R1 = static_cast<uint32_t>(S);
460 S >>= 32;
461
462 set_words(xw, 0, R0, R1);
463
464 S += S2;
465 R0 = static_cast<uint32_t>(S);
466 S >>= 32;
467
468 S += S3;
469 R1 = static_cast<uint32_t>(S);
470 S >>= 32;
471
472 set_words(xw, 2, R0, R1);
473
474 S += S4;
475 R0 = static_cast<uint32_t>(S);
476 S >>= 32;
477
478 S += S5;
479 R1 = static_cast<uint32_t>(S);
480 S >>= 32;
481
482 set_words(xw, 4, R0, R1);
483
484 S += S6;
485 R0 = static_cast<uint32_t>(S);
486 S >>= 32;
487
488 S += S7;
489 R1 = static_cast<uint32_t>(S);
490 S >>= 32;
491
492 set_words(xw, 6, R0, R1);
493
494 S += S8;
495 R0 = static_cast<uint32_t>(S);
496 S >>= 32;
497
498 S += S9;
499 R1 = static_cast<uint32_t>(S);
500 S >>= 32;
501
502 set_words(xw, 8, R0, R1);
503
504 S += SA;
505 R0 = static_cast<uint32_t>(S);
506 S >>= 32;
507
508 S += SB;
509 R1 = static_cast<uint32_t>(S);
510 S >>= 32;
511
512 set_words(xw, 10, R0, R1);
513
514 /*
515 This is a table of (i*P-384) % 2**384 for i in 1...4
516 */
517 static const constinit std::array<word, p384_limbs> p384_mults[5] = {
518 hex_to_words<word>(
519 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF"),
520 hex_to_words<word>(
521 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFE0000000000000001FFFFFFFE"),
522 hex_to_words<word>(
523 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFCFFFFFFFD0000000000000002FFFFFFFD"),
524 hex_to_words<word>(
525 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFBFFFFFFFC0000000000000003FFFFFFFC"),
526 hex_to_words<word>(
527 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFAFFFFFFFB0000000000000004FFFFFFFB"),
528 };
529
530 CT::unpoison(S);
531 BOTAN_ASSERT(S >= 0 && S <= 4, "Expected overflow");
532
533 BOTAN_ASSERT_NOMSG(x.size() >= p384_limbs + 1);
534 x.mask_bits(384);
535 word borrow = bigint_sub2(x.mutable_data(), p384_limbs + 1, p384_mults[S].data(), p384_limbs);
536 BOTAN_DEBUG_ASSERT(borrow == 0 || borrow == 1);
537 bigint_cnd_add(borrow, x.mutable_data(), p384_limbs + 1, p384_mults[0].data(), p384_limbs);
538}
539
540} // namespace Botan
BOTAN_UNUSED
#define BOTAN_UNUSED
Definition assert.h:118
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
BOTAN_DEBUG_ASSERT
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:98
BOTAN_ASSERT_EQUAL
#define BOTAN_ASSERT_EQUAL(expr1, expr2, assertion_made)
Definition assert.h:68
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:50
Botan::BigInt::mutable_data
word * mutable_data()
Definition bigint.h:609
Botan::BigInt::size
size_t size() const
Definition bigint.h:578
Botan::BigInt::grow_to
void grow_to(size_t n) const
Definition bigint.h:631
Botan::BigInt::data
const word * data() const
Definition bigint.h:615
Botan::BigInt::word_at
word word_at(size_t n) const
Definition bigint.h:518
Botan::BigInt::mask_bits
void mask_bits(size_t n)
Definition bigint.h:460
Botan::BigInt::is_positive
bool is_positive() const
Definition bigint.h:534
Botan::CT::Mask::expand
static constexpr Mask< T > expand(T v)
Definition ct_utils.h:115
Botan::CT::Mask::is_equal
static constexpr Mask< T > is_equal(T x, T y)
Definition ct_utils.h:134
BOTAN_MP_WORD_BITS
#define BOTAN_MP_WORD_BITS
Definition build.h:50
Botan::CT::unpoison
constexpr void unpoison(const T *p, size_t n)
Definition ct_utils.h:57
Botan::redc_p521
BOTAN_TEST_API void redc_p521(BigInt &x, secure_vector< word > &ws)
Definition nistp_redc.cpp:23
Botan::bigint_shr2
constexpr void bigint_shr2(W y[], const W x[], size_t x_size, size_t shift)
Definition mp_core.h:517
Botan::redc_p192
BOTAN_TEST_API void redc_p192(BigInt &x, secure_vector< word > &ws)
Definition nistp_redc.cpp:102
Botan::redc_p256
BOTAN_TEST_API void redc_p256(BigInt &x, secure_vector< word > &ws)
Definition nistp_redc.cpp:286
Botan::redc_p224
BOTAN_TEST_API void redc_p224(BigInt &x, secure_vector< word > &ws)
Definition nistp_redc.cpp:191
Botan::prime_p384
BOTAN_TEST_API const BigInt & prime_p384()
Definition nistp_redc.cpp:395
Botan::prime_p224
BOTAN_TEST_API const BigInt & prime_p224()
Definition nistp_redc.cpp:186
Botan::redc_p384
BOTAN_TEST_API void redc_p384(BigInt &x, secure_vector< word > &ws)
Definition nistp_redc.cpp:401
Botan::bigint_cnd_sub
constexpr auto bigint_cnd_sub(W cnd, W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:83
Botan::bigint_cnd_add
constexpr W bigint_cnd_add(W cnd, W x[], size_t x_size, const W y[], size_t y_size)
Definition mp_core.h:41
Botan::carry
void carry(int64_t &h0, int64_t &h1)
Definition ed25519_internal.h:28
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
Botan::bigint_sub2
constexpr auto bigint_sub2(W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:285
Botan::prime_p256
BOTAN_TEST_API const BigInt & prime_p256()
Definition nistp_redc.cpp:281
Botan::prime_p192
BOTAN_TEST_API const BigInt & prime_p192()
Definition nistp_redc.cpp:97
Botan::prime_p521
BOTAN_TEST_API const BigInt & prime_p521()
Definition nistp_redc.cpp:15
Botan::clear_mem
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:120
Botan::bigint_add3_nc
constexpr auto bigint_add3_nc(W z[], const W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:237
Generated by doxygen 1.10.0