Botan 3.6.1
Crypto and TLS for C&
pcurves_secp256r1.cpp
Go to the documentation of this file.
1/*
2* (C) 2024 Jack Lloyd
3*
4* Botan is released under the Simplified BSD License (see license.txt)
5*/
6
7#include <botan/internal/pcurves_instance.h>
8
9#include <botan/internal/pcurves_solinas.h>
10#include <botan/internal/pcurves_wrap.h>
11
12namespace Botan::PCurve {
13
14namespace {
15
16template <typename Params>
17class Secp256r1Rep final {
18 public:
19 static constexpr auto P = Params::P;
20 static constexpr size_t N = Params::N;
21 typedef typename Params::W W;
22
23 // Adds 4 * P-256 to prevent underflow
24 static constexpr auto P256_4 =
25 hex_to_words<uint32_t>("0x3fffffffc00000004000000000000000000000003fffffffffffffffffffffffc");
26
27 constexpr static std::array<W, N> redc(const std::array<W, 2 * N>& z) {
28 const int64_t X00 = get_uint32(z.data(), 0);
29 const int64_t X01 = get_uint32(z.data(), 1);
30 const int64_t X02 = get_uint32(z.data(), 2);
31 const int64_t X03 = get_uint32(z.data(), 3);
32 const int64_t X04 = get_uint32(z.data(), 4);
33 const int64_t X05 = get_uint32(z.data(), 5);
34 const int64_t X06 = get_uint32(z.data(), 6);
35 const int64_t X07 = get_uint32(z.data(), 7);
36 const int64_t X08 = get_uint32(z.data(), 8);
37 const int64_t X09 = get_uint32(z.data(), 9);
38 const int64_t X10 = get_uint32(z.data(), 10);
39 const int64_t X11 = get_uint32(z.data(), 11);
40 const int64_t X12 = get_uint32(z.data(), 12);
41 const int64_t X13 = get_uint32(z.data(), 13);
42 const int64_t X14 = get_uint32(z.data(), 14);
43 const int64_t X15 = get_uint32(z.data(), 15);
44
45 // See SP 800-186 section G.1.2
46 const int64_t S0 = P256_4[0] + X00 + X08 + X09 - (X11 + X12 + X13 + X14);
47 const int64_t S1 = P256_4[1] + X01 + X09 + X10 - (X12 + X13 + X14 + X15);
48 const int64_t S2 = P256_4[2] + X02 + X10 + X11 - (X13 + X14 + X15);
49 const int64_t S3 = P256_4[3] + X03 + 2 * (X11 + X12) + X13 - (X15 + X08 + X09);
50 const int64_t S4 = P256_4[4] + X04 + 2 * (X12 + X13) + X14 - (X09 + X10);
51 const int64_t S5 = P256_4[5] + X05 + 2 * (X13 + X14) + X15 - (X10 + X11);
52 const int64_t S6 = P256_4[6] + X06 + X13 + X14 * 3 + X15 * 2 - (X08 + X09);
53 const int64_t S7 = P256_4[7] + X07 + X15 * 3 + X08 - (X10 + X11 + X12 + X13);
54 const int64_t S8 = P256_4[8];
55
56 std::array<W, N> r = {};
57
58 SolinasAccum sum(r);
59
60 sum.accum(S0);
61 sum.accum(S1);
62 sum.accum(S2);
63 sum.accum(S3);
64 sum.accum(S4);
65 sum.accum(S5);
66 sum.accum(S6);
67 sum.accum(S7);
68 const auto S = sum.final_carry(S8);
69
70 BOTAN_DEBUG_ASSERT(S <= 8);
71
72 const auto correction = p256_mul_mod_256(S);
73 W borrow = bigint_sub2(r.data(), N, correction.data(), N);
74
75 bigint_cnd_add(borrow, r.data(), N, P.data(), N);
76
77 return r;
78 }
79
80 constexpr static std::array<W, N> one() { return std::array<W, N>{1}; }
81
82 constexpr static std::array<W, N> to_rep(const std::array<W, N>& x) { return x; }
83
84 constexpr static std::array<W, N> wide_to_rep(const std::array<W, 2 * N>& x) { return redc(x); }
85
86 constexpr static std::array<W, N> from_rep(const std::array<W, N>& z) { return z; }
87
88 private:
89 // Return (i*P-256) % 2**256
90 //
91 // Assumes i is small
92 constexpr static std::array<W, N> p256_mul_mod_256(W i) {
93 static_assert(WordInfo<W>::bits == 32 || WordInfo<W>::bits == 64);
94
95 // For small i, multiples of P-256 have a simple structure so it's faster to
96 // compute the value directly vs a (constant time) table lookup
97
98 auto r = P;
99 if constexpr(WordInfo<W>::bits == 32) {
100 r[7] -= i;
101 r[6] += i;
102 r[3] += i;
103 r[0] -= i;
104 } else {
105 const uint64_t i32 = static_cast<uint64_t>(i) << 32;
106 r[3] -= i32;
107 r[3] += i;
108 r[1] += i32;
109 r[0] -= i;
110 }
111 return r;
112 }
113};
114
115namespace secp256r1 {
116
117// clang-format off
118class Params final : public EllipticCurveParameters<
119 "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF",
120 "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC",
121 "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B",
122 "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551",
123 "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296",
124 "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5",
125 -10> {
126};
127
128// clang-format on
129
130class Curve final : public EllipticCurve<Params, Secp256r1Rep> {
131 public:
132 // Return the square of the inverse of x
133 static FieldElement fe_invert2(const FieldElement& x) {
134 // Generated using https://github.com/mmcloughlin/addchain
135
136 auto z = x.square();
137 z *= x;
138 z = z.square();
139 z *= x;
140 auto t0 = z;
141 t0.square_n(3);
142 t0 *= z;
143 auto t1 = t0;
144 t1.square_n(6);
145 t0 *= t1;
146 t0.square_n(3);
147 z *= t0;
148 t0 = z.square();
149 t0 *= x;
150 t1 = t0;
151 t1.square_n(16);
152 t0 *= t1;
153 t0.square_n(15);
154 z *= t0;
155 t0.square_n(17);
156 t0 *= x;
157 t0.square_n(143);
158 t0 *= z;
159 t0.square_n(47);
160 z *= t0;
161 z.square_n(2);
162
163 return z;
164 }
165
166 static Scalar scalar_invert(const Scalar& x) {
167 auto t1 = x.square();
168 auto t5 = t1.square();
169 auto t2 = t5 * x;
170 auto t10 = t2 * x;
171 auto t3 = t2 * t5;
172 auto z = t10 * t3;
173 auto t9 = t3.square();
174 auto t4 = t10 * z;
175 auto t0 = t10 * t9;
176 auto t13 = t0 * t1;
177 auto t8 = t13 * t4;
178 t4 = t3 * t8;
179 auto t7 = t2 * t4;
180 t2 = t1 * t7;
181 auto t6 = t7 * t9;
182 t3 = t6 * t9;
183 t1 *= t3;
184 auto t12 = t3 * t9;
185 t5 *= t12;
186 auto t11 = t10 * t5;
187 t0 *= t11;
188 t9 *= t0;
189 t10 *= t9;
190 t4 *= t10;
191 t13 *= t4;
192 auto t14 = t13;
193 t14.square_n(8);
194 t13 *= t14;
195 t14 = t13;
196 t14.square_n(16);
197 t14 *= t13;
198 t14.square_n(48);
199 t14 *= t13;
200 t14.square_n(16);
201 t14 *= t13;
202 t14.square_n(16);
203 t14 *= t13;
204 t14.square_n(16);
205 t13 *= t14;
206 t13.square_n(6);
207 t13 *= t8;
208 t13.square_n(9);
209 t12 *= t13;
210 t12.square_n(8);
211 t11 *= t12;
212 t11.square_n(9);
213 t10 *= t11;
214 t10.square_n(8);
215 t9 *= t10;
216 t9.square_n(9);
217 t8 *= t9;
218 t8.square_n(8);
219 t7 *= t8;
220 t7.square_n(11);
221 t6 *= t7;
222 t6.square_n(9);
223 t5 *= t6;
224 t5.square_n(10);
225 t4 *= t5;
226 t4.square_n(8);
227 t3 *= t4;
228 t3.square_n(7);
229 t2 *= t3;
230 t2.square_n(10);
231 t1 *= t2;
232 t1.square_n(10);
233 t0 *= t1;
234 t0.square_n(6);
235 z *= t0;
236
237 return z;
238 }
239};
240
241} // namespace secp256r1
242
243} // namespace
244
245std::shared_ptr<const PrimeOrderCurve> PCurveInstance::secp256r1() {
246 return PrimeOrderCurveImpl<secp256r1::Curve>::instance();
247}
248
249} // namespace Botan::PCurve
BOTAN_DEBUG_ASSERT
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:98
Botan::PCurve::PCurveInstance::secp256r1
static std::shared_ptr< const PrimeOrderCurve > secp256r1()
Definition pcurves.cpp:33
Botan::PCurve::PrimeOrderCurveImpl::instance
static std::shared_ptr< const PrimeOrderCurve > instance()
Definition pcurves_wrap.h:293
final
int(* final)(unsigned char *, CTX *)
Definition commoncrypto_hash.cpp:29
Botan::get_uint32
constexpr uint32_t get_uint32(const W xw[], size_t i)
Definition pcurves_solinas.h:33
Botan::bigint_cnd_add
constexpr W bigint_cnd_add(W cnd, W x[], size_t x_size, const W y[], size_t y_size)
Definition mp_core.h:42
Botan::bigint_sub2
constexpr auto bigint_sub2(W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:291
Botan::hex_to_words
constexpr auto hex_to_words(const char(&s)[N])
Definition mp_core.h:890
Generated by doxygen 1.12.0