Botan 3.6.1
Crypto and TLS for C&
pcurves_secp384r1.cpp
Go to the documentation of this file.
1/*
2* (C) 2024 Jack Lloyd
3*
4* Botan is released under the Simplified BSD License (see license.txt)
5*/
6
7#include <botan/internal/pcurves_instance.h>
8
9#include <botan/internal/pcurves_solinas.h>
10#include <botan/internal/pcurves_wrap.h>
11
12namespace Botan::PCurve {
13
14namespace {
15
16template <typename Params>
17class Secp384r1Rep final {
18 public:
19 static constexpr auto P = Params::P;
20 static constexpr size_t N = Params::N;
21 typedef typename Params::W W;
22
23 constexpr static std::array<W, N> redc(const std::array<W, 2 * N>& z) {
24 const int64_t X00 = get_uint32(z.data(), 0);
25 const int64_t X01 = get_uint32(z.data(), 1);
26 const int64_t X02 = get_uint32(z.data(), 2);
27 const int64_t X03 = get_uint32(z.data(), 3);
28 const int64_t X04 = get_uint32(z.data(), 4);
29 const int64_t X05 = get_uint32(z.data(), 5);
30 const int64_t X06 = get_uint32(z.data(), 6);
31 const int64_t X07 = get_uint32(z.data(), 7);
32 const int64_t X08 = get_uint32(z.data(), 8);
33 const int64_t X09 = get_uint32(z.data(), 9);
34 const int64_t X10 = get_uint32(z.data(), 10);
35 const int64_t X11 = get_uint32(z.data(), 11);
36 const int64_t X12 = get_uint32(z.data(), 12);
37 const int64_t X13 = get_uint32(z.data(), 13);
38 const int64_t X14 = get_uint32(z.data(), 14);
39 const int64_t X15 = get_uint32(z.data(), 15);
40 const int64_t X16 = get_uint32(z.data(), 16);
41 const int64_t X17 = get_uint32(z.data(), 17);
42 const int64_t X18 = get_uint32(z.data(), 18);
43 const int64_t X19 = get_uint32(z.data(), 19);
44 const int64_t X20 = get_uint32(z.data(), 20);
45 const int64_t X21 = get_uint32(z.data(), 21);
46 const int64_t X22 = get_uint32(z.data(), 22);
47 const int64_t X23 = get_uint32(z.data(), 23);
48
49 // One copy of P-384 is added to prevent underflow
50 const int64_t S0 = 0xFFFFFFFF + X00 + X12 + X20 + X21 - X23;
51 const int64_t S1 = 0x00000000 + X01 + X13 + X22 + X23 - X12 - X20;
52 const int64_t S2 = 0x00000000 + X02 + X14 + X23 - X13 - X21;
53 const int64_t S3 = 0xFFFFFFFF + X03 + X12 + X15 + X20 + X21 - X14 - X22 - X23;
54 const int64_t S4 = 0xFFFFFFFE + X04 + X12 + X13 + X16 + X20 + X21 * 2 + X22 - X15 - X23 * 2;
55 const int64_t S5 = 0xFFFFFFFF + X05 + X13 + X14 + X17 + X21 + X22 * 2 + X23 - X16;
56 const int64_t S6 = 0xFFFFFFFF + X06 + X14 + X15 + X18 + X22 + X23 * 2 - X17;
57 const int64_t S7 = 0xFFFFFFFF + X07 + X15 + X16 + X19 + X23 - X18;
58 const int64_t S8 = 0xFFFFFFFF + X08 + X16 + X17 + X20 - X19;
59 const int64_t S9 = 0xFFFFFFFF + X09 + X17 + X18 + X21 - X20;
60 const int64_t SA = 0xFFFFFFFF + X10 + X18 + X19 + X22 - X21;
61 const int64_t SB = 0xFFFFFFFF + X11 + X19 + X20 + X23 - X22;
62
63 std::array<W, N> r = {};
64
65 SolinasAccum sum(r);
66
67 sum.accum(S0);
68 sum.accum(S1);
69 sum.accum(S2);
70 sum.accum(S3);
71 sum.accum(S4);
72 sum.accum(S5);
73 sum.accum(S6);
74 sum.accum(S7);
75 sum.accum(S8);
76 sum.accum(S9);
77 sum.accum(SA);
78 sum.accum(SB);
79 const auto S = sum.final_carry(0);
80
81 BOTAN_DEBUG_ASSERT(S <= 4);
82
83 const auto correction = p384_mul_mod_384(S);
84 W borrow = bigint_sub2(r.data(), N, correction.data(), N);
85
86 bigint_cnd_add(borrow, r.data(), N, P.data(), N);
87
88 return r;
89 }
90
91 constexpr static std::array<W, N> one() { return std::array<W, N>{1}; }
92
93 constexpr static std::array<W, N> to_rep(const std::array<W, N>& x) { return x; }
94
95 constexpr static std::array<W, N> wide_to_rep(const std::array<W, 2 * N>& x) { return redc(x); }
96
97 constexpr static std::array<W, N> from_rep(const std::array<W, N>& z) { return z; }
98
99 private:
100 // Return (i*P-384) % 2**384
101 //
102 // Assumes i is small
103 constexpr static std::array<W, N> p384_mul_mod_384(W i) {
104 static_assert(WordInfo<W>::bits == 32 || WordInfo<W>::bits == 64);
105
106 // For small i, multiples of P-384 have a simple structure so it's faster to
107 // compute the value directly vs a (constant time) table lookup
108
109 auto r = P;
110 if constexpr(WordInfo<W>::bits == 32) {
111 r[4] -= i;
112 r[3] -= i;
113 r[1] += i;
114 r[0] -= i;
115 } else {
116 const uint64_t i32 = static_cast<uint64_t>(i) << 32;
117 r[2] -= i;
118 r[1] -= i32;
119 r[0] += i32;
120 r[0] -= i;
121 }
122 return r;
123 }
124};
125
126// clang-format off
127namespace secp384r1 {
128
129class Params final : public EllipticCurveParameters<
130 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF",
131 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC",
132 "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF",
133 "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973",
134 "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7",
135 "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F",
136 -12> {
137};
138
139// clang-format on
140
141class Curve final : public EllipticCurve<Params, Secp384r1Rep> {
142 public:
143 // Return the square of the inverse of x
144 static FieldElement fe_invert2(const FieldElement& x) {
145 // From https://briansmith.org/ecc-inversion-addition-chains-01
146
147 FieldElement r = x.square();
148 r *= x;
149 const auto x2 = r;
150 r = r.square();
151 r *= x;
152 const auto x3 = r;
153 r.square_n(3);
154 r *= x3;
155 auto rl = r;
156 r.square_n(6);
157 r *= rl;
158 r.square_n(3);
159 r *= x3;
160 const auto x15 = r;
161 r.square_n(15);
162 r *= x15;
163 const auto x30 = r;
164 r.square_n(30);
165 r *= x30;
166 rl = r;
167 r.square_n(60);
168 r *= rl;
169 rl = r;
170 r.square_n(120);
171 r *= rl;
172 r.square_n(15);
173 r *= x15;
174 r.square_n(31);
175 r *= x30;
176 r.square_n(2);
177 r *= x2;
178 r.square_n(94);
179 r *= x30;
180 r.square_n(2);
181
182 return r;
183 }
184
185 static Scalar scalar_invert(const Scalar& x) {
186 // Generated using https://github.com/mmcloughlin/addchain
187
188 auto t3 = x.square();
189 auto t1 = x * t3;
190 auto t0 = t3 * t1;
191 auto t2 = t3 * t0;
192 auto t4 = t3 * t2;
193 auto z = t3 * t4;
194 auto t5 = t3 * z;
195 t3 *= t5;
196 auto t6 = t3.square();
197 t6 *= x;
198 auto t8 = t6;
199 t8.square_n(2);
200 auto t9 = t8.square();
201 auto t7 = t9.square();
202 auto t10 = t7;
203 t10.square_n(5);
204 t7 *= t10;
205 t10 = t7;
206 t10.square_n(10);
207 t7 *= t10;
208 t10 = t7;
209 t10.square_n(4);
210 t9 *= t10;
211 t9.square_n(21);
212 t7 *= t9;
213 t9 = t7;
214 t9.square_n(3);
215 t8 *= t9;
216 t8.square_n(47);
217 t7 *= t8;
218 t8 = t7;
219 t8.square_n(95);
220 t7 *= t8;
221 t7 *= t3;
222 t7.square_n(6);
223 t7 *= t2;
224 t7.square_n(3);
225 t7 *= t1;
226 t7.square_n(7);
227 t7 *= t5;
228 t7.square_n(6);
229 t7 *= t5;
230 t7 = t7.square();
231 t7 *= x;
232 t7.square_n(11);
233 t7 *= t6;
234 t7.square_n(2);
235 t7 *= x;
236 t7.square_n(8);
237 t7 *= t5;
238 t7.square_n(2);
239 t7 *= t1;
240 t7.square_n(6);
241 t7 *= z;
242 t7.square_n(4);
243 t7 *= t2;
244 t7.square_n(6);
245 t6 *= t7;
246 t6.square_n(5);
247 t6 *= z;
248 t6.square_n(10);
249 t6 *= t5;
250 t6.square_n(9);
251 t5 *= t6;
252 t5.square_n(4);
253 t5 *= z;
254 t5.square_n(6);
255 t4 *= t5;
256 t4.square_n(3);
257 t4 *= x;
258 t4.square_n(7);
259 t4 *= z;
260 t4.square_n(7);
261 t4 *= t0;
262 t4.square_n(5);
263 t4 *= t2;
264 t4.square_n(5);
265 t3 *= t4;
266 t3.square_n(5);
267 t3 *= z;
268 t3.square_n(4);
269 t3 *= z;
270 t3.square_n(5);
271 t2 *= t3;
272 t2.square_n(3);
273 t2 *= t1;
274 t2.square_n(7);
275 t2 *= t1;
276 t2.square_n(6);
277 t2 *= z;
278 t2.square_n(4);
279 t2 *= t0;
280 t2.square_n(3);
281 t2 *= t1;
282 t2.square_n(4);
283 t2 *= t1;
284 t2.square_n(4);
285 t1 *= t2;
286 t1.square_n(6);
287 t1 *= t0;
288 t1.square_n(5);
289 t0 *= t1;
290 t0.square_n(6);
291 z *= t0;
292 z = z.square();
293 z *= x;
294 z.square_n(4);
295 z *= x;
296
297 return z;
298 }
299};
300
301} // namespace secp384r1
302
303} // namespace
304
305std::shared_ptr<const PrimeOrderCurve> PCurveInstance::secp384r1() {
306 return PrimeOrderCurveImpl<secp384r1::Curve>::instance();
307}
308
309} // namespace Botan::PCurve
BOTAN_DEBUG_ASSERT
#define BOTAN_DEBUG_ASSERT(expr)
Definition assert.h:98
Botan::PCurve::PCurveInstance::secp384r1
static std::shared_ptr< const PrimeOrderCurve > secp384r1()
Definition pcurves.cpp:40
Botan::PCurve::PrimeOrderCurveImpl::instance
static std::shared_ptr< const PrimeOrderCurve > instance()
Definition pcurves_wrap.h:293
final
int(* final)(unsigned char *, CTX *)
Definition commoncrypto_hash.cpp:29
Botan::get_uint32
constexpr uint32_t get_uint32(const W xw[], size_t i)
Definition pcurves_solinas.h:33
Botan::bigint_cnd_add
constexpr W bigint_cnd_add(W cnd, W x[], size_t x_size, const W y[], size_t y_size)
Definition mp_core.h:42
Botan::bigint_sub2
constexpr auto bigint_sub2(W x[], size_t x_size, const W y[], size_t y_size) -> W
Definition mp_core.h:291
Generated by doxygen 1.12.0