Botan 3.5.0
Crypto and TLS for C&
pcurves_wrap.h
Go to the documentation of this file.
1/*
2* (C) 2024 Jack Lloyd
3*
4* Botan is released under the Simplified BSD License (see license.txt)
5*/
6
7#ifndef BOTAN_PCURVES_WRAP_H_
8#define BOTAN_PCURVES_WRAP_H_
9
10#include <botan/internal/pcurves.h>
11#include <botan/internal/pcurves_impl.h>
12
13namespace Botan::PCurve {
14
15template <typename C>
16class PrimeOrderCurveImpl final : public PrimeOrderCurve {
17 public:
18 class PrecomputedMul2TableC final : public PrimeOrderCurve::PrecomputedMul2Table {
19 public:
20 static constexpr size_t WindowBits = 4;
21
22 const WindowedMul2Table<C, WindowBits>& table() const { return m_table; }
23
24 explicit PrecomputedMul2TableC(const typename C::AffinePoint& x, const typename C::AffinePoint& y) :
25 m_table(x, y) {}
26
27 private:
28 WindowedMul2Table<C, WindowBits> m_table;
29 };
30
31 static_assert(C::OrderBits <= PrimeOrderCurve::MaximumBitLength);
32 static_assert(C::PrimeFieldBits <= PrimeOrderCurve::MaximumBitLength);
33
34 size_t order_bits() const override { return C::OrderBits; }
35
36 size_t scalar_bytes() const override { return C::Scalar::BYTES; }
37
38 size_t field_element_bytes() const override { return C::FieldElement::BYTES; }
39
40 ProjectivePoint mul_by_g(const Scalar& scalar, RandomNumberGenerator& rng) const override {
41 return stash(m_mul_by_g.mul(from_stash(scalar), rng));
42 }
43
44 ProjectivePoint mul(const AffinePoint& pt, const Scalar& scalar, RandomNumberGenerator& rng) const override {
45 auto tbl = WindowedMulTable<C, 4>(from_stash(pt));
46 return stash(tbl.mul(from_stash(scalar), rng));
47 }
48
49 std::unique_ptr<const PrecomputedMul2Table> mul2_setup(const AffinePoint& x,
50 const AffinePoint& y) const override {
51 return std::make_unique<PrecomputedMul2TableC>(from_stash(x), from_stash(y));
52 }
53
54 std::optional<ProjectivePoint> mul2_vartime(const PrecomputedMul2Table& tableb,
55 const Scalar& s1,
56 const Scalar& s2) const override {
57 try {
58 const auto& table = dynamic_cast<const PrecomputedMul2TableC&>(tableb);
59 auto pt = table.table().mul2_vartime(from_stash(s1), from_stash(s2));
60 if(pt.is_identity().as_bool()) {
61 return {};
62 } else {
63 return stash(pt);
64 }
65 } catch(std::bad_cast&) {
66 throw Invalid_Argument("Curve mismatch");
67 }
68 }
69
70 std::optional<Scalar> mul2_vartime_x_mod_order(const PrecomputedMul2Table& tableb,
71 const Scalar& s1,
72 const Scalar& s2) const override {
73 try {
74 const auto& table = dynamic_cast<const PrecomputedMul2TableC&>(tableb);
75 const auto pt = table.table().mul2_vartime(from_stash(s1), from_stash(s2));
76 // Variable time here, so the early return is fine
77 if(pt.is_identity().as_bool()) {
78 return {};
79 }
80 std::array<uint8_t, C::FieldElement::BYTES> x_bytes;
81 pt.to_affine().x().serialize_to(std::span{x_bytes});
82 return stash(C::Scalar::from_wide_bytes(std::span<const uint8_t, C::FieldElement::BYTES>{x_bytes}));
83 } catch(std::bad_cast&) {
84 throw Invalid_Argument("Curve mismatch");
85 }
86 }
87
88 Scalar base_point_mul_x_mod_order(const Scalar& scalar, RandomNumberGenerator& rng) const override {
89 auto pt = m_mul_by_g.mul(from_stash(scalar), rng);
90 std::array<uint8_t, C::FieldElement::BYTES> x_bytes;
91 pt.to_affine().x().serialize_to(std::span{x_bytes});
92 return stash(C::Scalar::from_wide_bytes(std::span<const uint8_t, C::FieldElement::BYTES>{x_bytes}));
93 }
94
95 AffinePoint generator() const override { return stash(C::G); }
96
97 AffinePoint point_to_affine(const ProjectivePoint& pt) const override {
98 return stash(from_stash(pt).to_affine());
99 }
100
101 ProjectivePoint point_to_projective(const AffinePoint& pt) const override {
102 return stash(C::ProjectivePoint::from_affine(from_stash(pt)));
103 }
104
105 ProjectivePoint point_double(const ProjectivePoint& pt) const override { return stash(from_stash(pt).dbl()); }
106
107 ProjectivePoint point_add(const ProjectivePoint& a, const ProjectivePoint& b) const override {
108 return stash(from_stash(a) + from_stash(b));
109 }
110
111 ProjectivePoint point_add_mixed(const ProjectivePoint& a, const AffinePoint& b) const override {
112 return stash(from_stash(a) + from_stash(b));
113 }
114
115 ProjectivePoint point_negate(const ProjectivePoint& pt) const override { return stash(from_stash(pt).negate()); }
116
117 bool affine_point_is_identity(const AffinePoint& pt) const override {
118 return from_stash(pt).is_identity().as_bool();
119 }
120
121 void serialize_point(std::span<uint8_t> bytes, const AffinePoint& pt) const override {
122 BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::BYTES, "Invalid length for serialize_point");
123 from_stash(pt).serialize_to(bytes.subspan<0, C::AffinePoint::BYTES>());
124 }
125
126 void serialize_point_compressed(std::span<uint8_t> bytes, const AffinePoint& pt) const override {
127 BOTAN_ARG_CHECK(bytes.size() == C::AffinePoint::COMPRESSED_BYTES,
128 "Invalid length for serialize_point_compressed");
129 from_stash(pt).serialize_compressed_to(bytes.subspan<0, C::AffinePoint::COMPRESSED_BYTES>());
130 }
131
132 void serialize_point_x(std::span<uint8_t> bytes, const AffinePoint& pt) const override {
133 BOTAN_ARG_CHECK(bytes.size() == C::FieldElement::BYTES, "Invalid length for serialize_point_x");
134 from_stash(pt).x().serialize_to(bytes.subspan<0, C::FieldElement::BYTES>());
135 }
136
137 void serialize_scalar(std::span<uint8_t> bytes, const Scalar& scalar) const override {
138 BOTAN_ARG_CHECK(bytes.size() == C::Scalar::BYTES, "Invalid length to serialize_scalar");
139 return from_stash(scalar).serialize_to(bytes.subspan<0, C::Scalar::BYTES>());
140 }
141
142 std::optional<Scalar> deserialize_scalar(std::span<const uint8_t> bytes) const override {
143 if(auto scalar = C::Scalar::deserialize(bytes)) {
144 if(!scalar->is_zero().as_bool()) {
145 return stash(*scalar);
146 }
147 }
148
149 return {};
150 }
151
152 Scalar scalar_from_bits_with_trunc(std::span<const uint8_t> bytes) const override {
153 return stash(C::Scalar::from_bits_with_trunc(bytes));
154 }
155
156 std::optional<Scalar> scalar_from_wide_bytes(std::span<const uint8_t> bytes) const override {
157 if(auto s = C::Scalar::from_wide_bytes_varlen(bytes)) {
158 return stash(*s);
159 } else {
160 return {};
161 }
162 }
163
164 std::optional<AffinePoint> deserialize_point(std::span<const uint8_t> bytes) const override {
165 if(auto pt = C::AffinePoint::deserialize(bytes)) {
166 return stash(*pt);
167 } else {
168 return {};
169 }
170 }
171
172 ProjectivePoint hash_to_curve(std::string_view hash,
173 std::span<const uint8_t> input,
174 std::span<const uint8_t> domain_sep,
175 bool random_oracle) const override {
176 if constexpr(C::ValidForSswuHash) {
177 return stash(hash_to_curve_sswu<C>(hash, random_oracle, input, domain_sep));
178 } else {
179 throw Not_Implemented("Hash to curve is not implemented for this curve");
180 }
181 }
182
183 Scalar scalar_add(const Scalar& a, const Scalar& b) const override {
184 return stash(from_stash(a) + from_stash(b));
185 }
186
187 Scalar scalar_sub(const Scalar& a, const Scalar& b) const override {
188 return stash(from_stash(a) - from_stash(b));
189 }
190
191 Scalar scalar_mul(const Scalar& a, const Scalar& b) const override {
192 return stash(from_stash(a) * from_stash(b));
193 }
194
195 Scalar scalar_square(const Scalar& s) const override { return stash(from_stash(s).square()); }
196
197 Scalar scalar_invert(const Scalar& s) const override { return stash(from_stash(s).invert()); }
198
199 Scalar scalar_negate(const Scalar& s) const override { return stash(from_stash(s).negate()); }
200
201 bool scalar_is_zero(const Scalar& s) const override { return from_stash(s).is_zero().as_bool(); }
202
203 bool scalar_equal(const Scalar& a, const Scalar& b) const override {
204 return (from_stash(a) == from_stash(b)).as_bool();
205 }
206
207 Scalar scalar_zero() const override { return stash(C::Scalar::zero()); }
208
209 Scalar scalar_one() const override { return stash(C::Scalar::one()); }
210
211 Scalar scalar_from_u32(uint32_t x) const override { return stash(C::Scalar::from_word(x)); }
212
213 Scalar random_scalar(RandomNumberGenerator& rng) const override { return stash(C::Scalar::random(rng)); }
214
215 PrimeOrderCurveImpl() : m_mul_by_g(C::G) {}
216
217 static std::shared_ptr<const PrimeOrderCurve> instance() {
218 static auto g_curve = std::make_shared<const PrimeOrderCurveImpl<C>>();
219 return g_curve;
220 }
221
222 private:
223 static Scalar stash(const typename C::Scalar& s) {
224 return Scalar::_create(instance(), s.template stash_value<StorageWords>());
225 }
226
227 static typename C::Scalar from_stash(const Scalar& s) {
228 if(s._curve() != instance()) {
229 throw Invalid_Argument("Curve mismatch");
230 }
231 return C::Scalar::from_stash(s._value());
232 }
233
234 static AffinePoint stash(const typename C::AffinePoint& pt) {
235 auto x_w = pt.x().template stash_value<StorageWords>();
236 auto y_w = pt.y().template stash_value<StorageWords>();
237 return AffinePoint::_create(instance(), x_w, y_w);
238 }
239
240 static typename C::AffinePoint from_stash(const AffinePoint& pt) {
241 if(pt._curve() != instance()) {
242 throw Invalid_Argument("Curve mismatch");
243 }
244 auto x = C::FieldElement::from_stash(pt._x());
245 auto y = C::FieldElement::from_stash(pt._y());
246 return typename C::AffinePoint(x, y);
247 }
248
249 static ProjectivePoint stash(const typename C::ProjectivePoint& pt) {
250 auto x_w = pt.x().template stash_value<StorageWords>();
251 auto y_w = pt.y().template stash_value<StorageWords>();
252 auto z_w = pt.z().template stash_value<StorageWords>();
253 return ProjectivePoint::_create(instance(), x_w, y_w, z_w);
254 }
255
256 static typename C::ProjectivePoint from_stash(const ProjectivePoint& pt) {
257 if(pt._curve() != instance()) {
258 throw Invalid_Argument("Curve mismatch");
259 }
260 auto x = C::FieldElement::from_stash(pt._x());
261 auto y = C::FieldElement::from_stash(pt._y());
262 auto z = C::FieldElement::from_stash(pt._z());
263 return typename C::ProjectivePoint(x, y, z);
264 }
265
266 private:
267 const PrecomputedBaseMulTable<C, 5> m_mul_by_g;
268};
269
270} // namespace Botan::PCurve
271
272#endif
BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29
Botan::Invalid_Argument
Definition exceptn.h:131
Botan::Not_Implemented
Definition exceptn.h:334
Botan::PCurve::PrimeOrderCurveImpl::PrecomputedMul2TableC::PrecomputedMul2TableC
PrecomputedMul2TableC(const typename C::AffinePoint &x, const typename C::AffinePoint &y)
Definition pcurves_wrap.h:24
Botan::PCurve::PrimeOrderCurveImpl::PrecomputedMul2TableC::table
const WindowedMul2Table< C, WindowBits > & table() const
Definition pcurves_wrap.h:22
Botan::PCurve::PrimeOrderCurveImpl::field_element_bytes
size_t field_element_bytes() const override
Definition pcurves_wrap.h:38
Botan::PCurve::PrimeOrderCurveImpl::scalar_zero
Scalar scalar_zero() const override
Definition pcurves_wrap.h:207
Botan::PCurve::PrimeOrderCurveImpl::scalar_equal
bool scalar_equal(const Scalar &a, const Scalar &b) const override
Definition pcurves_wrap.h:203
Botan::PCurve::PrimeOrderCurveImpl::serialize_scalar
void serialize_scalar(std::span< uint8_t > bytes, const Scalar &scalar) const override
Definition pcurves_wrap.h:137
Botan::PCurve::PrimeOrderCurveImpl::affine_point_is_identity
bool affine_point_is_identity(const AffinePoint &pt) const override
Definition pcurves_wrap.h:117
Botan::PCurve::PrimeOrderCurveImpl::scalar_from_u32
Scalar scalar_from_u32(uint32_t x) const override
Definition pcurves_wrap.h:211
Botan::PCurve::PrimeOrderCurveImpl::hash_to_curve
ProjectivePoint hash_to_curve(std::string_view hash, std::span< const uint8_t > input, std::span< const uint8_t > domain_sep, bool random_oracle) const override
Definition pcurves_wrap.h:172
Botan::PCurve::PrimeOrderCurveImpl::scalar_sub
Scalar scalar_sub(const Scalar &a, const Scalar &b) const override
Definition pcurves_wrap.h:187
Botan::PCurve::PrimeOrderCurveImpl::order_bits
size_t order_bits() const override
Return the bit length of the group order.
Definition pcurves_wrap.h:34
Botan::PCurve::PrimeOrderCurveImpl::serialize_point_x
void serialize_point_x(std::span< uint8_t > bytes, const AffinePoint &pt) const override
Definition pcurves_wrap.h:132
Botan::PCurve::PrimeOrderCurveImpl::generator
AffinePoint generator() const override
Return the standard generator.
Definition pcurves_wrap.h:95
Botan::PCurve::PrimeOrderCurveImpl::mul_by_g
ProjectivePoint mul_by_g(const Scalar &scalar, RandomNumberGenerator &rng) const override
Definition pcurves_wrap.h:40
Botan::PCurve::PrimeOrderCurveImpl::scalar_from_bits_with_trunc
Scalar scalar_from_bits_with_trunc(std::span< const uint8_t > bytes) const override
Definition pcurves_wrap.h:152
Botan::PCurve::PrimeOrderCurveImpl::scalar_bytes
size_t scalar_bytes() const override
Return the byte length of the scalar element.
Definition pcurves_wrap.h:36
Botan::PCurve::PrimeOrderCurveImpl::scalar_is_zero
bool scalar_is_zero(const Scalar &s) const override
Definition pcurves_wrap.h:201
Botan::PCurve::PrimeOrderCurveImpl::scalar_invert
Scalar scalar_invert(const Scalar &s) const override
Definition pcurves_wrap.h:197
Botan::PCurve::PrimeOrderCurveImpl::scalar_one
Scalar scalar_one() const override
Definition pcurves_wrap.h:209
Botan::PCurve::PrimeOrderCurveImpl::point_negate
ProjectivePoint point_negate(const ProjectivePoint &pt) const override
Definition pcurves_wrap.h:115
Botan::PCurve::PrimeOrderCurveImpl::mul2_vartime_x_mod_order
std::optional< Scalar > mul2_vartime_x_mod_order(const PrecomputedMul2Table &tableb, const Scalar &s1, const Scalar &s2) const override
Definition pcurves_wrap.h:70
Botan::PCurve::PrimeOrderCurveImpl::instance
static std::shared_ptr< const PrimeOrderCurve > instance()
Definition pcurves_wrap.h:217
Botan::PCurve::PrimeOrderCurveImpl::scalar_from_wide_bytes
std::optional< Scalar > scalar_from_wide_bytes(std::span< const uint8_t > bytes) const override
Definition pcurves_wrap.h:156
Botan::PCurve::PrimeOrderCurveImpl::mul2_setup
std::unique_ptr< const PrecomputedMul2Table > mul2_setup(const AffinePoint &x, const AffinePoint &y) const override
Setup a table for 2-ary multiplication.
Definition pcurves_wrap.h:49
Botan::PCurve::PrimeOrderCurveImpl::base_point_mul_x_mod_order
Scalar base_point_mul_x_mod_order(const Scalar &scalar, RandomNumberGenerator &rng) const override
Definition pcurves_wrap.h:88
Botan::PCurve::PrimeOrderCurveImpl::point_double
ProjectivePoint point_double(const ProjectivePoint &pt) const override
Definition pcurves_wrap.h:105
Botan::PCurve::PrimeOrderCurveImpl::deserialize_scalar
std::optional< Scalar > deserialize_scalar(std::span< const uint8_t > bytes) const override
Definition pcurves_wrap.h:142
Botan::PCurve::PrimeOrderCurveImpl::scalar_add
Scalar scalar_add(const Scalar &a, const Scalar &b) const override
Definition pcurves_wrap.h:183
Botan::PCurve::PrimeOrderCurveImpl::scalar_negate
Scalar scalar_negate(const Scalar &s) const override
Definition pcurves_wrap.h:199
Botan::PCurve::PrimeOrderCurveImpl::mul2_vartime
std::optional< ProjectivePoint > mul2_vartime(const PrecomputedMul2Table &tableb, const Scalar &s1, const Scalar &s2) const override
Definition pcurves_wrap.h:54
Botan::PCurve::PrimeOrderCurveImpl::deserialize_point
std::optional< AffinePoint > deserialize_point(std::span< const uint8_t > bytes) const override
Definition pcurves_wrap.h:164
Botan::PCurve::PrimeOrderCurveImpl::random_scalar
Scalar random_scalar(RandomNumberGenerator &rng) const override
Definition pcurves_wrap.h:213
Botan::PCurve::PrimeOrderCurveImpl::point_add
ProjectivePoint point_add(const ProjectivePoint &a, const ProjectivePoint &b) const override
Definition pcurves_wrap.h:107
Botan::PCurve::PrimeOrderCurveImpl::serialize_point
void serialize_point(std::span< uint8_t > bytes, const AffinePoint &pt) const override
Definition pcurves_wrap.h:121
Botan::PCurve::PrimeOrderCurveImpl::scalar_square
Scalar scalar_square(const Scalar &s) const override
Definition pcurves_wrap.h:195
Botan::PCurve::PrimeOrderCurveImpl::point_to_projective
ProjectivePoint point_to_projective(const AffinePoint &pt) const override
Definition pcurves_wrap.h:101
Botan::PCurve::PrimeOrderCurveImpl::scalar_mul
Scalar scalar_mul(const Scalar &a, const Scalar &b) const override
Definition pcurves_wrap.h:191
Botan::PCurve::PrimeOrderCurveImpl::point_to_affine
AffinePoint point_to_affine(const ProjectivePoint &pt) const override
Definition pcurves_wrap.h:97
Botan::PCurve::PrimeOrderCurveImpl::point_add_mixed
ProjectivePoint point_add_mixed(const ProjectivePoint &a, const AffinePoint &b) const override
Definition pcurves_wrap.h:111
Botan::PCurve::PrimeOrderCurveImpl::mul
ProjectivePoint mul(const AffinePoint &pt, const Scalar &scalar, RandomNumberGenerator &rng) const override
Definition pcurves_wrap.h:44
Botan::PCurve::PrimeOrderCurveImpl::serialize_point_compressed
void serialize_point_compressed(std::span< uint8_t > bytes, const AffinePoint &pt) const override
Definition pcurves_wrap.h:126
Botan::PCurve::PrimeOrderCurve::MaximumBitLength
static const size_t MaximumBitLength
Definition pcurves.h:37
Botan::PrecomputedBaseMulTable::mul
ProjectivePoint mul(const Scalar &s, RandomNumberGenerator &rng) const
Definition pcurves_impl.h:1113
Botan::WindowedMul2Table::mul2_vartime
ProjectivePoint mul2_vartime(const Scalar &s1, const Scalar &s2) const
Definition pcurves_impl.h:1348
final
int(* final)(unsigned char *, CTX *)
Definition commoncrypto_hash.cpp:29
Botan::hash_to_curve_sswu
auto hash_to_curve_sswu(std::string_view hash, bool random_oracle, std::span< const uint8_t > pw, std::span< const uint8_t > dst) -> typename C::ProjectivePoint
Definition pcurves_impl.h:1407
Botan::square
BigInt square(const BigInt &x)
Definition numthry.cpp:157
Generated by doxygen 1.11.0