doxygen/reducer_8cpp_source.html

/*

* Modular Reducer

* (C) 1999-2011,2018 Jack Lloyd

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/reducer.h>


#include <botan/internal/ct_utils.h>

#include <botan/internal/divide.h>

#include <botan/internal/mp_core.h>


namespace Botan {


/*

* Modular_Reducer Constructor

*/


Modular_Reducer::Modular_Reducer(const BigInt& mod) {

   if(mod < 0) {

      throw Invalid_Argument("Modular_Reducer: modulus must be positive");

   }


   // Left uninitialized if mod == 0

   m_mod_words = 0;


   if(mod > 0) {

      m_modulus = mod;

      m_mod_words = m_modulus.sig_words();


      // Compute mu = floor(2^{2k} / m)

      m_mu.set_bit(2 * BOTAN_MP_WORD_BITS * m_mod_words);

      m_mu = ct_divide(m_mu, m_modulus);

   }

}


BigInt Modular_Reducer::reduce(const BigInt& x) const {

   BigInt r;

   secure_vector<word> ws;

   reduce(r, x, ws);

   return r;

}


namespace {


/*

* Like if(cnd) x.rev_sub(...) but in const time

*/

void cnd_rev_sub(bool cnd, BigInt& x, const word y[], size_t y_sw, secure_vector<word>& ws) {

   if(x.sign() != BigInt::Positive) {

      throw Invalid_State("BigInt::sub_rev requires this is positive");

   }


   const size_t x_sw = x.sig_words();


   const size_t max_words = std::max(x_sw, y_sw);

   ws.resize(std::max(x_sw, y_sw));

   clear_mem(ws.data(), ws.size());

   x.grow_to(max_words);


   const int32_t relative_size = bigint_sub_abs(ws.data(), x._data(), x_sw, y, y_sw);


   x.cond_flip_sign((relative_size > 0) && cnd);

   bigint_cnd_swap(static_cast<word>(cnd), x.mutable_data(), ws.data(), max_words);

}


}  // namespace


void Modular_Reducer::reduce(BigInt& t1, const BigInt& x, secure_vector<word>& ws) const {

   if(&t1 == &x) {

      throw Invalid_State("Modular_Reducer arguments cannot alias");

   }

   if(m_mod_words == 0) {

      throw Invalid_State("Modular_Reducer: Never initalized");

   }


   const size_t x_sw = x.sig_words();


   if(x_sw > 2 * m_mod_words) {

      // too big, fall back to slow boat division

      t1 = ct_modulo(x, m_modulus);

      return;

   }


   t1 = x;

   t1.set_sign(BigInt::Positive);

   t1 >>= (BOTAN_MP_WORD_BITS * (m_mod_words - 1));


   t1.mul(m_mu, ws);

   t1 >>= (BOTAN_MP_WORD_BITS * (m_mod_words + 1));


   // TODO add masked mul to avoid computing high bits

   t1.mul(m_modulus, ws);

   t1.mask_bits(BOTAN_MP_WORD_BITS * (m_mod_words + 1));


   t1.rev_sub(x._data(), std::min(x_sw, m_mod_words + 1), ws);


   /*

   * If t1 < 0 then we must add b^(k+1) where b = 2^w. To avoid a

   * side channel perform the addition unconditionally, with ws set

   * to either b^(k+1) or else 0.

   */

   const word t1_neg = t1.is_negative();


   if(ws.size() < m_mod_words + 2) {

      ws.resize(m_mod_words + 2);

   }

   clear_mem(ws.data(), ws.size());

   ws[m_mod_words + 1] = t1_neg;


   t1.add(ws.data(), m_mod_words + 2, BigInt::Positive);


   // Per HAC this step requires at most 2 subtractions

   t1.ct_reduce_below(m_modulus, ws, 2);


   cnd_rev_sub(t1.is_nonzero() && x.is_negative(), t1, m_modulus._data(), m_modulus.size(), ws);

}


}  // namespace Botan

Botan::BigInt
Definition bigint.h:26

Botan::BigInt::sig_words
size_t sig_words() const
Definition bigint.h:616

Botan::BigInt::mutable_data
word * mutable_data()
Definition bigint.h:641

Botan::BigInt::size
size_t size() const
Definition bigint.h:610

Botan::BigInt::rev_sub
BigInt & rev_sub(const word y[], size_t y_words, secure_vector< word > &ws)
Definition big_ops2.cpp:130

Botan::BigInt::grow_to
void grow_to(size_t n) const
Definition bigint.h:667

Botan::BigInt::ct_reduce_below
void ct_reduce_below(const BigInt &mod, secure_vector< word > &ws, size_t bound)
Definition bigint.cpp:349

Botan::BigInt::mul
BigInt & mul(const BigInt &y, secure_vector< word > &ws)
Definition big_ops2.cpp:156

Botan::BigInt::set_bit
void set_bit(size_t n)
Definition bigint.h:464

Botan::BigInt::mask_bits
void mask_bits(size_t n)
Definition bigint.h:490

Botan::BigInt::cond_flip_sign
void cond_flip_sign(bool predicate)
Definition bigint.cpp:488

Botan::BigInt::_data
const word * _data() const
Definition bigint.h:936

Botan::BigInt::sign
Sign sign() const
Definition bigint.h:572

Botan::BigInt::add
BigInt & add(const word y[], size_t y_words, Sign sign)
Definition big_ops2.cpp:16

Botan::BigInt::Positive
@ Positive
Definition bigint.h:40

Botan::BigInt::is_negative
bool is_negative() const
Definition bigint.h:560

Botan::BigInt::is_nonzero
bool is_nonzero() const
Definition bigint.h:452

Botan::BigInt::set_sign
void set_sign(Sign sign)
Definition bigint.h:593

Botan::Invalid_Argument
Definition exceptn.h:131

Botan::Invalid_State
Definition exceptn.h:206

Botan::Modular_Reducer::Modular_Reducer
Modular_Reducer()
Definition reducer.h:64

Botan::Modular_Reducer::reduce
BigInt reduce(const BigInt &x) const
Definition reducer.cpp:37

BOTAN_MP_WORD_BITS
#define BOTAN_MP_WORD_BITS
Definition build.h:71

Botan
Definition alg_id.cpp:13

Botan::bigint_cnd_swap
constexpr void bigint_cnd_swap(W cnd, W x[], W y[], size_t size)
Definition mp_core.h:30

Botan::ct_modulo
BigInt ct_modulo(const BigInt &x, const BigInt &y)
Definition divide.cpp:117

Botan::ct_divide
void ct_divide(const BigInt &x, const BigInt &y, BigInt &q_out, BigInt &r_out)
Definition divide.cpp:48

Botan::bigint_sub_abs
constexpr auto bigint_sub_abs(W z[], const W x[], const W y[], size_t N, W ws[]) -> CT::Mask< W >
Definition mp_core.h:439

Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61

Botan::clear_mem
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:120