doxygen/x448__internal_8cpp_source.html

/*

* X448 Internal

* (C) 2024 Jack Lloyd

*     2024 Fabian Albert - Rohde & Schwarz Cybersecurity

*

* Botan is released under the Simplified BSD License (see license.txt)

*/

#include <botan/internal/x448_internal.h>


#include <botan/internal/ct_utils.h>

#include <botan/internal/curve448_gf.h>


namespace Botan {


namespace {

uint64_t get_bit(const ScalarX448& scalar, size_t bit) {

   return (scalar[bit / 8] >> (bit % 8)) & 1;

}

}  // namespace


secure_vector<uint8_t> encode_point(const Point448& p) {

   return {p.begin(), p.end()};

}


Point448 decode_point(std::span<const uint8_t> p_bytes) {

   BOTAN_ARG_CHECK(p_bytes.size() == X448_LEN, "Invalid size for X448 point");

   return typecast_copy<Point448>(p_bytes);

}


ScalarX448 decode_scalar(std::span<const uint8_t> scalar_bytes) {

   BOTAN_ARG_CHECK(scalar_bytes.size() == X448_LEN, "Invalid size for X448 scalar");

   auto buf = typecast_copy<ScalarX448>(scalar_bytes);


   buf[0] &= 0xfc;

   buf[55] |= 0x80;


   return buf;

}


/// Multiply a scalar with the base group element (5)


Point448 x448_basepoint(const ScalarX448& k) {

   const Point448 u({5});

   return x448(k, u);

}


// Algorithm see RFC 7748, Section 5:

// https://datatracker.ietf.org/doc/html/rfc7748#section-5


Point448 x448(const ScalarX448& k, const Point448& u) {

   const Gf448Elem x_1 = Gf448Elem(u.get());

   Gf448Elem x_2 = Gf448Elem::one();

   Gf448Elem z_2 = Gf448Elem::zero();

   Gf448Elem x_3 = Gf448Elem(u.get());

   Gf448Elem z_3 = Gf448Elem::one();

   auto swap = CT::Mask<uint64_t>::cleared();


   for(int16_t t = 448 - 1; t >= 0; --t) {

      auto k_t = CT::Mask<uint64_t>::expand(get_bit(k, t));

      swap ^= k_t;


      x_2.ct_cond_swap(swap, x_3);

      z_2.ct_cond_swap(swap, z_3);

      swap = k_t;


      const auto A = x_2 + z_2;

      const auto AA = square(A);

      const auto B = x_2 - z_2;

      const auto BB = square(B);

      const auto E = AA - BB;

      const auto C = x_3 + z_3;

      const auto D = x_3 - z_3;

      const auto DA = D * A;

      const auto CB = C * B;

      x_3 = square(DA + CB);

      z_3 = x_1 * square(DA - CB);

      x_2 = AA * BB;

      z_2 = E * (AA + mul_a24(E));

   }


   x_2.ct_cond_swap(swap, x_3);

   z_2.ct_cond_swap(swap, z_3);


   const auto res = x_2 / z_2;


   return Point448(res.to_bytes());

}


}  // namespace Botan

BOTAN_ARG_CHECK
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33

Botan::CT::Mask::expand
static constexpr Mask< T > expand(T v)
Definition ct_utils.h:392

Botan::CT::Mask::cleared
static constexpr Mask< T > cleared()
Definition ct_utils.h:387

Botan::Gf448Elem
Definition curve448_gf.h:36

Botan::Gf448Elem::zero
static Gf448Elem zero()
Definition curve448_gf.h:59

Botan::Gf448Elem::ct_cond_swap
void ct_cond_swap(CT::Mask< uint64_t > mask, Gf448Elem &other)
Swap this and other if mask is set. Constant time.
Definition curve448_gf.cpp:375

Botan::Gf448Elem::one
static Gf448Elem one()
Definition curve448_gf.h:64

Botan::detail::Container_Strong_Adapter_Base::begin
decltype(auto) begin() noexcept(noexcept(this->get().begin()))
Definition strong_type.h:125

Botan::detail::Container_Strong_Adapter_Base::end
decltype(auto) end() noexcept(noexcept(this->get().end()))
Definition strong_type.h:129

Botan::detail::Strong_Base::get
constexpr T & get() &
Definition strong_type.h:85

Botan
Definition alg_id.cpp:13

Botan::mul_a24
Gf448Elem mul_a24(const Gf448Elem &a)
Multiply a field element by the Curve448 constant a24 = 39081.
Definition curve448_gf.cpp:439

Botan::x448_basepoint
Point448 x448_basepoint(const ScalarX448 &k)
Multiply a scalar with the base group element (5).
Definition x448_internal.cpp:41

Botan::square
BigInt square(const BigInt &x)
Definition numthry.cpp:184

Botan::Point448
Strong< std::array< uint8_t, X448_LEN >, struct Point448_ > Point448
Definition x448_internal.h:18

Botan::ScalarX448
Strong< std::array< uint8_t, X448_LEN >, struct ScalarX448_ > ScalarX448
Definition x448_internal.h:24

Botan::decode_point
Point448 decode_point(std::span< const uint8_t > p_bytes)
Decode a point from a byte array. RFC 7748 Section 5 (decodeUCoordinate).
Definition x448_internal.cpp:25

Botan::X448_LEN
constexpr size_t X448_LEN
Definition x448_internal.h:16

Botan::encode_point
secure_vector< uint8_t > encode_point(const Point448 &p)
Encode a point to a 56 byte vector. RFC 7748 Section 5 (encodeUCoordinate).
Definition x448_internal.cpp:21

Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68

Botan::typecast_copy
constexpr void typecast_copy(ToR &&out, const FromR &in)
Definition mem_ops.h:176

Botan::decode_scalar
ScalarX448 decode_scalar(std::span< const uint8_t > scalar_bytes)
Decode a scalar from a byte array. RFC 7748 Section 5 (decodeScalar448).
Definition x448_internal.cpp:30

Botan::x448
Point448 x448(const ScalarX448 &k, const Point448 &u)
Multiply a scalar k with a point u.
Definition x448_internal.cpp:48