Coverage Report

Created: 2020-06-30 13:58

/src/botan/src/lib/math/numbertheory/monty_exp.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* Montgomery Exponentiation
3
* (C) 1999-2010,2012,2018 Jack Lloyd
4
*     2016 Matthias Gierlings
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/internal/monty_exp.h>
10
#include <botan/internal/ct_utils.h>
11
#include <botan/internal/rounding.h>
12
#include <botan/numthry.h>
13
#include <botan/reducer.h>
14
#include <botan/monty.h>
15
16
namespace Botan {
17
18
class Montgomery_Exponentation_State
19
   {
20
   public:
21
      Montgomery_Exponentation_State(std::shared_ptr<const Montgomery_Params> params,
22
                                     const BigInt& g,
23
                                     size_t window_bits,
24
                                     bool const_time);
25
26
      BigInt exponentiation(const BigInt& k, size_t max_k_bits) const;
27
28
      BigInt exponentiation_vartime(const BigInt& k) const;
29
   private:
30
      std::shared_ptr<const Montgomery_Params> m_params;
31
      std::vector<Montgomery_Int> m_g;
32
      size_t m_window_bits;
33
      bool m_const_time;
34
   };
35
36
Montgomery_Exponentation_State::Montgomery_Exponentation_State(std::shared_ptr<const Montgomery_Params> params,
37
                                                               const BigInt& g,
38
                                                               size_t window_bits,
39
                                                               bool const_time) :
40
   m_params(params),
41
   m_window_bits(window_bits == 0 ? 4 : window_bits),
42
   m_const_time(const_time)
43
90.0k
   {
44
90.0k
   BOTAN_ARG_CHECK(g < m_params->p(), "Montgomery base too big");
45
90.0k
46
90.0k
   if(m_window_bits < 1 || m_window_bits > 12) // really even 8 is too large ...
47
0
      throw Invalid_Argument("Invalid window bits for Montgomery exponentiation");
48
89.9k
49
89.9k
   const size_t window_size = (static_cast<size_t>(1) << m_window_bits);
50
89.9k
51
89.9k
   m_g.reserve(window_size);
52
89.9k
53
89.9k
   m_g.push_back(Montgomery_Int(m_params, m_params->R1(), false));
54
89.9k
55
89.9k
   m_g.push_back(Montgomery_Int(m_params, g));
56
89.9k
57
1.26M
   for(size_t i = 2; i != window_size; ++i)
58
1.17M
      {
59
1.17M
      m_g.push_back(m_g[1] * m_g[i - 1]);
60
1.17M
      }
61
89.9k
62
89.9k
   // Resize each element to exactly p words
63
1.44M
   for(size_t i = 0; i != window_size; ++i)
64
1.35M
      {
65
1.35M
      m_g[i].fix_size();
66
1.35M
      if(const_time)
67
1.33M
         m_g[i].const_time_poison();
68
1.35M
      }
69
89.9k
   }
70
71
namespace {
72
73
void const_time_lookup(secure_vector<word>& output,
74
                       const std::vector<Montgomery_Int>& g,
75
                       size_t nibble)
76
2.84M
   {
77
2.84M
   BOTAN_ASSERT_NOMSG(g.size() % 2 == 0); // actually a power of 2
78
2.84M
79
2.84M
   const size_t words = output.size();
80
2.84M
81
2.84M
   clear_mem(output.data(), output.size());
82
2.84M
83
25.5M
   for(size_t i = 0; i != g.size(); i += 2)
84
22.7M
      {
85
22.7M
      const secure_vector<word>& vec_0 = g[i  ].repr().get_word_vector();
86
22.7M
      const secure_vector<word>& vec_1 = g[i+1].repr().get_word_vector();
87
22.7M
88
22.7M
      BOTAN_ASSERT_NOMSG(vec_0.size() >= words && vec_1.size() >= words);
89
22.7M
90
22.7M
      const auto mask_0 = CT::Mask<word>::is_equal(nibble, i);
91
22.7M
      const auto mask_1 = CT::Mask<word>::is_equal(nibble, i+1);
92
22.7M
93
416M
      for(size_t w = 0; w != words; ++w)
94
394M
         {
95
394M
         output[w] |= mask_0.if_set_return(vec_0[w]);
96
394M
         output[w] |= mask_1.if_set_return(vec_1[w]);
97
394M
         }
98
22.7M
      }
99
2.84M
   }
100
101
}
102
103
BigInt Montgomery_Exponentation_State::exponentiation(const BigInt& scalar, size_t max_k_bits) const
104
83.3k
   {
105
83.3k
   BOTAN_DEBUG_ASSERT(scalar.bits() <= max_k_bits);
106
83.3k
   // TODO add a const-time implementation of above assert and use it in release builds
107
83.3k
108
83.3k
   const size_t exp_nibbles = (max_k_bits + m_window_bits - 1) / m_window_bits;
109
83.3k
110
83.3k
   if(exp_nibbles == 0)
111
6
      return 1;
112
83.3k
113
83.3k
   secure_vector<word> e_bits(m_params->p_words());
114
83.3k
   secure_vector<word> ws;
115
83.3k
116
83.3k
   const_time_lookup(e_bits, m_g, scalar.get_substring(m_window_bits*(exp_nibbles-1), m_window_bits));
117
83.3k
   Montgomery_Int x(m_params, e_bits.data(), e_bits.size(), false);
118
83.3k
119
2.84M
   for(size_t i = exp_nibbles - 1; i > 0; --i)
120
2.75M
      {
121
2.75M
      x.square_this_n_times(ws, m_window_bits);
122
2.75M
      const_time_lookup(e_bits, m_g, scalar.get_substring(m_window_bits*(i-1), m_window_bits));
123
2.75M
      x.mul_by(e_bits, ws);
124
2.75M
      }
125
83.3k
126
83.3k
   x.const_time_unpoison();
127
83.3k
   return x.value();
128
83.3k
   }
129
130
BigInt Montgomery_Exponentation_State::exponentiation_vartime(const BigInt& scalar) const
131
6.29k
   {
132
6.29k
   BOTAN_ASSERT_NOMSG(m_const_time == false);
133
6.29k
134
6.29k
   const size_t exp_nibbles = (scalar.bits() + m_window_bits - 1) / m_window_bits;
135
6.29k
136
6.29k
   secure_vector<word> ws;
137
6.29k
138
6.29k
   if(exp_nibbles == 0)
139
0
      return 1;
140
6.29k
141
6.29k
   Montgomery_Int x = m_g[scalar.get_substring(m_window_bits*(exp_nibbles-1), m_window_bits)];
142
6.29k
143
350k
   for(size_t i = exp_nibbles - 1; i > 0; --i)
144
343k
      {
145
343k
      x.square_this_n_times(ws, m_window_bits);
146
343k
147
343k
      const uint32_t nibble = scalar.get_substring(m_window_bits*(i-1), m_window_bits);
148
343k
      if(nibble > 0)
149
76.6k
         x.mul_by(m_g[nibble], ws);
150
343k
      }
151
6.29k
152
6.29k
   x.const_time_unpoison();
153
6.29k
   return x.value();
154
6.29k
   }
155
156
std::shared_ptr<const Montgomery_Exponentation_State>
157
monty_precompute(std::shared_ptr<const Montgomery_Params> params,
158
                 const BigInt& g,
159
                 size_t window_bits,
160
                 bool const_time)
161
90.0k
   {
162
90.0k
   return std::make_shared<const Montgomery_Exponentation_State>(params, g, window_bits, const_time);
163
90.0k
   }
164
165
BigInt monty_execute(const Montgomery_Exponentation_State& precomputed_state,
166
                     const BigInt& k, size_t max_k_bits)
167
83.3k
   {
168
83.3k
   return precomputed_state.exponentiation(k, max_k_bits);
169
83.3k
   }
170
171
BigInt monty_execute_vartime(const Montgomery_Exponentation_State& precomputed_state,
172
                             const BigInt& k)
173
6.29k
   {
174
6.29k
   return precomputed_state.exponentiation_vartime(k);
175
6.29k
   }
176
177
BigInt monty_multi_exp(std::shared_ptr<const Montgomery_Params> params_p,
178
                       const BigInt& x_bn,
179
                       const BigInt& z1,
180
                       const BigInt& y_bn,
181
                       const BigInt& z2)
182
98
   {
183
98
   if(z1.is_negative() || z2.is_negative())
184
0
      throw Invalid_Argument("multi_exponentiate exponents must be positive");
185
98
186
98
   const size_t z_bits = round_up(std::max(z1.bits(), z2.bits()), 2);
187
98
188
98
   secure_vector<word> ws;
189
98
190
98
   const Montgomery_Int one(params_p, params_p->R1(), false);
191
98
   //const Montgomery_Int one(params_p, 1);
192
98
193
98
   const Montgomery_Int x1(params_p, x_bn);
194
98
   const Montgomery_Int x2 = x1.square(ws);
195
98
   const Montgomery_Int x3 = x2.mul(x1, ws);
196
98
197
98
   const Montgomery_Int y1(params_p, y_bn);
198
98
   const Montgomery_Int y2 = y1.square(ws);
199
98
   const Montgomery_Int y3 = y2.mul(y1, ws);
200
98
201
98
   const Montgomery_Int y1x1 = y1.mul(x1, ws);
202
98
   const Montgomery_Int y1x2 = y1.mul(x2, ws);
203
98
   const Montgomery_Int y1x3 = y1.mul(x3, ws);
204
98
205
98
   const Montgomery_Int y2x1 = y2.mul(x1, ws);
206
98
   const Montgomery_Int y2x2 = y2.mul(x2, ws);
207
98
   const Montgomery_Int y2x3 = y2.mul(x3, ws);
208
98
209
98
   const Montgomery_Int y3x1 = y3.mul(x1, ws);
210
98
   const Montgomery_Int y3x2 = y3.mul(x2, ws);
211
98
   const Montgomery_Int y3x3 = y3.mul(x3, ws);
212
98
213
98
   const Montgomery_Int* M[16] = {
214
98
      &one,
215
98
      &x1,                    // 0001
216
98
      &x2,                    // 0010
217
98
      &x3,                    // 0011
218
98
      &y1,                    // 0100
219
98
      &y1x1,
220
98
      &y1x2,
221
98
      &y1x3,
222
98
      &y2,                    // 1000
223
98
      &y2x1,
224
98
      &y2x2,
225
98
      &y2x3,
226
98
      &y3,                    // 1100
227
98
      &y3x1,
228
98
      &y3x2,
229
98
      &y3x3
230
98
   };
231
98
232
98
   Montgomery_Int H = one;
233
98
234
34.8k
   for(size_t i = 0; i != z_bits; i += 2)
235
34.7k
      {
236
34.7k
      if(i > 0)
237
34.7k
         {
238
34.7k
         H.square_this(ws);
239
34.7k
         H.square_this(ws);
240
34.7k
         }
241
34.7k
242
34.7k
      const uint32_t z1_b = z1.get_substring(z_bits - i - 2, 2);
243
34.7k
      const uint32_t z2_b = z2.get_substring(z_bits - i - 2, 2);
244
34.7k
245
34.7k
      const uint32_t z12 = (4*z2_b) + z1_b;
246
34.7k
247
34.7k
      H.mul_by(*M[z12], ws);
248
34.7k
      }
249
98
250
98
   return H.value();
251
98
   }
252
253
}
254