Coverage Report

Created: 2026-06-30 06:41

next uncovered line (L), next uncovered region (R), next uncovered branch (B)
/src/botan/build/include/public/botan/ec_scalar.h
Line
Count
Source
1
/*
2
* (C) 2024 Jack Lloyd
3
*
4
* Botan is released under the Simplified BSD License (see license.txt)
5
*/
6
7
#ifndef BOTAN_EC_SCALAR_H_
8
#define BOTAN_EC_SCALAR_H_
9
10
#include <botan/concepts.h>
11
#include <botan/types.h>
12
#include <memory>
13
#include <optional>
14
#include <span>
15
#include <vector>
16
17
namespace Botan {
18
19
class BigInt;
20
class RandomNumberGenerator;
21
class EC_Group;
22
class EC_Group_Data;
23
class EC_Scalar_Data;
24
25
/**
26
* Represents an integer modulo the prime group order of an elliptic curve
27
*/
28
class BOTAN_PUBLIC_API(3, 6) EC_Scalar final {
29
   public:
30
      /**
31
      * Deserialize a scalar
32
      *
33
      * The span must be exactly bytes() long; this function does not accept
34
      * either short inputs (eg [1] to encode the integer 1) or inputs with
35
      * excess leading zero bytes.
36
      *
37
      * Returns nullopt if the length is incorrect or if the integer is not
38
      * within the range [0,n) where n is the group order.
39
      */
40
      static std::optional<EC_Scalar> deserialize(const EC_Group& group, std::span<const uint8_t> bytes);
41
42
      /**
43
      * Convert a bytestring to an EC_Scalar
44
      *
45
      * This uses the truncation rules from ECDSA
46
      */
47
      static EC_Scalar from_bytes_with_trunc(const EC_Group& group, std::span<const uint8_t> bytes);
48
49
      /**
50
      * Convert a bytestring to an EC_Scalar
51
      *
52
      * This reduces the bytes modulo the group order. The input can be at most
53
      * 2*bytes() long
54
      */
55
      static EC_Scalar from_bytes_mod_order(const EC_Group& group, std::span<const uint8_t> bytes);
56
57
      /**
58
      * Hash to scalar following RFC 9380
59
      *
60
      * This requires XMD. Unlike hash2curve, any group is supported
61
      */
62
      static EC_Scalar hash(const EC_Group& group,
63
                            std::string_view hash_fn,
64
                            std::span<const uint8_t> input,
65
                            std::span<const uint8_t> domain_sep);
66
67
      /**
68
      * Convert a bytestring to an EC_Scalar
69
      *
70
      * This is similar to deserialize but instead of returning nullopt if the input
71
      * is invalid, it will throw an exception.
72
      */
73
      BOTAN_DEPRECATED("Use EC_Scalar::deserialize") EC_Scalar(const EC_Group& group, std::span<const uint8_t> bytes);
74
75
      /**
76
      * Deserialize a pair of scalars
77
      *
78
      * Returns nullopt if the length is not 2*bytes(), or if either scalar is
79
      * out of range or zero
80
      */
81
      static std::optional<std::pair<EC_Scalar, EC_Scalar>> deserialize_pair(const EC_Group& group,
82
                                                                             std::span<const uint8_t> bytes);
83
84
      /**
85
      * Return a new random scalar value
86
      */
87
      static EC_Scalar random(const EC_Group& group, RandomNumberGenerator& rng);
88
89
      /**
90
      * Return the scalar value 1
91
      */
92
      static EC_Scalar one(const EC_Group& group);
93
94
      /**
95
      * Convert from the argument BigInt to a EC_Scalar
96
      *
97
      * Throws an exception if the provided bn is negative or too large
98
      */
99
      static EC_Scalar from_bigint(const EC_Group& group, const BigInt& bn);
100
101
      /**
102
      * Compute the elliptic curve scalar multiplication (g*k) where g is the
103
      * standard base point on the curve. Then extract the x coordinate of
104
      * the resulting point, and reduce it modulo the group order.
105
      */
106
      static EC_Scalar gk_x_mod_order(const EC_Scalar& scalar, RandomNumberGenerator& rng);
107
108
      BOTAN_DEPRECATED("Use version without workspace arg")
109
      static EC_Scalar
110
0
         gk_x_mod_order(const EC_Scalar& scalar, RandomNumberGenerator& rng, std::vector<BigInt>& /*ws*/) {
111
0
         return EC_Scalar::gk_x_mod_order(scalar, rng);
112
0
      }
113
114
      /**
115
      * Return the byte size of this scalar
116
      */
117
      size_t bytes() const;
118
119
      /**
120
      * Write the fixed length serialization to bytes
121
      *
122
      * The provided span must be exactly bytes() long
123
      */
124
      void serialize_to(std::span<uint8_t> bytes) const;
125
126
      /**
127
      * Return the bytes of the encoded scalar in a container
128
      */
129
      template <concepts::resizable_byte_buffer T = std::vector<uint8_t>>
130
      T serialize() const {
131
         T s(this->bytes());
132
         this->serialize_to(s);
133
         return s;
134
      }
135
136
      /**
137
      * Write the fixed length serialization to bytes
138
      *
139
      * The provided span must be exactly 2*bytes() long
140
      */
141
      static void serialize_pair_to(std::span<uint8_t> bytes, const EC_Scalar& r, const EC_Scalar& s);
142
143
      /**
144
      * Return the bytes of the encoded scalar in a container
145
      */
146
      template <concepts::resizable_byte_buffer T = std::vector<uint8_t>>
147
0
      static T serialize_pair(const EC_Scalar& r, const EC_Scalar& s) {
148
0
         T bytes(r.bytes() + s.bytes());
149
0
         serialize_pair_to(bytes, r, s);
150
0
         return bytes;
151
0
      }
152
153
      /**
154
      * Return true if this EC_Scalar is zero
155
      */
156
      bool is_zero() const;
157
158
      /**
159
      * Return true if this EC_Scalar is not zero
160
      */
161
389
      bool is_nonzero() const { return !is_zero(); }
162
163
      /**
164
      * Constant time modular inversion
165
      *
166
      * Return the modular inverse of this EC_Scalar
167
      *
168
      * If *this is zero, then invert() returns zero
169
      */
170
      EC_Scalar invert() const;
171
172
      /**
173
      * Variable time modular inversion
174
      *
175
      * Return the modular inverse of this EC_Scalar
176
      *
177
      * If *this is zero, then invert_vartime() returns zero
178
      */
179
      EC_Scalar invert_vartime() const;
180
181
      /**
182
      * Return the additive inverse of *this
183
      */
184
      EC_Scalar negate() const;
185
186
      /**
187
      * Scalar addition (modulo group order)
188
      */
189
      EC_Scalar add(const EC_Scalar& x) const;
190
191
      /**
192
      * Scalar subtraction (modulo group order)
193
      */
194
      EC_Scalar sub(const EC_Scalar& x) const;
195
196
      /**
197
      * Scalar multiplication (modulo group order)
198
      */
199
      EC_Scalar mul(const EC_Scalar& x) const;
200
201
      /**
202
      * Assign a scalar
203
      */
204
      void assign(const EC_Scalar& x);
205
206
      /**
207
      * Equivalent to assigning a zero value, but also does so in a way that
208
      * attempts to ensure the write always occurs even if a compiler can deduce
209
      * the assignment is otherwise unnecessary.
210
      */
211
      void zeroize();
212
213
      /**
214
      * Set *this to its own square modulo the group order
215
      */
216
      void square_self();
217
218
      /**
219
      * Test for equality
220
      */
221
      bool is_eq(const EC_Scalar& x) const;
222
223
      /**
224
      * Convert *this to a BigInt
225
      */
226
      BigInt to_bigint() const;
227
228
0
      friend EC_Scalar operator+(const EC_Scalar& x, const EC_Scalar& y) { return x.add(y); }
229
230
0
      friend EC_Scalar operator-(const EC_Scalar& x, const EC_Scalar& y) { return x.sub(y); }
231
232
0
      friend EC_Scalar operator*(const EC_Scalar& x, const EC_Scalar& y) { return x.mul(y); }
233
234
0
      friend bool operator==(const EC_Scalar& x, const EC_Scalar& y) { return x.is_eq(y); }
235
236
      EC_Scalar(const EC_Scalar& other);
237
      EC_Scalar(EC_Scalar&& other) noexcept;
238
239
      EC_Scalar& operator=(const EC_Scalar& other);
240
      EC_Scalar& operator=(EC_Scalar&& other) noexcept;
241
242
      ~EC_Scalar();
243
244
509
      const EC_Scalar_Data& _inner() const { return inner(); }
245
246
      static EC_Scalar _from_inner(std::unique_ptr<EC_Scalar_Data> inner);
247
248
   private:
249
      friend class EC_AffinePoint;
250
251
      explicit EC_Scalar(std::unique_ptr<EC_Scalar_Data> scalar);
252
253
1.28k
      const EC_Scalar_Data& inner() const { return *m_scalar; }
254
255
      std::unique_ptr<EC_Scalar_Data> m_scalar;
256
};
257
258
}  // namespace Botan
259
260
#endif