/src/botan/build/include/public/botan/ec_scalar.h
Line | Count | Source |
1 | | /* |
2 | | * (C) 2024 Jack Lloyd |
3 | | * |
4 | | * Botan is released under the Simplified BSD License (see license.txt) |
5 | | */ |
6 | | |
7 | | #ifndef BOTAN_EC_SCALAR_H_ |
8 | | #define BOTAN_EC_SCALAR_H_ |
9 | | |
10 | | #include <botan/concepts.h> |
11 | | #include <botan/types.h> |
12 | | #include <memory> |
13 | | #include <optional> |
14 | | #include <span> |
15 | | #include <vector> |
16 | | |
17 | | namespace Botan { |
18 | | |
19 | | class BigInt; |
20 | | class RandomNumberGenerator; |
21 | | class EC_Group; |
22 | | class EC_Group_Data; |
23 | | class EC_Scalar_Data; |
24 | | |
25 | | /** |
26 | | * Represents an integer modulo the prime group order of an elliptic curve |
27 | | */ |
28 | | class BOTAN_PUBLIC_API(3, 6) EC_Scalar final { |
29 | | public: |
30 | | /** |
31 | | * Deserialize a scalar |
32 | | * |
33 | | * The span must be exactly bytes() long; this function does not accept |
34 | | * either short inputs (eg [1] to encode the integer 1) or inputs with |
35 | | * excess leading zero bytes. |
36 | | * |
37 | | * Returns nullopt if the length is incorrect or if the integer is not |
38 | | * within the range [0,n) where n is the group order. |
39 | | */ |
40 | | static std::optional<EC_Scalar> deserialize(const EC_Group& group, std::span<const uint8_t> bytes); |
41 | | |
42 | | /** |
43 | | * Convert a bytestring to an EC_Scalar |
44 | | * |
45 | | * This uses the truncation rules from ECDSA |
46 | | */ |
47 | | static EC_Scalar from_bytes_with_trunc(const EC_Group& group, std::span<const uint8_t> bytes); |
48 | | |
49 | | /** |
50 | | * Convert a bytestring to an EC_Scalar |
51 | | * |
52 | | * This reduces the bytes modulo the group order. The input can be at most |
53 | | * 2*bytes() long |
54 | | */ |
55 | | static EC_Scalar from_bytes_mod_order(const EC_Group& group, std::span<const uint8_t> bytes); |
56 | | |
57 | | /** |
58 | | * Hash to scalar following RFC 9380 |
59 | | * |
60 | | * This requires XMD. Unlike hash2curve, any group is supported |
61 | | */ |
62 | | static EC_Scalar hash(const EC_Group& group, |
63 | | std::string_view hash_fn, |
64 | | std::span<const uint8_t> input, |
65 | | std::span<const uint8_t> domain_sep); |
66 | | |
67 | | /** |
68 | | * Convert a bytestring to an EC_Scalar |
69 | | * |
70 | | * This is similar to deserialize but instead of returning nullopt if the input |
71 | | * is invalid, it will throw an exception. |
72 | | */ |
73 | | BOTAN_DEPRECATED("Use EC_Scalar::deserialize") EC_Scalar(const EC_Group& group, std::span<const uint8_t> bytes); |
74 | | |
75 | | /** |
76 | | * Deserialize a pair of scalars |
77 | | * |
78 | | * Returns nullopt if the length is not 2*bytes(), or if either scalar is |
79 | | * out of range or zero |
80 | | */ |
81 | | static std::optional<std::pair<EC_Scalar, EC_Scalar>> deserialize_pair(const EC_Group& group, |
82 | | std::span<const uint8_t> bytes); |
83 | | |
84 | | /** |
85 | | * Return a new random scalar value |
86 | | */ |
87 | | static EC_Scalar random(const EC_Group& group, RandomNumberGenerator& rng); |
88 | | |
89 | | /** |
90 | | * Return the scalar value 1 |
91 | | */ |
92 | | static EC_Scalar one(const EC_Group& group); |
93 | | |
94 | | /** |
95 | | * Convert from the argument BigInt to a EC_Scalar |
96 | | * |
97 | | * Throws an exception if the provided bn is negative or too large |
98 | | */ |
99 | | static EC_Scalar from_bigint(const EC_Group& group, const BigInt& bn); |
100 | | |
101 | | /** |
102 | | * Compute the elliptic curve scalar multiplication (g*k) where g is the |
103 | | * standard base point on the curve. Then extract the x coordinate of |
104 | | * the resulting point, and reduce it modulo the group order. |
105 | | */ |
106 | | static EC_Scalar gk_x_mod_order(const EC_Scalar& scalar, RandomNumberGenerator& rng); |
107 | | |
108 | | BOTAN_DEPRECATED("Use version without workspace arg") |
109 | | static EC_Scalar |
110 | 0 | gk_x_mod_order(const EC_Scalar& scalar, RandomNumberGenerator& rng, std::vector<BigInt>& /*ws*/) { |
111 | 0 | return EC_Scalar::gk_x_mod_order(scalar, rng); |
112 | 0 | } |
113 | | |
114 | | /** |
115 | | * Return the byte size of this scalar |
116 | | */ |
117 | | size_t bytes() const; |
118 | | |
119 | | /** |
120 | | * Write the fixed length serialization to bytes |
121 | | * |
122 | | * The provided span must be exactly bytes() long |
123 | | */ |
124 | | void serialize_to(std::span<uint8_t> bytes) const; |
125 | | |
126 | | /** |
127 | | * Return the bytes of the encoded scalar in a container |
128 | | */ |
129 | | template <concepts::resizable_byte_buffer T = std::vector<uint8_t>> |
130 | | T serialize() const { |
131 | | T s(this->bytes()); |
132 | | this->serialize_to(s); |
133 | | return s; |
134 | | } |
135 | | |
136 | | /** |
137 | | * Write the fixed length serialization to bytes |
138 | | * |
139 | | * The provided span must be exactly 2*bytes() long |
140 | | */ |
141 | | static void serialize_pair_to(std::span<uint8_t> bytes, const EC_Scalar& r, const EC_Scalar& s); |
142 | | |
143 | | /** |
144 | | * Return the bytes of the encoded scalar in a container |
145 | | */ |
146 | | template <concepts::resizable_byte_buffer T = std::vector<uint8_t>> |
147 | 0 | static T serialize_pair(const EC_Scalar& r, const EC_Scalar& s) { |
148 | 0 | T bytes(r.bytes() + s.bytes()); |
149 | 0 | serialize_pair_to(bytes, r, s); |
150 | 0 | return bytes; |
151 | 0 | } |
152 | | |
153 | | /** |
154 | | * Return true if this EC_Scalar is zero |
155 | | */ |
156 | | bool is_zero() const; |
157 | | |
158 | | /** |
159 | | * Return true if this EC_Scalar is not zero |
160 | | */ |
161 | 389 | bool is_nonzero() const { return !is_zero(); } |
162 | | |
163 | | /** |
164 | | * Constant time modular inversion |
165 | | * |
166 | | * Return the modular inverse of this EC_Scalar |
167 | | * |
168 | | * If *this is zero, then invert() returns zero |
169 | | */ |
170 | | EC_Scalar invert() const; |
171 | | |
172 | | /** |
173 | | * Variable time modular inversion |
174 | | * |
175 | | * Return the modular inverse of this EC_Scalar |
176 | | * |
177 | | * If *this is zero, then invert_vartime() returns zero |
178 | | */ |
179 | | EC_Scalar invert_vartime() const; |
180 | | |
181 | | /** |
182 | | * Return the additive inverse of *this |
183 | | */ |
184 | | EC_Scalar negate() const; |
185 | | |
186 | | /** |
187 | | * Scalar addition (modulo group order) |
188 | | */ |
189 | | EC_Scalar add(const EC_Scalar& x) const; |
190 | | |
191 | | /** |
192 | | * Scalar subtraction (modulo group order) |
193 | | */ |
194 | | EC_Scalar sub(const EC_Scalar& x) const; |
195 | | |
196 | | /** |
197 | | * Scalar multiplication (modulo group order) |
198 | | */ |
199 | | EC_Scalar mul(const EC_Scalar& x) const; |
200 | | |
201 | | /** |
202 | | * Assign a scalar |
203 | | */ |
204 | | void assign(const EC_Scalar& x); |
205 | | |
206 | | /** |
207 | | * Equivalent to assigning a zero value, but also does so in a way that |
208 | | * attempts to ensure the write always occurs even if a compiler can deduce |
209 | | * the assignment is otherwise unnecessary. |
210 | | */ |
211 | | void zeroize(); |
212 | | |
213 | | /** |
214 | | * Set *this to its own square modulo the group order |
215 | | */ |
216 | | void square_self(); |
217 | | |
218 | | /** |
219 | | * Test for equality |
220 | | */ |
221 | | bool is_eq(const EC_Scalar& x) const; |
222 | | |
223 | | /** |
224 | | * Convert *this to a BigInt |
225 | | */ |
226 | | BigInt to_bigint() const; |
227 | | |
228 | 0 | friend EC_Scalar operator+(const EC_Scalar& x, const EC_Scalar& y) { return x.add(y); } |
229 | | |
230 | 0 | friend EC_Scalar operator-(const EC_Scalar& x, const EC_Scalar& y) { return x.sub(y); } |
231 | | |
232 | 0 | friend EC_Scalar operator*(const EC_Scalar& x, const EC_Scalar& y) { return x.mul(y); } |
233 | | |
234 | 0 | friend bool operator==(const EC_Scalar& x, const EC_Scalar& y) { return x.is_eq(y); } |
235 | | |
236 | | EC_Scalar(const EC_Scalar& other); |
237 | | EC_Scalar(EC_Scalar&& other) noexcept; |
238 | | |
239 | | EC_Scalar& operator=(const EC_Scalar& other); |
240 | | EC_Scalar& operator=(EC_Scalar&& other) noexcept; |
241 | | |
242 | | ~EC_Scalar(); |
243 | | |
244 | 509 | const EC_Scalar_Data& _inner() const { return inner(); } |
245 | | |
246 | | static EC_Scalar _from_inner(std::unique_ptr<EC_Scalar_Data> inner); |
247 | | |
248 | | private: |
249 | | friend class EC_AffinePoint; |
250 | | |
251 | | explicit EC_Scalar(std::unique_ptr<EC_Scalar_Data> scalar); |
252 | | |
253 | 1.28k | const EC_Scalar_Data& inner() const { return *m_scalar; } |
254 | | |
255 | | std::unique_ptr<EC_Scalar_Data> m_scalar; |
256 | | }; |
257 | | |
258 | | } // namespace Botan |
259 | | |
260 | | #endif |