Coverage Report

Created: 2024-11-21 07:03

/src/boringssl/crypto/fipsmodule/bn/montgomery_inv.c.inc
Line
Count
Source (jump to first uncovered line)
1
/* Copyright 2016 Brian Smith.
2
 *
3
 * Permission to use, copy, modify, and/or distribute this software for any
4
 * purpose with or without fee is hereby granted, provided that the above
5
 * copyright notice and this permission notice appear in all copies.
6
 *
7
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10
 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15
#include <openssl/bn.h>
16
17
#include <assert.h>
18
19
#include "internal.h"
20
#include "../../internal.h"
21
22
23
static uint64_t bn_neg_inv_mod_r_u64(uint64_t n);
24
25
static_assert(BN_MONT_CTX_N0_LIMBS == 1 || BN_MONT_CTX_N0_LIMBS == 2,
26
              "BN_MONT_CTX_N0_LIMBS value is invalid");
27
static_assert(sizeof(BN_ULONG) * BN_MONT_CTX_N0_LIMBS == sizeof(uint64_t),
28
              "uint64_t is insufficient precision for n0");
29
30
// LG_LITTLE_R is log_2(r).
31
57.4k
#define LG_LITTLE_R (BN_MONT_CTX_N0_LIMBS * BN_BITS2)
32
33
871
uint64_t bn_mont_n0(const BIGNUM *n) {
34
  // These conditions are checked by the caller, |BN_MONT_CTX_set| or
35
  // |BN_MONT_CTX_new_consttime|.
36
871
  assert(!BN_is_zero(n));
37
871
  assert(!BN_is_negative(n));
38
871
  assert(BN_is_odd(n));
39
40
  // r == 2**(BN_MONT_CTX_N0_LIMBS * BN_BITS2) and LG_LITTLE_R == lg(r). This
41
  // ensures that we can do integer division by |r| by simply ignoring
42
  // |BN_MONT_CTX_N0_LIMBS| limbs. Similarly, we can calculate values modulo
43
  // |r| by just looking at the lowest |BN_MONT_CTX_N0_LIMBS| limbs. This is
44
  // what makes Montgomery multiplication efficient.
45
  //
46
  // As shown in Algorithm 1 of "Fast Prime Field Elliptic Curve Cryptography
47
  // with 256 Bit Primes" by Shay Gueron and Vlad Krasnov, in the loop of a
48
  // multi-limb Montgomery multiplication of |a * b (mod n)|, given the
49
  // unreduced product |t == a * b|, we repeatedly calculate:
50
  //
51
  //    t1 := t % r         |t1| is |t|'s lowest limb (see previous paragraph).
52
  //    t2 := t1*n0*n
53
  //    t3 := t + t2
54
  //    t := t3 / r         copy all limbs of |t3| except the lowest to |t|.
55
  //
56
  // In the last step, it would only make sense to ignore the lowest limb of
57
  // |t3| if it were zero. The middle steps ensure that this is the case:
58
  //
59
  //                            t3 ==  0 (mod r)
60
  //                        t + t2 ==  0 (mod r)
61
  //                   t + t1*n0*n ==  0 (mod r)
62
  //                       t1*n0*n == -t (mod r)
63
  //                        t*n0*n == -t (mod r)
64
  //                          n0*n == -1 (mod r)
65
  //                            n0 == -1/n (mod r)
66
  //
67
  // Thus, in each iteration of the loop, we multiply by the constant factor
68
  // |n0|, the negative inverse of n (mod r).
69
70
  // n_mod_r = n % r. As explained above, this is done by taking the lowest
71
  // |BN_MONT_CTX_N0_LIMBS| limbs of |n|.
72
871
  uint64_t n_mod_r = n->d[0];
73
#if BN_MONT_CTX_N0_LIMBS == 2
74
  if (n->width > 1) {
75
    n_mod_r |= (uint64_t)n->d[1] << BN_BITS2;
76
  }
77
#endif
78
79
871
  return bn_neg_inv_mod_r_u64(n_mod_r);
80
871
}
81
82
// bn_neg_inv_r_mod_n_u64 calculates the -1/n mod r; i.e. it calculates |v|
83
// such that u*r - v*n == 1. |r| is the constant defined in |bn_mont_n0|. |n|
84
// must be odd.
85
//
86
// This is derived from |xbinGCD| in Henry S. Warren, Jr.'s "Montgomery
87
// Multiplication" (http://www.hackersdelight.org/MontgomeryMultiplication.pdf).
88
// It is very similar to the MODULAR-INVERSE function in Stephen R. Dussé's and
89
// Burton S. Kaliski Jr.'s "A Cryptographic Library for the Motorola DSP56000"
90
// (http://link.springer.com/chapter/10.1007%2F3-540-46877-3_21).
91
//
92
// This is inspired by Joppe W. Bos's "Constant Time Modular Inversion"
93
// (http://www.joppebos.com/files/CTInversion.pdf) so that the inversion is
94
// constant-time with respect to |n|. We assume uint64_t additions,
95
// subtractions, shifts, and bitwise operations are all constant time, which
96
// may be a large leap of faith on 32-bit targets. We avoid division and
97
// multiplication, which tend to be the most problematic in terms of timing
98
// leaks.
99
//
100
// Most GCD implementations return values such that |u*r + v*n == 1|, so the
101
// caller would have to negate the resultant |v| for the purpose of Montgomery
102
// multiplication. This implementation does the negation implicitly by doing
103
// the computations as a difference instead of a sum.
104
871
static uint64_t bn_neg_inv_mod_r_u64(uint64_t n) {
105
871
  assert(n % 2 == 1);
106
107
  // alpha == 2**(lg r - 1) == r / 2.
108
871
  static const uint64_t alpha = UINT64_C(1) << (LG_LITTLE_R - 1);
109
110
871
  const uint64_t beta = n;
111
112
871
  uint64_t u = 1;
113
871
  uint64_t v = 0;
114
115
  // The invariant maintained from here on is:
116
  // 2**(lg r - i) == u*2*alpha - v*beta.
117
56.6k
  for (size_t i = 0; i < LG_LITTLE_R; ++i) {
118
55.7k
#if BN_BITS2 == 64 && defined(BN_ULLONG)
119
55.7k
    assert((BN_ULLONG)(1) << (LG_LITTLE_R - i) ==
120
55.7k
           ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));
121
55.7k
#endif
122
123
    // Delete a common factor of 2 in u and v if |u| is even. Otherwise, set
124
    // |u = (u + beta) / 2| and |v = (v / 2) + alpha|.
125
126
55.7k
    uint64_t u_is_odd = UINT64_C(0) - (u & 1);  // Either 0xff..ff or 0.
127
128
    // The addition can overflow, so use Dietz's method for it.
129
    //
130
    // Dietz calculates (x+y)/2 by (x⊕y)>>1 + x&y. This is valid for all
131
    // (unsigned) x and y, even when x+y overflows. Evidence for 32-bit values
132
    // (embedded in 64 bits to so that overflow can be ignored):
133
    //
134
    // (declare-fun x () (_ BitVec 64))
135
    // (declare-fun y () (_ BitVec 64))
136
    // (assert (let (
137
    //    (one (_ bv1 64))
138
    //    (thirtyTwo (_ bv32 64)))
139
    //    (and
140
    //      (bvult x (bvshl one thirtyTwo))
141
    //      (bvult y (bvshl one thirtyTwo))
142
    //      (not (=
143
    //        (bvadd (bvlshr (bvxor x y) one) (bvand x y))
144
    //        (bvlshr (bvadd x y) one)))
145
    // )))
146
    // (check-sat)
147
55.7k
    uint64_t beta_if_u_is_odd = beta & u_is_odd;  // Either |beta| or 0.
148
55.7k
    u = ((u ^ beta_if_u_is_odd) >> 1) + (u & beta_if_u_is_odd);
149
150
55.7k
    uint64_t alpha_if_u_is_odd = alpha & u_is_odd;  // Either |alpha| or 0.
151
55.7k
    v = (v >> 1) + alpha_if_u_is_odd;
152
55.7k
  }
153
154
  // The invariant now shows that u*r - v*n == 1 since r == 2 * alpha.
155
871
#if BN_BITS2 == 64 && defined(BN_ULLONG)
156
871
  declassify_assert(1 == ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));
157
871
#endif
158
159
871
  return v;
160
871
}
161
162
798
int bn_mont_ctx_set_RR_consttime(BN_MONT_CTX *mont, BN_CTX *ctx) {
163
798
  assert(!BN_is_zero(&mont->N));
164
798
  assert(!BN_is_negative(&mont->N));
165
798
  assert(BN_is_odd(&mont->N));
166
798
  assert(bn_minimal_width(&mont->N) == mont->N.width);
167
168
798
  unsigned n_bits = BN_num_bits(&mont->N);
169
798
  assert(n_bits != 0);
170
798
  if (n_bits == 1) {
171
0
    BN_zero(&mont->RR);
172
0
    return bn_resize_words(&mont->RR, mont->N.width);
173
0
  }
174
175
798
  unsigned lgBigR = mont->N.width * BN_BITS2;
176
798
  assert(lgBigR >= n_bits);
177
178
  // RR is R, or 2^lgBigR, in the Montgomery domain. We can compute 2 in the
179
  // Montgomery domain, 2R or 2^(lgBigR+1), and then use Montgomery
180
  // square-and-multiply to exponentiate.
181
  //
182
  // The square steps take 2^n R to (2^n)*(2^n) R = 2^2n R. This is the same as
183
  // doubling 2^n R, n times (doubling any x, n times, computes 2^n * x). When n
184
  // is below some threshold, doubling is faster; when above, squaring is
185
  // faster. From benchmarking various 32-bit and 64-bit architectures, the word
186
  // count seems to work well as a threshold. (Doubling scales linearly and
187
  // Montgomery reduction scales quadratically, so the threshold should scale
188
  // roughly linearly.)
189
  //
190
  // The multiply steps take 2^n R to 2*2^n R = 2^(n+1) R. It is faster to
191
  // double the value instead, so the square-and-multiply exponentiation would
192
  // become square-and-double. However, when using the word count as the
193
  // threshold, it turns out that no multiply/double steps will be needed at
194
  // all, because squaring any x, i times, computes x^(2^i):
195
  //
196
  //   (2^threshold)^(2^BN_BITS2_LG) R
197
  //   (2^mont->N.width)^BN_BITS2 R
198
  // = 2^(mont->N.width*BN_BITS2) R
199
  // = 2^lgBigR R
200
  // = RR
201
798
  int threshold = mont->N.width;
202
203
  // Calculate 2^threshold R = 2^(threshold + lgBigR) by doubling. The
204
  // first n_bits - 1 doubles can be skipped because we don't need to reduce.
205
798
  if (!BN_set_bit(&mont->RR, n_bits - 1) ||
206
798
      !bn_mod_lshift_consttime(&mont->RR, &mont->RR,
207
798
                               threshold + (lgBigR - (n_bits - 1)),
208
798
                               &mont->N, ctx)) {
209
0
    return 0;
210
0
  }
211
212
  // The above steps are the same regardless of the threshold. The steps below
213
  // need to be modified if the threshold changes.
214
798
  assert(threshold == mont->N.width);
215
5.58k
  for (unsigned i = 0; i < BN_BITS2_LG; i++) {
216
4.78k
    if (!BN_mod_mul_montgomery(&mont->RR, &mont->RR, &mont->RR, mont, ctx)) {
217
0
      return 0;
218
0
    }
219
4.78k
  }
220
221
798
  return bn_resize_words(&mont->RR, mont->N.width);
222
798
}