/src/boringssl/crypto/fipsmodule/bn/montgomery_inv.c.inc
Line | Count | Source (jump to first uncovered line) |
1 | | /* Copyright 2016 Brian Smith. |
2 | | * |
3 | | * Permission to use, copy, modify, and/or distribute this software for any |
4 | | * purpose with or without fee is hereby granted, provided that the above |
5 | | * copyright notice and this permission notice appear in all copies. |
6 | | * |
7 | | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
8 | | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
9 | | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
10 | | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
11 | | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
12 | | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
13 | | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
14 | | |
15 | | #include <openssl/bn.h> |
16 | | |
17 | | #include <assert.h> |
18 | | |
19 | | #include "internal.h" |
20 | | #include "../../internal.h" |
21 | | |
22 | | |
23 | | static uint64_t bn_neg_inv_mod_r_u64(uint64_t n); |
24 | | |
25 | | static_assert(BN_MONT_CTX_N0_LIMBS == 1 || BN_MONT_CTX_N0_LIMBS == 2, |
26 | | "BN_MONT_CTX_N0_LIMBS value is invalid"); |
27 | | static_assert(sizeof(BN_ULONG) * BN_MONT_CTX_N0_LIMBS == sizeof(uint64_t), |
28 | | "uint64_t is insufficient precision for n0"); |
29 | | |
30 | | // LG_LITTLE_R is log_2(r). |
31 | 57.4k | #define LG_LITTLE_R (BN_MONT_CTX_N0_LIMBS * BN_BITS2) |
32 | | |
33 | 871 | uint64_t bn_mont_n0(const BIGNUM *n) { |
34 | | // These conditions are checked by the caller, |BN_MONT_CTX_set| or |
35 | | // |BN_MONT_CTX_new_consttime|. |
36 | 871 | assert(!BN_is_zero(n)); |
37 | 871 | assert(!BN_is_negative(n)); |
38 | 871 | assert(BN_is_odd(n)); |
39 | | |
40 | | // r == 2**(BN_MONT_CTX_N0_LIMBS * BN_BITS2) and LG_LITTLE_R == lg(r). This |
41 | | // ensures that we can do integer division by |r| by simply ignoring |
42 | | // |BN_MONT_CTX_N0_LIMBS| limbs. Similarly, we can calculate values modulo |
43 | | // |r| by just looking at the lowest |BN_MONT_CTX_N0_LIMBS| limbs. This is |
44 | | // what makes Montgomery multiplication efficient. |
45 | | // |
46 | | // As shown in Algorithm 1 of "Fast Prime Field Elliptic Curve Cryptography |
47 | | // with 256 Bit Primes" by Shay Gueron and Vlad Krasnov, in the loop of a |
48 | | // multi-limb Montgomery multiplication of |a * b (mod n)|, given the |
49 | | // unreduced product |t == a * b|, we repeatedly calculate: |
50 | | // |
51 | | // t1 := t % r |t1| is |t|'s lowest limb (see previous paragraph). |
52 | | // t2 := t1*n0*n |
53 | | // t3 := t + t2 |
54 | | // t := t3 / r copy all limbs of |t3| except the lowest to |t|. |
55 | | // |
56 | | // In the last step, it would only make sense to ignore the lowest limb of |
57 | | // |t3| if it were zero. The middle steps ensure that this is the case: |
58 | | // |
59 | | // t3 == 0 (mod r) |
60 | | // t + t2 == 0 (mod r) |
61 | | // t + t1*n0*n == 0 (mod r) |
62 | | // t1*n0*n == -t (mod r) |
63 | | // t*n0*n == -t (mod r) |
64 | | // n0*n == -1 (mod r) |
65 | | // n0 == -1/n (mod r) |
66 | | // |
67 | | // Thus, in each iteration of the loop, we multiply by the constant factor |
68 | | // |n0|, the negative inverse of n (mod r). |
69 | | |
70 | | // n_mod_r = n % r. As explained above, this is done by taking the lowest |
71 | | // |BN_MONT_CTX_N0_LIMBS| limbs of |n|. |
72 | 871 | uint64_t n_mod_r = n->d[0]; |
73 | | #if BN_MONT_CTX_N0_LIMBS == 2 |
74 | | if (n->width > 1) { |
75 | | n_mod_r |= (uint64_t)n->d[1] << BN_BITS2; |
76 | | } |
77 | | #endif |
78 | | |
79 | 871 | return bn_neg_inv_mod_r_u64(n_mod_r); |
80 | 871 | } |
81 | | |
82 | | // bn_neg_inv_r_mod_n_u64 calculates the -1/n mod r; i.e. it calculates |v| |
83 | | // such that u*r - v*n == 1. |r| is the constant defined in |bn_mont_n0|. |n| |
84 | | // must be odd. |
85 | | // |
86 | | // This is derived from |xbinGCD| in Henry S. Warren, Jr.'s "Montgomery |
87 | | // Multiplication" (http://www.hackersdelight.org/MontgomeryMultiplication.pdf). |
88 | | // It is very similar to the MODULAR-INVERSE function in Stephen R. Dussé's and |
89 | | // Burton S. Kaliski Jr.'s "A Cryptographic Library for the Motorola DSP56000" |
90 | | // (http://link.springer.com/chapter/10.1007%2F3-540-46877-3_21). |
91 | | // |
92 | | // This is inspired by Joppe W. Bos's "Constant Time Modular Inversion" |
93 | | // (http://www.joppebos.com/files/CTInversion.pdf) so that the inversion is |
94 | | // constant-time with respect to |n|. We assume uint64_t additions, |
95 | | // subtractions, shifts, and bitwise operations are all constant time, which |
96 | | // may be a large leap of faith on 32-bit targets. We avoid division and |
97 | | // multiplication, which tend to be the most problematic in terms of timing |
98 | | // leaks. |
99 | | // |
100 | | // Most GCD implementations return values such that |u*r + v*n == 1|, so the |
101 | | // caller would have to negate the resultant |v| for the purpose of Montgomery |
102 | | // multiplication. This implementation does the negation implicitly by doing |
103 | | // the computations as a difference instead of a sum. |
104 | 871 | static uint64_t bn_neg_inv_mod_r_u64(uint64_t n) { |
105 | 871 | assert(n % 2 == 1); |
106 | | |
107 | | // alpha == 2**(lg r - 1) == r / 2. |
108 | 871 | static const uint64_t alpha = UINT64_C(1) << (LG_LITTLE_R - 1); |
109 | | |
110 | 871 | const uint64_t beta = n; |
111 | | |
112 | 871 | uint64_t u = 1; |
113 | 871 | uint64_t v = 0; |
114 | | |
115 | | // The invariant maintained from here on is: |
116 | | // 2**(lg r - i) == u*2*alpha - v*beta. |
117 | 56.6k | for (size_t i = 0; i < LG_LITTLE_R; ++i) { |
118 | 55.7k | #if BN_BITS2 == 64 && defined(BN_ULLONG) |
119 | 55.7k | assert((BN_ULLONG)(1) << (LG_LITTLE_R - i) == |
120 | 55.7k | ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta)); |
121 | 55.7k | #endif |
122 | | |
123 | | // Delete a common factor of 2 in u and v if |u| is even. Otherwise, set |
124 | | // |u = (u + beta) / 2| and |v = (v / 2) + alpha|. |
125 | | |
126 | 55.7k | uint64_t u_is_odd = UINT64_C(0) - (u & 1); // Either 0xff..ff or 0. |
127 | | |
128 | | // The addition can overflow, so use Dietz's method for it. |
129 | | // |
130 | | // Dietz calculates (x+y)/2 by (x⊕y)>>1 + x&y. This is valid for all |
131 | | // (unsigned) x and y, even when x+y overflows. Evidence for 32-bit values |
132 | | // (embedded in 64 bits to so that overflow can be ignored): |
133 | | // |
134 | | // (declare-fun x () (_ BitVec 64)) |
135 | | // (declare-fun y () (_ BitVec 64)) |
136 | | // (assert (let ( |
137 | | // (one (_ bv1 64)) |
138 | | // (thirtyTwo (_ bv32 64))) |
139 | | // (and |
140 | | // (bvult x (bvshl one thirtyTwo)) |
141 | | // (bvult y (bvshl one thirtyTwo)) |
142 | | // (not (= |
143 | | // (bvadd (bvlshr (bvxor x y) one) (bvand x y)) |
144 | | // (bvlshr (bvadd x y) one))) |
145 | | // ))) |
146 | | // (check-sat) |
147 | 55.7k | uint64_t beta_if_u_is_odd = beta & u_is_odd; // Either |beta| or 0. |
148 | 55.7k | u = ((u ^ beta_if_u_is_odd) >> 1) + (u & beta_if_u_is_odd); |
149 | | |
150 | 55.7k | uint64_t alpha_if_u_is_odd = alpha & u_is_odd; // Either |alpha| or 0. |
151 | 55.7k | v = (v >> 1) + alpha_if_u_is_odd; |
152 | 55.7k | } |
153 | | |
154 | | // The invariant now shows that u*r - v*n == 1 since r == 2 * alpha. |
155 | 871 | #if BN_BITS2 == 64 && defined(BN_ULLONG) |
156 | 871 | declassify_assert(1 == ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta)); |
157 | 871 | #endif |
158 | | |
159 | 871 | return v; |
160 | 871 | } |
161 | | |
162 | 798 | int bn_mont_ctx_set_RR_consttime(BN_MONT_CTX *mont, BN_CTX *ctx) { |
163 | 798 | assert(!BN_is_zero(&mont->N)); |
164 | 798 | assert(!BN_is_negative(&mont->N)); |
165 | 798 | assert(BN_is_odd(&mont->N)); |
166 | 798 | assert(bn_minimal_width(&mont->N) == mont->N.width); |
167 | | |
168 | 798 | unsigned n_bits = BN_num_bits(&mont->N); |
169 | 798 | assert(n_bits != 0); |
170 | 798 | if (n_bits == 1) { |
171 | 0 | BN_zero(&mont->RR); |
172 | 0 | return bn_resize_words(&mont->RR, mont->N.width); |
173 | 0 | } |
174 | | |
175 | 798 | unsigned lgBigR = mont->N.width * BN_BITS2; |
176 | 798 | assert(lgBigR >= n_bits); |
177 | | |
178 | | // RR is R, or 2^lgBigR, in the Montgomery domain. We can compute 2 in the |
179 | | // Montgomery domain, 2R or 2^(lgBigR+1), and then use Montgomery |
180 | | // square-and-multiply to exponentiate. |
181 | | // |
182 | | // The square steps take 2^n R to (2^n)*(2^n) R = 2^2n R. This is the same as |
183 | | // doubling 2^n R, n times (doubling any x, n times, computes 2^n * x). When n |
184 | | // is below some threshold, doubling is faster; when above, squaring is |
185 | | // faster. From benchmarking various 32-bit and 64-bit architectures, the word |
186 | | // count seems to work well as a threshold. (Doubling scales linearly and |
187 | | // Montgomery reduction scales quadratically, so the threshold should scale |
188 | | // roughly linearly.) |
189 | | // |
190 | | // The multiply steps take 2^n R to 2*2^n R = 2^(n+1) R. It is faster to |
191 | | // double the value instead, so the square-and-multiply exponentiation would |
192 | | // become square-and-double. However, when using the word count as the |
193 | | // threshold, it turns out that no multiply/double steps will be needed at |
194 | | // all, because squaring any x, i times, computes x^(2^i): |
195 | | // |
196 | | // (2^threshold)^(2^BN_BITS2_LG) R |
197 | | // (2^mont->N.width)^BN_BITS2 R |
198 | | // = 2^(mont->N.width*BN_BITS2) R |
199 | | // = 2^lgBigR R |
200 | | // = RR |
201 | 798 | int threshold = mont->N.width; |
202 | | |
203 | | // Calculate 2^threshold R = 2^(threshold + lgBigR) by doubling. The |
204 | | // first n_bits - 1 doubles can be skipped because we don't need to reduce. |
205 | 798 | if (!BN_set_bit(&mont->RR, n_bits - 1) || |
206 | 798 | !bn_mod_lshift_consttime(&mont->RR, &mont->RR, |
207 | 798 | threshold + (lgBigR - (n_bits - 1)), |
208 | 798 | &mont->N, ctx)) { |
209 | 0 | return 0; |
210 | 0 | } |
211 | | |
212 | | // The above steps are the same regardless of the threshold. The steps below |
213 | | // need to be modified if the threshold changes. |
214 | 798 | assert(threshold == mont->N.width); |
215 | 5.58k | for (unsigned i = 0; i < BN_BITS2_LG; i++) { |
216 | 4.78k | if (!BN_mod_mul_montgomery(&mont->RR, &mont->RR, &mont->RR, mont, ctx)) { |
217 | 0 | return 0; |
218 | 0 | } |
219 | 4.78k | } |
220 | | |
221 | 798 | return bn_resize_words(&mont->RR, mont->N.width); |
222 | 798 | } |