/src/botan/src/lib/math/numbertheory/monty.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * (C) 2018 Jack Lloyd |
3 | | * |
4 | | * Botan is released under the Simplified BSD License (see license.txt) |
5 | | */ |
6 | | |
7 | | #include <botan/internal/monty.h> |
8 | | |
9 | | #include <botan/reducer.h> |
10 | | #include <botan/internal/mp_core.h> |
11 | | |
12 | | #include <utility> |
13 | | |
14 | | namespace Botan { |
15 | | |
16 | 4.39k | Montgomery_Params::Montgomery_Params(const BigInt& p, const Modular_Reducer& mod_p) { |
17 | 4.39k | if(p.is_even() || p < 3) { |
18 | 0 | throw Invalid_Argument("Montgomery_Params invalid modulus"); |
19 | 0 | } |
20 | | |
21 | 4.39k | m_p = p; |
22 | 4.39k | m_p_words = m_p.sig_words(); |
23 | 4.39k | m_p_dash = monty_inverse(m_p.word_at(0)); |
24 | | |
25 | 4.39k | const BigInt r = BigInt::power_of_2(m_p_words * BOTAN_MP_WORD_BITS); |
26 | | |
27 | 4.39k | m_r1 = mod_p.reduce(r); |
28 | 4.39k | m_r2 = mod_p.square(m_r1); |
29 | 4.39k | m_r3 = mod_p.multiply(m_r1, m_r2); |
30 | 4.39k | } |
31 | | |
32 | 0 | Montgomery_Params::Montgomery_Params(const BigInt& p) { |
33 | 0 | if(p.is_even() || p < 3) { |
34 | 0 | throw Invalid_Argument("Montgomery_Params invalid modulus"); |
35 | 0 | } |
36 | | |
37 | 0 | m_p = p; |
38 | 0 | m_p_words = m_p.sig_words(); |
39 | 0 | m_p_dash = monty_inverse(m_p.word_at(0)); |
40 | |
|
41 | 0 | const BigInt r = BigInt::power_of_2(m_p_words * BOTAN_MP_WORD_BITS); |
42 | | |
43 | | // It might be faster to use ct_modulo here vs setting up Barrett reduction? |
44 | 0 | Modular_Reducer mod_p(p); |
45 | |
|
46 | 0 | m_r1 = mod_p.reduce(r); |
47 | 0 | m_r2 = mod_p.square(m_r1); |
48 | 0 | m_r3 = mod_p.multiply(m_r1, m_r2); |
49 | 0 | } |
50 | | |
51 | 0 | BigInt Montgomery_Params::inv_mod_p(const BigInt& x) const { |
52 | | // TODO use Montgomery inverse here? |
53 | 0 | return inverse_mod(x, p()); |
54 | 0 | } |
55 | | |
56 | 17.3k | BigInt Montgomery_Params::redc(const BigInt& x, secure_vector<word>& ws) const { |
57 | 17.3k | const size_t output_size = m_p_words + 1; |
58 | | |
59 | 17.3k | if(ws.size() < output_size) { |
60 | 17.3k | ws.resize(output_size); |
61 | 17.3k | } |
62 | | |
63 | 17.3k | BigInt z = x; |
64 | 17.3k | z.grow_to(2 * m_p_words); |
65 | | |
66 | 17.3k | bigint_monty_redc(z.mutable_data(), m_p._data(), m_p_words, m_p_dash, ws.data(), ws.size()); |
67 | | |
68 | 17.3k | return z; |
69 | 17.3k | } |
70 | | |
71 | 260k | BigInt Montgomery_Params::mul(const BigInt& x, const BigInt& y, secure_vector<word>& ws) const { |
72 | 260k | const size_t output_size = 2 * m_p_words + 2; |
73 | | |
74 | 260k | if(ws.size() < output_size) { |
75 | 260k | ws.resize(output_size); |
76 | 260k | } |
77 | | |
78 | 260k | BOTAN_DEBUG_ASSERT(x.sig_words() <= m_p_words); |
79 | 260k | BOTAN_DEBUG_ASSERT(y.sig_words() <= m_p_words); |
80 | | |
81 | 260k | BigInt z = BigInt::with_capacity(output_size); |
82 | 260k | bigint_mul(z.mutable_data(), |
83 | 260k | z.size(), |
84 | 260k | x._data(), |
85 | 260k | x.size(), |
86 | 260k | std::min(m_p_words, x.size()), |
87 | 260k | y._data(), |
88 | 260k | y.size(), |
89 | 260k | std::min(m_p_words, y.size()), |
90 | 260k | ws.data(), |
91 | 260k | ws.size()); |
92 | | |
93 | 260k | bigint_monty_redc(z.mutable_data(), m_p._data(), m_p_words, m_p_dash, ws.data(), ws.size()); |
94 | | |
95 | 260k | return z; |
96 | 260k | } |
97 | | |
98 | 0 | BigInt Montgomery_Params::mul(const BigInt& x, const secure_vector<word>& y, secure_vector<word>& ws) const { |
99 | 0 | const size_t output_size = 2 * m_p_words + 2; |
100 | 0 | if(ws.size() < output_size) { |
101 | 0 | ws.resize(output_size); |
102 | 0 | } |
103 | 0 | BigInt z = BigInt::with_capacity(output_size); |
104 | |
|
105 | 0 | BOTAN_DEBUG_ASSERT(x.sig_words() <= m_p_words); |
106 | |
|
107 | 0 | bigint_mul(z.mutable_data(), |
108 | 0 | z.size(), |
109 | 0 | x._data(), |
110 | 0 | x.size(), |
111 | 0 | std::min(m_p_words, x.size()), |
112 | 0 | y.data(), |
113 | 0 | y.size(), |
114 | 0 | std::min(m_p_words, y.size()), |
115 | 0 | ws.data(), |
116 | 0 | ws.size()); |
117 | |
|
118 | 0 | bigint_monty_redc(z.mutable_data(), m_p._data(), m_p_words, m_p_dash, ws.data(), ws.size()); |
119 | |
|
120 | 0 | return z; |
121 | 0 | } |
122 | | |
123 | 1.06M | void Montgomery_Params::mul_by(BigInt& x, const secure_vector<word>& y, secure_vector<word>& ws) const { |
124 | 1.06M | const size_t output_size = 2 * m_p_words; |
125 | | |
126 | 1.06M | if(ws.size() < 2 * output_size) { |
127 | 0 | ws.resize(2 * output_size); |
128 | 0 | } |
129 | | |
130 | 1.06M | word* z_data = &ws[0]; |
131 | 1.06M | word* ws_data = &ws[output_size]; |
132 | | |
133 | 1.06M | BOTAN_DEBUG_ASSERT(x.sig_words() <= m_p_words); |
134 | | |
135 | 1.06M | bigint_mul(z_data, |
136 | 1.06M | output_size, |
137 | 1.06M | x._data(), |
138 | 1.06M | x.size(), |
139 | 1.06M | std::min(m_p_words, x.size()), |
140 | 1.06M | y.data(), |
141 | 1.06M | y.size(), |
142 | 1.06M | std::min(m_p_words, y.size()), |
143 | 1.06M | ws_data, |
144 | 1.06M | output_size); |
145 | | |
146 | 1.06M | bigint_monty_redc(z_data, m_p._data(), m_p_words, m_p_dash, ws_data, output_size); |
147 | | |
148 | 1.06M | if(x.size() < output_size) { |
149 | 0 | x.grow_to(output_size); |
150 | 0 | } |
151 | 1.06M | copy_mem(x.mutable_data(), z_data, output_size); |
152 | 1.06M | } |
153 | | |
154 | 0 | void Montgomery_Params::mul_by(BigInt& x, const BigInt& y, secure_vector<word>& ws) const { |
155 | 0 | const size_t output_size = 2 * m_p_words; |
156 | |
|
157 | 0 | if(ws.size() < 2 * output_size) { |
158 | 0 | ws.resize(2 * output_size); |
159 | 0 | } |
160 | |
|
161 | 0 | word* z_data = &ws[0]; |
162 | 0 | word* ws_data = &ws[output_size]; |
163 | |
|
164 | 0 | BOTAN_DEBUG_ASSERT(x.sig_words() <= m_p_words); |
165 | |
|
166 | 0 | bigint_mul(z_data, |
167 | 0 | output_size, |
168 | 0 | x._data(), |
169 | 0 | x.size(), |
170 | 0 | std::min(m_p_words, x.size()), |
171 | 0 | y._data(), |
172 | 0 | y.size(), |
173 | 0 | std::min(m_p_words, y.size()), |
174 | 0 | ws_data, |
175 | 0 | output_size); |
176 | |
|
177 | 0 | bigint_monty_redc(z_data, m_p._data(), m_p_words, m_p_dash, ws_data, output_size); |
178 | |
|
179 | 0 | if(x.size() < output_size) { |
180 | 0 | x.grow_to(output_size); |
181 | 0 | } |
182 | 0 | copy_mem(x.mutable_data(), z_data, output_size); |
183 | 0 | } |
184 | | |
185 | 0 | BigInt Montgomery_Params::sqr(const BigInt& x, secure_vector<word>& ws) const { |
186 | 0 | const size_t output_size = 2 * m_p_words; |
187 | |
|
188 | 0 | if(ws.size() < output_size) { |
189 | 0 | ws.resize(output_size); |
190 | 0 | } |
191 | |
|
192 | 0 | BigInt z = BigInt::with_capacity(output_size); |
193 | |
|
194 | 0 | BOTAN_DEBUG_ASSERT(x.sig_words() <= m_p_words); |
195 | |
|
196 | 0 | bigint_sqr(z.mutable_data(), z.size(), x._data(), x.size(), std::min(m_p_words, x.size()), ws.data(), ws.size()); |
197 | |
|
198 | 0 | bigint_monty_redc(z.mutable_data(), m_p._data(), m_p_words, m_p_dash, ws.data(), ws.size()); |
199 | |
|
200 | 0 | return z; |
201 | 0 | } |
202 | | |
203 | 4.25M | void Montgomery_Params::square_this(BigInt& x, secure_vector<word>& ws) const { |
204 | 4.25M | const size_t output_size = 2 * m_p_words; |
205 | | |
206 | 4.25M | if(ws.size() < 2 * output_size) { |
207 | 17.2k | ws.resize(2 * output_size); |
208 | 17.2k | } |
209 | | |
210 | 4.25M | word* z_data = &ws[0]; |
211 | 4.25M | word* ws_data = &ws[output_size]; |
212 | | |
213 | 4.25M | BOTAN_DEBUG_ASSERT(x.sig_words() <= m_p_words); |
214 | | |
215 | 4.25M | bigint_sqr(z_data, output_size, x._data(), x.size(), std::min(m_p_words, x.size()), ws_data, output_size); |
216 | | |
217 | 4.25M | bigint_monty_redc(z_data, m_p._data(), m_p_words, m_p_dash, ws_data, output_size); |
218 | | |
219 | 4.25M | if(x.size() < output_size) { |
220 | 17.2k | x.grow_to(output_size); |
221 | 17.2k | } |
222 | 4.25M | copy_mem(x.mutable_data(), z_data, output_size); |
223 | 4.25M | } |
224 | | |
225 | | Montgomery_Int::Montgomery_Int(const std::shared_ptr<const Montgomery_Params>& params, |
226 | | const BigInt& v, |
227 | | bool redc_needed) : |
228 | 277k | m_params(params) { |
229 | 277k | if(redc_needed == false) { |
230 | 260k | m_v = v; |
231 | 260k | } else { |
232 | 17.3k | BOTAN_ASSERT_NOMSG(m_v < m_params->p()); |
233 | 17.3k | secure_vector<word> ws; |
234 | 17.3k | m_v = m_params->mul(v, m_params->R2(), ws); |
235 | 17.3k | } |
236 | 277k | } |
237 | | |
238 | | Montgomery_Int::Montgomery_Int(const std::shared_ptr<const Montgomery_Params>& params, |
239 | | const uint8_t bits[], |
240 | | size_t len, |
241 | | bool redc_needed) : |
242 | 0 | m_params(params), m_v(bits, len) { |
243 | 0 | if(redc_needed) { |
244 | 0 | BOTAN_ASSERT_NOMSG(m_v < m_params->p()); |
245 | 0 | secure_vector<word> ws; |
246 | 0 | m_v = m_params->mul(m_v, m_params->R2(), ws); |
247 | 0 | } |
248 | 0 | } |
249 | | |
250 | | Montgomery_Int::Montgomery_Int(std::shared_ptr<const Montgomery_Params> params, |
251 | | const word words[], |
252 | | size_t len, |
253 | | bool redc_needed) : |
254 | 17.3k | m_params(std::move(params)) { |
255 | 17.3k | m_v.set_words(words, len); |
256 | | |
257 | 17.3k | if(redc_needed) { |
258 | 0 | BOTAN_ASSERT_NOMSG(m_v < m_params->p()); |
259 | 0 | secure_vector<word> ws; |
260 | 0 | m_v = m_params->mul(m_v, m_params->R2(), ws); |
261 | 0 | } |
262 | 17.3k | } |
263 | | |
264 | 277k | void Montgomery_Int::fix_size() { |
265 | 277k | const size_t p_words = m_params->p_words(); |
266 | | |
267 | 277k | if(m_v.sig_words() > p_words) { |
268 | 0 | throw Internal_Error("Montgomery_Int::fix_size v too large"); |
269 | 0 | } |
270 | | |
271 | 277k | m_v.grow_to(p_words); |
272 | 277k | } |
273 | | |
274 | 0 | bool Montgomery_Int::operator==(const Montgomery_Int& other) const { |
275 | 0 | return m_v == other.m_v && m_params->p() == other.m_params->p(); |
276 | 0 | } |
277 | | |
278 | 0 | std::vector<uint8_t> Montgomery_Int::serialize() const { |
279 | 0 | return value().serialize(); |
280 | 0 | } |
281 | | |
282 | 0 | size_t Montgomery_Int::size() const { |
283 | 0 | return m_params->p().bytes(); |
284 | 0 | } |
285 | | |
286 | 0 | bool Montgomery_Int::is_one() const { |
287 | 0 | return m_v == m_params->R1(); |
288 | 0 | } |
289 | | |
290 | 0 | bool Montgomery_Int::is_zero() const { |
291 | 0 | return m_v.is_zero(); |
292 | 0 | } |
293 | | |
294 | 17.3k | BigInt Montgomery_Int::value() const { |
295 | 17.3k | secure_vector<word> ws; |
296 | 17.3k | return m_params->redc(m_v, ws); |
297 | 17.3k | } |
298 | | |
299 | 0 | Montgomery_Int Montgomery_Int::operator+(const Montgomery_Int& other) const { |
300 | 0 | secure_vector<word> ws; |
301 | 0 | BigInt z = m_v; |
302 | 0 | z.mod_add(other.m_v, m_params->p(), ws); |
303 | 0 | return Montgomery_Int(m_params, z, false); |
304 | 0 | } |
305 | | |
306 | 0 | Montgomery_Int Montgomery_Int::operator-(const Montgomery_Int& other) const { |
307 | 0 | secure_vector<word> ws; |
308 | 0 | BigInt z = m_v; |
309 | 0 | z.mod_sub(other.m_v, m_params->p(), ws); |
310 | 0 | return Montgomery_Int(m_params, z, false); |
311 | 0 | } |
312 | | |
313 | 0 | Montgomery_Int& Montgomery_Int::operator+=(const Montgomery_Int& other) { |
314 | 0 | secure_vector<word> ws; |
315 | 0 | return this->add(other, ws); |
316 | 0 | } |
317 | | |
318 | 0 | Montgomery_Int& Montgomery_Int::add(const Montgomery_Int& other, secure_vector<word>& ws) { |
319 | 0 | m_v.mod_add(other.m_v, m_params->p(), ws); |
320 | 0 | return (*this); |
321 | 0 | } |
322 | | |
323 | 0 | Montgomery_Int& Montgomery_Int::operator-=(const Montgomery_Int& other) { |
324 | 0 | secure_vector<word> ws; |
325 | 0 | return this->sub(other, ws); |
326 | 0 | } |
327 | | |
328 | 0 | Montgomery_Int& Montgomery_Int::sub(const Montgomery_Int& other, secure_vector<word>& ws) { |
329 | 0 | m_v.mod_sub(other.m_v, m_params->p(), ws); |
330 | 0 | return (*this); |
331 | 0 | } |
332 | | |
333 | 243k | Montgomery_Int Montgomery_Int::operator*(const Montgomery_Int& other) const { |
334 | 243k | secure_vector<word> ws; |
335 | 243k | return Montgomery_Int(m_params, m_params->mul(m_v, other.m_v, ws), false); |
336 | 243k | } |
337 | | |
338 | 0 | Montgomery_Int Montgomery_Int::mul(const Montgomery_Int& other, secure_vector<word>& ws) const { |
339 | 0 | return Montgomery_Int(m_params, m_params->mul(m_v, other.m_v, ws), false); |
340 | 0 | } |
341 | | |
342 | 0 | Montgomery_Int& Montgomery_Int::mul_by(const Montgomery_Int& other, secure_vector<word>& ws) { |
343 | 0 | m_params->mul_by(m_v, other.m_v, ws); |
344 | 0 | return (*this); |
345 | 0 | } |
346 | | |
347 | 1.06M | Montgomery_Int& Montgomery_Int::mul_by(const secure_vector<word>& other, secure_vector<word>& ws) { |
348 | 1.06M | m_params->mul_by(m_v, other, ws); |
349 | 1.06M | return (*this); |
350 | 1.06M | } |
351 | | |
352 | 0 | Montgomery_Int& Montgomery_Int::operator*=(const Montgomery_Int& other) { |
353 | 0 | secure_vector<word> ws; |
354 | 0 | return mul_by(other, ws); |
355 | 0 | } |
356 | | |
357 | 0 | Montgomery_Int& Montgomery_Int::operator*=(const secure_vector<word>& other) { |
358 | 0 | secure_vector<word> ws; |
359 | 0 | return mul_by(other, ws); |
360 | 0 | } |
361 | | |
362 | 1.06M | Montgomery_Int& Montgomery_Int::square_this_n_times(secure_vector<word>& ws, size_t n) { |
363 | 5.32M | for(size_t i = 0; i != n; ++i) { |
364 | 4.25M | m_params->square_this(m_v, ws); |
365 | 4.25M | } |
366 | 1.06M | return (*this); |
367 | 1.06M | } |
368 | | |
369 | 0 | Montgomery_Int& Montgomery_Int::square_this(secure_vector<word>& ws) { |
370 | 0 | m_params->square_this(m_v, ws); |
371 | 0 | return (*this); |
372 | 0 | } |
373 | | |
374 | 0 | Montgomery_Int Montgomery_Int::square(secure_vector<word>& ws) const { |
375 | 0 | return Montgomery_Int(m_params, m_params->sqr(m_v, ws), false); |
376 | 0 | } |
377 | | |
378 | 0 | Montgomery_Int Montgomery_Int::cube(secure_vector<word>& ws) const { |
379 | 0 | return Montgomery_Int(m_params, m_params->sqr(m_v, ws), false); |
380 | 0 | } |
381 | | |
382 | 0 | Montgomery_Int Montgomery_Int::multiplicative_inverse() const { |
383 | 0 | secure_vector<word> ws; |
384 | 0 | const BigInt iv = m_params->mul(m_params->inv_mod_p(m_v), m_params->R3(), ws); |
385 | 0 | return Montgomery_Int(m_params, iv, false); |
386 | 0 | } |
387 | | |
388 | 0 | Montgomery_Int Montgomery_Int::additive_inverse() const { |
389 | 0 | return Montgomery_Int(m_params, m_params->p()) - (*this); |
390 | 0 | } |
391 | | |
392 | 0 | Montgomery_Int& Montgomery_Int::mul_by_2(secure_vector<word>& ws) { |
393 | 0 | m_v.mod_mul(2, m_params->p(), ws); |
394 | 0 | return (*this); |
395 | 0 | } |
396 | | |
397 | 0 | Montgomery_Int& Montgomery_Int::mul_by_3(secure_vector<word>& ws) { |
398 | 0 | m_v.mod_mul(3, m_params->p(), ws); |
399 | 0 | return (*this); |
400 | 0 | } |
401 | | |
402 | 0 | Montgomery_Int& Montgomery_Int::mul_by_4(secure_vector<word>& ws) { |
403 | 0 | m_v.mod_mul(4, m_params->p(), ws); |
404 | 0 | return (*this); |
405 | 0 | } |
406 | | |
407 | 0 | Montgomery_Int& Montgomery_Int::mul_by_8(secure_vector<word>& ws) { |
408 | 0 | m_v.mod_mul(8, m_params->p(), ws); |
409 | 0 | return (*this); |
410 | 0 | } |
411 | | |
412 | | } // namespace Botan |