/src/openssl36/crypto/bn/rsaz_exp_x2.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * Copyright (c) 2020-2021, Intel Corporation. All Rights Reserved. |
4 | | * |
5 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
6 | | * this file except in compliance with the License. You can obtain a copy |
7 | | * in the file LICENSE in the source distribution or at |
8 | | * https://www.openssl.org/source/license.html |
9 | | * |
10 | | * |
11 | | * Originally written by Sergey Kirillov and Andrey Matyukov. |
12 | | * Special thanks to Ilya Albrekht for his valuable hints. |
13 | | * Intel Corporation |
14 | | * |
15 | | */ |
16 | | |
17 | | #include <openssl/opensslconf.h> |
18 | | #include <openssl/crypto.h> |
19 | | #include "rsaz_exp.h" |
20 | | |
21 | | #ifndef RSAZ_ENABLED |
22 | | NON_EMPTY_TRANSLATION_UNIT |
23 | | #else |
24 | | #include <assert.h> |
25 | | #include <string.h> |
26 | | |
27 | | #define ALIGN_OF(ptr, boundary) \ |
28 | 0 | ((unsigned char *)(ptr) + (boundary - (((size_t)(ptr)) & (boundary - 1)))) |
29 | | |
30 | | /* Internal radix */ |
31 | 0 | #define DIGIT_SIZE (52) |
32 | | /* 52-bit mask */ |
33 | 0 | #define DIGIT_MASK ((uint64_t)0xFFFFFFFFFFFFF) |
34 | | |
35 | 0 | #define BITS2WORD8_SIZE(x) (((x) + 7) >> 3) |
36 | 0 | #define BITS2WORD64_SIZE(x) (((x) + 63) >> 6) |
37 | | |
38 | | /* Number of registers required to hold |digits_num| amount of qword digits */ |
39 | | #define NUMBER_OF_REGISTERS(digits_num, register_size) \ |
40 | 0 | (((digits_num) * 64 + (register_size) - 1) / (register_size)) |
41 | | |
42 | | static ossl_inline uint64_t get_digit(const uint8_t *in, int in_len); |
43 | | static ossl_inline void put_digit(uint8_t *out, int out_len, uint64_t digit); |
44 | | static void to_words52(BN_ULONG *out, int out_len, const BN_ULONG *in, |
45 | | int in_bitsize); |
46 | | static void from_words52(BN_ULONG *bn_out, int out_bitsize, const BN_ULONG *in); |
47 | | static ossl_inline void set_bit(BN_ULONG *a, int idx); |
48 | | |
49 | | /* Number of |digit_size|-bit digits in |bitsize|-bit value */ |
50 | | static ossl_inline int number_of_digits(int bitsize, int digit_size) |
51 | 0 | { |
52 | 0 | return (bitsize + digit_size - 1) / digit_size; |
53 | 0 | } |
54 | | |
55 | | /* |
56 | | * For details of the methods declared below please refer to |
57 | | * crypto/bn/asm/rsaz-avx512.pl |
58 | | * |
59 | | * Naming conventions: |
60 | | * amm = Almost Montgomery Multiplication |
61 | | * ams = Almost Montgomery Squaring |
62 | | * 52xZZ - data represented as array of ZZ digits in 52-bit radix |
63 | | * _x1_/_x2_ - 1 or 2 independent inputs/outputs |
64 | | * _ifma256 - uses 256-bit wide IFMA ISA (AVX512_IFMA256) |
65 | | * _avxifma256 - uses 256-bit wide AVXIFMA ISA (AVX_IFMA256) |
66 | | */ |
67 | | |
68 | | void ossl_rsaz_amm52x20_x1_ifma256(BN_ULONG *res, const BN_ULONG *a, |
69 | | const BN_ULONG *b, const BN_ULONG *m, |
70 | | BN_ULONG k0); |
71 | | void ossl_rsaz_amm52x20_x2_ifma256(BN_ULONG *out, const BN_ULONG *a, |
72 | | const BN_ULONG *b, const BN_ULONG *m, |
73 | | const BN_ULONG k0[2]); |
74 | | void ossl_extract_multiplier_2x20_win5(BN_ULONG *red_Y, |
75 | | const BN_ULONG *red_table, |
76 | | int red_table_idx1, int red_table_idx2); |
77 | | |
78 | | void ossl_rsaz_amm52x30_x1_ifma256(BN_ULONG *res, const BN_ULONG *a, |
79 | | const BN_ULONG *b, const BN_ULONG *m, |
80 | | BN_ULONG k0); |
81 | | void ossl_rsaz_amm52x30_x2_ifma256(BN_ULONG *out, const BN_ULONG *a, |
82 | | const BN_ULONG *b, const BN_ULONG *m, |
83 | | const BN_ULONG k0[2]); |
84 | | void ossl_extract_multiplier_2x30_win5(BN_ULONG *red_Y, |
85 | | const BN_ULONG *red_table, |
86 | | int red_table_idx1, int red_table_idx2); |
87 | | |
88 | | void ossl_rsaz_amm52x40_x1_ifma256(BN_ULONG *res, const BN_ULONG *a, |
89 | | const BN_ULONG *b, const BN_ULONG *m, |
90 | | BN_ULONG k0); |
91 | | void ossl_rsaz_amm52x40_x2_ifma256(BN_ULONG *out, const BN_ULONG *a, |
92 | | const BN_ULONG *b, const BN_ULONG *m, |
93 | | const BN_ULONG k0[2]); |
94 | | void ossl_extract_multiplier_2x40_win5(BN_ULONG *red_Y, |
95 | | const BN_ULONG *red_table, |
96 | | int red_table_idx1, int red_table_idx2); |
97 | | |
98 | | void ossl_rsaz_amm52x20_x1_avxifma256(BN_ULONG *res, const BN_ULONG *a, |
99 | | const BN_ULONG *b, const BN_ULONG *m, |
100 | | BN_ULONG k0); |
101 | | void ossl_rsaz_amm52x20_x2_avxifma256(BN_ULONG *out, const BN_ULONG *a, |
102 | | const BN_ULONG *b, const BN_ULONG *m, |
103 | | const BN_ULONG k0[2]); |
104 | | void ossl_extract_multiplier_2x20_win5_avx(BN_ULONG *red_Y, |
105 | | const BN_ULONG *red_table, |
106 | | int red_table_idx1, |
107 | | int red_table_idx2); |
108 | | |
109 | | void ossl_rsaz_amm52x30_x1_avxifma256(BN_ULONG *res, const BN_ULONG *a, |
110 | | const BN_ULONG *b, const BN_ULONG *m, |
111 | | BN_ULONG k0); |
112 | | void ossl_rsaz_amm52x30_x2_avxifma256(BN_ULONG *out, const BN_ULONG *a, |
113 | | const BN_ULONG *b, const BN_ULONG *m, |
114 | | const BN_ULONG k0[2]); |
115 | | void ossl_extract_multiplier_2x30_win5_avx(BN_ULONG *red_Y, |
116 | | const BN_ULONG *red_table, |
117 | | int red_table_idx1, |
118 | | int red_table_idx2); |
119 | | |
120 | | void ossl_rsaz_amm52x40_x1_avxifma256(BN_ULONG *res, const BN_ULONG *a, |
121 | | const BN_ULONG *b, const BN_ULONG *m, |
122 | | BN_ULONG k0); |
123 | | void ossl_rsaz_amm52x40_x2_avxifma256(BN_ULONG *out, const BN_ULONG *a, |
124 | | const BN_ULONG *b, const BN_ULONG *m, |
125 | | const BN_ULONG k0[2]); |
126 | | void ossl_extract_multiplier_2x40_win5_avx(BN_ULONG *red_Y, |
127 | | const BN_ULONG *red_table, |
128 | | int red_table_idx1, |
129 | | int red_table_idx2); |
130 | | |
131 | | typedef void (*AMM)(BN_ULONG *res, const BN_ULONG *a, const BN_ULONG *b, |
132 | | const BN_ULONG *m, BN_ULONG k0); |
133 | | |
134 | | static AMM ossl_rsaz_amm52_x1[] = { |
135 | | ossl_rsaz_amm52x20_x1_avxifma256, |
136 | | ossl_rsaz_amm52x20_x1_ifma256, |
137 | | ossl_rsaz_amm52x30_x1_avxifma256, |
138 | | ossl_rsaz_amm52x30_x1_ifma256, |
139 | | ossl_rsaz_amm52x40_x1_avxifma256, |
140 | | ossl_rsaz_amm52x40_x1_ifma256, |
141 | | }; |
142 | | |
143 | | typedef void (*DAMM)(BN_ULONG *res, const BN_ULONG *a, const BN_ULONG *b, |
144 | | const BN_ULONG *m, const BN_ULONG k0[2]); |
145 | | |
146 | | static DAMM ossl_rsaz_amm52_x2[] = { |
147 | | ossl_rsaz_amm52x20_x2_avxifma256, |
148 | | ossl_rsaz_amm52x20_x2_ifma256, |
149 | | ossl_rsaz_amm52x30_x2_avxifma256, |
150 | | ossl_rsaz_amm52x30_x2_ifma256, |
151 | | ossl_rsaz_amm52x40_x2_avxifma256, |
152 | | ossl_rsaz_amm52x40_x2_ifma256, |
153 | | }; |
154 | | |
155 | | typedef void (*DEXTRACT)(BN_ULONG *res, const BN_ULONG *red_table, |
156 | | int red_table_idx, int tbl_idx); |
157 | | |
158 | | static DEXTRACT ossl_extract_multiplier_win5[] = { |
159 | | ossl_extract_multiplier_2x20_win5_avx, |
160 | | ossl_extract_multiplier_2x20_win5, |
161 | | ossl_extract_multiplier_2x30_win5_avx, |
162 | | ossl_extract_multiplier_2x30_win5, |
163 | | ossl_extract_multiplier_2x40_win5_avx, |
164 | | ossl_extract_multiplier_2x40_win5, |
165 | | }; |
166 | | |
167 | | static int RSAZ_mod_exp_x2_ifma256(BN_ULONG *res, const BN_ULONG *base, |
168 | | const BN_ULONG *exp[2], const BN_ULONG *m, |
169 | | const BN_ULONG *rr, const BN_ULONG k0[2], |
170 | | int modulus_bitsize); |
171 | | |
172 | | /* |
173 | | * Dual Montgomery modular exponentiation using prime moduli of the |
174 | | * same bit size, optimized with AVX512 ISA or AVXIFMA ISA. |
175 | | * |
176 | | * Input and output parameters for each exponentiation are independent and |
177 | | * denoted here by index |i|, i = 1..2. |
178 | | * |
179 | | * Input and output are all in regular 2^64 radix. |
180 | | * |
181 | | * Each moduli shall be |factor_size| bit size. |
182 | | * |
183 | | * Supported cases: |
184 | | * - 2x1024 |
185 | | * - 2x1536 |
186 | | * - 2x2048 |
187 | | * |
188 | | * [out] res|i| - result of modular exponentiation: array of qword values |
189 | | * in regular (2^64) radix. Size of array shall be enough |
190 | | * to hold |factor_size| bits. |
191 | | * [in] base|i| - base |
192 | | * [in] exp|i| - exponent |
193 | | * [in] m|i| - moduli |
194 | | * [in] rr|i| - Montgomery parameter RR = R^2 mod m|i| |
195 | | * [in] k0_|i| - Montgomery parameter k0 = -1/m|i| mod 2^64 |
196 | | * [in] factor_size - moduli bit size |
197 | | * |
198 | | * \return 0 in case of failure, |
199 | | * 1 in case of success. |
200 | | */ |
201 | | int ossl_rsaz_mod_exp_avx512_x2(BN_ULONG *res1, |
202 | | const BN_ULONG *base1, |
203 | | const BN_ULONG *exp1, |
204 | | const BN_ULONG *m1, |
205 | | const BN_ULONG *rr1, |
206 | | BN_ULONG k0_1, |
207 | | BN_ULONG *res2, |
208 | | const BN_ULONG *base2, |
209 | | const BN_ULONG *exp2, |
210 | | const BN_ULONG *m2, |
211 | | const BN_ULONG *rr2, |
212 | | BN_ULONG k0_2, |
213 | | int factor_size) |
214 | 0 | { |
215 | 0 | int ret = 0; |
216 | | |
217 | | /* |
218 | | * Number of word-size (BN_ULONG) digits to store exponent in redundant |
219 | | * representation. |
220 | | */ |
221 | 0 | int exp_digits = number_of_digits(factor_size + 2, DIGIT_SIZE); |
222 | 0 | int coeff_pow = 4 * (DIGIT_SIZE * exp_digits - factor_size); |
223 | | |
224 | | /* Number of YMM registers required to store exponent's digits */ |
225 | 0 | int ymm_regs_num = NUMBER_OF_REGISTERS(exp_digits, 256 /* ymm bit size */); |
226 | | /* Capacity of the register set (in qwords) to store exponent */ |
227 | 0 | int regs_capacity = ymm_regs_num * 4; |
228 | |
|
229 | 0 | BN_ULONG *base1_red, *m1_red, *rr1_red; |
230 | 0 | BN_ULONG *base2_red, *m2_red, *rr2_red; |
231 | 0 | BN_ULONG *coeff_red; |
232 | 0 | BN_ULONG *storage = NULL; |
233 | 0 | BN_ULONG *storage_aligned = NULL; |
234 | 0 | int storage_len_bytes = 7 * regs_capacity * sizeof(BN_ULONG) |
235 | 0 | + 64 /* alignment */; |
236 | |
|
237 | 0 | const BN_ULONG *exp[2] = { 0 }; |
238 | 0 | BN_ULONG k0[2] = { 0 }; |
239 | | /* AMM = Almost Montgomery Multiplication */ |
240 | 0 | AMM amm = NULL; |
241 | 0 | int avx512ifma = !!ossl_rsaz_avx512ifma_eligible(); |
242 | |
|
243 | 0 | if (factor_size != 1024 && factor_size != 1536 && factor_size != 2048) |
244 | 0 | goto err; |
245 | | |
246 | 0 | amm = ossl_rsaz_amm52_x1[(factor_size / 512 - 2) * 2 + avx512ifma]; |
247 | |
|
248 | 0 | storage = (BN_ULONG *)OPENSSL_malloc(storage_len_bytes); |
249 | 0 | if (storage == NULL) |
250 | 0 | goto err; |
251 | 0 | storage_aligned = (BN_ULONG *)ALIGN_OF(storage, 64); |
252 | | |
253 | | /* Memory layout for red(undant) representations */ |
254 | 0 | base1_red = storage_aligned; |
255 | 0 | base2_red = storage_aligned + 1 * regs_capacity; |
256 | 0 | m1_red = storage_aligned + 2 * regs_capacity; |
257 | 0 | m2_red = storage_aligned + 3 * regs_capacity; |
258 | 0 | rr1_red = storage_aligned + 4 * regs_capacity; |
259 | 0 | rr2_red = storage_aligned + 5 * regs_capacity; |
260 | 0 | coeff_red = storage_aligned + 6 * regs_capacity; |
261 | | |
262 | | /* Convert base_i, m_i, rr_i, from regular to 52-bit radix */ |
263 | 0 | to_words52(base1_red, regs_capacity, base1, factor_size); |
264 | 0 | to_words52(base2_red, regs_capacity, base2, factor_size); |
265 | 0 | to_words52(m1_red, regs_capacity, m1, factor_size); |
266 | 0 | to_words52(m2_red, regs_capacity, m2, factor_size); |
267 | 0 | to_words52(rr1_red, regs_capacity, rr1, factor_size); |
268 | 0 | to_words52(rr2_red, regs_capacity, rr2, factor_size); |
269 | | |
270 | | /* |
271 | | * Compute target domain Montgomery converters RR' for each modulus |
272 | | * based on precomputed original domain's RR. |
273 | | * |
274 | | * RR -> RR' transformation steps: |
275 | | * (1) coeff = 2^k |
276 | | * (2) t = AMM(RR,RR) = RR^2 / R' mod m |
277 | | * (3) RR' = AMM(t, coeff) = RR^2 * 2^k / R'^2 mod m |
278 | | * where |
279 | | * k = 4 * (52 * digits52 - modlen) |
280 | | * R = 2^(64 * ceil(modlen/64)) mod m |
281 | | * RR = R^2 mod m |
282 | | * R' = 2^(52 * ceil(modlen/52)) mod m |
283 | | * |
284 | | * EX/ modlen = 1024: k = 64, RR = 2^2048 mod m, RR' = 2^2080 mod m |
285 | | */ |
286 | 0 | memset(coeff_red, 0, exp_digits * sizeof(BN_ULONG)); |
287 | | /* (1) in reduced domain representation */ |
288 | 0 | set_bit(coeff_red, 64 * (int)(coeff_pow / 52) + coeff_pow % 52); |
289 | |
|
290 | 0 | amm(rr1_red, rr1_red, rr1_red, m1_red, k0_1); /* (2) for m1 */ |
291 | 0 | amm(rr1_red, rr1_red, coeff_red, m1_red, k0_1); /* (3) for m1 */ |
292 | |
|
293 | 0 | amm(rr2_red, rr2_red, rr2_red, m2_red, k0_2); /* (2) for m2 */ |
294 | 0 | amm(rr2_red, rr2_red, coeff_red, m2_red, k0_2); /* (3) for m2 */ |
295 | |
|
296 | 0 | exp[0] = exp1; |
297 | 0 | exp[1] = exp2; |
298 | |
|
299 | 0 | k0[0] = k0_1; |
300 | 0 | k0[1] = k0_2; |
301 | | |
302 | | /* Dual (2-exps in parallel) exponentiation */ |
303 | 0 | ret = RSAZ_mod_exp_x2_ifma256(rr1_red, base1_red, exp, m1_red, rr1_red, |
304 | 0 | k0, factor_size); |
305 | 0 | if (!ret) |
306 | 0 | goto err; |
307 | | |
308 | | /* Convert rr_i back to regular radix */ |
309 | 0 | from_words52(res1, factor_size, rr1_red); |
310 | 0 | from_words52(res2, factor_size, rr2_red); |
311 | | |
312 | | /* bn_reduce_once_in_place expects number of BN_ULONG, not bit size */ |
313 | 0 | factor_size /= sizeof(BN_ULONG) * 8; |
314 | |
|
315 | 0 | bn_reduce_once_in_place(res1, /*carry=*/0, m1, storage, factor_size); |
316 | 0 | bn_reduce_once_in_place(res2, /*carry=*/0, m2, storage, factor_size); |
317 | |
|
318 | 0 | err: |
319 | 0 | if (storage != NULL) { |
320 | 0 | OPENSSL_cleanse(storage, storage_len_bytes); |
321 | 0 | OPENSSL_free(storage); |
322 | 0 | } |
323 | 0 | return ret; |
324 | 0 | } |
325 | | |
326 | | /* |
327 | | * Dual {1024,1536,2048}-bit w-ary modular exponentiation using prime moduli of |
328 | | * the same bit size using Almost Montgomery Multiplication, optimized with |
329 | | * AVX512_IFMA256 ISA. |
330 | | * |
331 | | * The parameter w (window size) = 5. |
332 | | * |
333 | | * [out] res - result of modular exponentiation: 2x{20,30,40} qword |
334 | | * values in 2^52 radix. |
335 | | * [in] base - base (2x{20,30,40} qword values in 2^52 radix) |
336 | | * [in] exp - array of 2 pointers to {16,24,32} qword values in 2^64 radix. |
337 | | * Exponent is not converted to redundant representation. |
338 | | * [in] m - moduli (2x{20,30,40} qword values in 2^52 radix) |
339 | | * [in] rr - Montgomery parameter for 2 moduli: |
340 | | * RR(1024) = 2^2080 mod m. |
341 | | * RR(1536) = 2^3120 mod m. |
342 | | * RR(2048) = 2^4160 mod m. |
343 | | * (2x{20,30,40} qword values in 2^52 radix) |
344 | | * [in] k0 - Montgomery parameter for 2 moduli: k0 = -1/m mod 2^64 |
345 | | * |
346 | | * \return (void). |
347 | | */ |
348 | | int RSAZ_mod_exp_x2_ifma256(BN_ULONG *out, |
349 | | const BN_ULONG *base, |
350 | | const BN_ULONG *exp[2], |
351 | | const BN_ULONG *m, |
352 | | const BN_ULONG *rr, |
353 | | const BN_ULONG k0[2], |
354 | | int modulus_bitsize) |
355 | 0 | { |
356 | 0 | int ret = 0; |
357 | 0 | int idx; |
358 | | |
359 | | /* Exponent window size */ |
360 | 0 | int exp_win_size = 5; |
361 | 0 | int exp_win_mask = (1U << exp_win_size) - 1; |
362 | | |
363 | | /* |
364 | | * Number of digits (64-bit words) in redundant representation to handle |
365 | | * modulus bits |
366 | | */ |
367 | 0 | int red_digits = 0; |
368 | 0 | int exp_digits = 0; |
369 | |
|
370 | 0 | BN_ULONG *storage = NULL; |
371 | 0 | BN_ULONG *storage_aligned = NULL; |
372 | 0 | int storage_len_bytes = 0; |
373 | | |
374 | | /* Red(undant) result Y and multiplier X */ |
375 | 0 | BN_ULONG *red_Y = NULL; /* [2][red_digits] */ |
376 | 0 | BN_ULONG *red_X = NULL; /* [2][red_digits] */ |
377 | | /* Pre-computed table of base powers */ |
378 | 0 | BN_ULONG *red_table = NULL; /* [1U << exp_win_size][2][red_digits] */ |
379 | | /* Expanded exponent */ |
380 | 0 | BN_ULONG *expz = NULL; /* [2][exp_digits + 1] */ |
381 | | |
382 | | /* Dual AMM */ |
383 | 0 | DAMM damm = NULL; |
384 | | /* Extractor from red_table */ |
385 | 0 | DEXTRACT extract = NULL; |
386 | 0 | int avx512ifma = !!ossl_rsaz_avx512ifma_eligible(); |
387 | | |
388 | | /* |
389 | | * Squaring is done using multiplication now. That can be a subject of |
390 | | * optimization in future. |
391 | | */ |
392 | 0 | #define DAMS(r, a, m, k0) damm((r), (a), (a), (m), (k0)) |
393 | |
|
394 | 0 | if (modulus_bitsize != 1024 && modulus_bitsize != 1536 && modulus_bitsize != 2048) |
395 | 0 | goto err; |
396 | | |
397 | 0 | damm = ossl_rsaz_amm52_x2[(modulus_bitsize / 512 - 2) * 2 + avx512ifma]; |
398 | 0 | extract = ossl_extract_multiplier_win5[(modulus_bitsize / 512 - 2) * 2 + avx512ifma]; |
399 | |
|
400 | 0 | switch (modulus_bitsize) { |
401 | 0 | case 1024: |
402 | 0 | red_digits = 20; |
403 | 0 | exp_digits = 16; |
404 | 0 | break; |
405 | 0 | case 1536: |
406 | | /* Extended with 2 digits padding to avoid mask ops in high YMM register */ |
407 | 0 | red_digits = 30 + 2; |
408 | 0 | exp_digits = 24; |
409 | 0 | break; |
410 | 0 | case 2048: |
411 | 0 | red_digits = 40; |
412 | 0 | exp_digits = 32; |
413 | 0 | break; |
414 | 0 | default: |
415 | 0 | goto err; |
416 | 0 | } |
417 | | |
418 | 0 | storage_len_bytes = (2 * red_digits /* red_Y */ |
419 | 0 | + 2 * red_digits /* red_X */ |
420 | 0 | + 2 * red_digits * (1U << exp_win_size) /* red_table */ |
421 | 0 | + 2 * (exp_digits + 1)) /* expz */ |
422 | 0 | * sizeof(BN_ULONG) |
423 | 0 | + 64; /* alignment */ |
424 | |
|
425 | 0 | storage = (BN_ULONG *)OPENSSL_zalloc(storage_len_bytes); |
426 | 0 | if (storage == NULL) |
427 | 0 | goto err; |
428 | 0 | storage_aligned = (BN_ULONG *)ALIGN_OF(storage, 64); |
429 | |
|
430 | 0 | red_Y = storage_aligned; |
431 | 0 | red_X = red_Y + 2 * red_digits; |
432 | 0 | red_table = red_X + 2 * red_digits; |
433 | 0 | expz = red_table + 2 * red_digits * (1U << exp_win_size); |
434 | | |
435 | | /* |
436 | | * Compute table of powers base^i, i = 0, ..., (2^EXP_WIN_SIZE) - 1 |
437 | | * table[0] = mont(x^0) = mont(1) |
438 | | * table[1] = mont(x^1) = mont(x) |
439 | | */ |
440 | 0 | red_X[0 * red_digits] = 1; |
441 | 0 | red_X[1 * red_digits] = 1; |
442 | 0 | damm(&red_table[0 * 2 * red_digits], (const BN_ULONG *)red_X, rr, m, k0); |
443 | 0 | damm(&red_table[1 * 2 * red_digits], base, rr, m, k0); |
444 | |
|
445 | 0 | for (idx = 1; idx < (int)((1U << exp_win_size) / 2); idx++) { |
446 | 0 | DAMS(&red_table[(2 * idx + 0) * 2 * red_digits], |
447 | 0 | &red_table[(1 * idx) * 2 * red_digits], m, k0); |
448 | 0 | damm(&red_table[(2 * idx + 1) * 2 * red_digits], |
449 | 0 | &red_table[(2 * idx) * 2 * red_digits], |
450 | 0 | &red_table[1 * 2 * red_digits], m, k0); |
451 | 0 | } |
452 | | |
453 | | /* Copy and expand exponents */ |
454 | 0 | memcpy(&expz[0 * (exp_digits + 1)], exp[0], exp_digits * sizeof(BN_ULONG)); |
455 | 0 | expz[1 * (exp_digits + 1) - 1] = 0; |
456 | 0 | memcpy(&expz[1 * (exp_digits + 1)], exp[1], exp_digits * sizeof(BN_ULONG)); |
457 | 0 | expz[2 * (exp_digits + 1) - 1] = 0; |
458 | | |
459 | | /* Exponentiation */ |
460 | 0 | { |
461 | 0 | const int rem = modulus_bitsize % exp_win_size; |
462 | 0 | const BN_ULONG table_idx_mask = exp_win_mask; |
463 | |
|
464 | 0 | int exp_bit_no = modulus_bitsize - rem; |
465 | 0 | int exp_chunk_no = exp_bit_no / 64; |
466 | 0 | int exp_chunk_shift = exp_bit_no % 64; |
467 | |
|
468 | 0 | BN_ULONG red_table_idx_0, red_table_idx_1; |
469 | | |
470 | | /* |
471 | | * If rem == 0, then |
472 | | * exp_bit_no = modulus_bitsize - exp_win_size |
473 | | * However, this isn't possible because rem is { 1024, 1536, 2048 } % 5 |
474 | | * which is { 4, 1, 3 } respectively. |
475 | | * |
476 | | * If this assertion ever fails the fix above is easy. |
477 | | */ |
478 | 0 | OPENSSL_assert(rem != 0); |
479 | | |
480 | | /* Process 1-st exp window - just init result */ |
481 | 0 | red_table_idx_0 = expz[exp_chunk_no + 0 * (exp_digits + 1)]; |
482 | 0 | red_table_idx_1 = expz[exp_chunk_no + 1 * (exp_digits + 1)]; |
483 | | |
484 | | /* |
485 | | * The function operates with fixed moduli sizes divisible by 64, |
486 | | * thus table index here is always in supported range [0, EXP_WIN_SIZE). |
487 | | */ |
488 | 0 | red_table_idx_0 >>= exp_chunk_shift; |
489 | 0 | red_table_idx_1 >>= exp_chunk_shift; |
490 | |
|
491 | 0 | extract(&red_Y[0 * red_digits], (const BN_ULONG *)red_table, (int)red_table_idx_0, (int)red_table_idx_1); |
492 | | |
493 | | /* Process other exp windows */ |
494 | 0 | for (exp_bit_no -= exp_win_size; exp_bit_no >= 0; exp_bit_no -= exp_win_size) { |
495 | | /* Extract pre-computed multiplier from the table */ |
496 | 0 | { |
497 | 0 | BN_ULONG T; |
498 | |
|
499 | 0 | exp_chunk_no = exp_bit_no / 64; |
500 | 0 | exp_chunk_shift = exp_bit_no % 64; |
501 | 0 | { |
502 | 0 | red_table_idx_0 = expz[exp_chunk_no + 0 * (exp_digits + 1)]; |
503 | 0 | T = expz[exp_chunk_no + 1 + 0 * (exp_digits + 1)]; |
504 | |
|
505 | 0 | red_table_idx_0 >>= exp_chunk_shift; |
506 | | /* |
507 | | * Get additional bits from then next quadword |
508 | | * when 64-bit boundaries are crossed. |
509 | | */ |
510 | 0 | if (exp_chunk_shift > 64 - exp_win_size) { |
511 | 0 | T <<= (64 - exp_chunk_shift); |
512 | 0 | red_table_idx_0 ^= T; |
513 | 0 | } |
514 | 0 | red_table_idx_0 &= table_idx_mask; |
515 | 0 | } |
516 | 0 | { |
517 | 0 | red_table_idx_1 = expz[exp_chunk_no + 1 * (exp_digits + 1)]; |
518 | 0 | T = expz[exp_chunk_no + 1 + 1 * (exp_digits + 1)]; |
519 | |
|
520 | 0 | red_table_idx_1 >>= exp_chunk_shift; |
521 | | /* |
522 | | * Get additional bits from then next quadword |
523 | | * when 64-bit boundaries are crossed. |
524 | | */ |
525 | 0 | if (exp_chunk_shift > 64 - exp_win_size) { |
526 | 0 | T <<= (64 - exp_chunk_shift); |
527 | 0 | red_table_idx_1 ^= T; |
528 | 0 | } |
529 | 0 | red_table_idx_1 &= table_idx_mask; |
530 | 0 | } |
531 | |
|
532 | 0 | extract(&red_X[0 * red_digits], (const BN_ULONG *)red_table, (int)red_table_idx_0, (int)red_table_idx_1); |
533 | 0 | } |
534 | | |
535 | | /* Series of squaring */ |
536 | 0 | DAMS((BN_ULONG *)red_Y, (const BN_ULONG *)red_Y, m, k0); |
537 | 0 | DAMS((BN_ULONG *)red_Y, (const BN_ULONG *)red_Y, m, k0); |
538 | 0 | DAMS((BN_ULONG *)red_Y, (const BN_ULONG *)red_Y, m, k0); |
539 | 0 | DAMS((BN_ULONG *)red_Y, (const BN_ULONG *)red_Y, m, k0); |
540 | 0 | DAMS((BN_ULONG *)red_Y, (const BN_ULONG *)red_Y, m, k0); |
541 | |
|
542 | 0 | damm((BN_ULONG *)red_Y, (const BN_ULONG *)red_Y, (const BN_ULONG *)red_X, m, k0); |
543 | 0 | } |
544 | 0 | } |
545 | | |
546 | | /* |
547 | | * |
548 | | * NB: After the last AMM of exponentiation in Montgomery domain, the result |
549 | | * may be (modulus_bitsize + 1), but the conversion out of Montgomery domain |
550 | | * performs an AMM(x,1) which guarantees that the final result is less than |
551 | | * |m|, so no conditional subtraction is needed here. See [1] for details. |
552 | | * |
553 | | * [1] Gueron, S. Efficient software implementations of modular exponentiation. |
554 | | * DOI: 10.1007/s13389-012-0031-5 |
555 | | */ |
556 | | |
557 | | /* Convert result back in regular 2^52 domain */ |
558 | 0 | memset(red_X, 0, 2 * red_digits * sizeof(BN_ULONG)); |
559 | 0 | red_X[0 * red_digits] = 1; |
560 | 0 | red_X[1 * red_digits] = 1; |
561 | 0 | damm(out, (const BN_ULONG *)red_Y, (const BN_ULONG *)red_X, m, k0); |
562 | |
|
563 | 0 | ret = 1; |
564 | |
|
565 | 0 | err: |
566 | 0 | if (storage != NULL) { |
567 | | /* Clear whole storage */ |
568 | 0 | OPENSSL_cleanse(storage, storage_len_bytes); |
569 | 0 | OPENSSL_free(storage); |
570 | 0 | } |
571 | |
|
572 | 0 | #undef DAMS |
573 | 0 | return ret; |
574 | 0 | } |
575 | | |
576 | | static ossl_inline uint64_t get_digit(const uint8_t *in, int in_len) |
577 | 0 | { |
578 | 0 | uint64_t digit = 0; |
579 | |
|
580 | 0 | assert(in != NULL); |
581 | 0 | assert(in_len <= 8); |
582 | |
|
583 | 0 | for (; in_len > 0; in_len--) { |
584 | 0 | digit <<= 8; |
585 | 0 | digit += (uint64_t)(in[in_len - 1]); |
586 | 0 | } |
587 | 0 | return digit; |
588 | 0 | } |
589 | | |
590 | | /* |
591 | | * Convert array of words in regular (base=2^64) representation to array of |
592 | | * words in redundant (base=2^52) one. |
593 | | */ |
594 | | static void to_words52(BN_ULONG *out, int out_len, |
595 | | const BN_ULONG *in, int in_bitsize) |
596 | 0 | { |
597 | 0 | uint8_t *in_str = NULL; |
598 | |
|
599 | 0 | assert(out != NULL); |
600 | 0 | assert(in != NULL); |
601 | | /* Check destination buffer capacity */ |
602 | 0 | assert(out_len >= number_of_digits(in_bitsize, DIGIT_SIZE)); |
603 | |
|
604 | 0 | in_str = (uint8_t *)in; |
605 | |
|
606 | 0 | for (; in_bitsize >= (2 * DIGIT_SIZE); in_bitsize -= (2 * DIGIT_SIZE), out += 2) { |
607 | 0 | uint64_t digit; |
608 | |
|
609 | 0 | memcpy(&digit, in_str, sizeof(digit)); |
610 | 0 | out[0] = digit & DIGIT_MASK; |
611 | 0 | in_str += 6; |
612 | 0 | memcpy(&digit, in_str, sizeof(digit)); |
613 | 0 | out[1] = (digit >> 4) & DIGIT_MASK; |
614 | 0 | in_str += 7; |
615 | 0 | out_len -= 2; |
616 | 0 | } |
617 | |
|
618 | 0 | if (in_bitsize > DIGIT_SIZE) { |
619 | 0 | uint64_t digit = get_digit(in_str, 7); |
620 | |
|
621 | 0 | out[0] = digit & DIGIT_MASK; |
622 | 0 | in_str += 6; |
623 | 0 | in_bitsize -= DIGIT_SIZE; |
624 | 0 | digit = get_digit(in_str, BITS2WORD8_SIZE(in_bitsize)); |
625 | 0 | out[1] = digit >> 4; |
626 | 0 | out += 2; |
627 | 0 | out_len -= 2; |
628 | 0 | } else if (in_bitsize > 0) { |
629 | 0 | out[0] = get_digit(in_str, BITS2WORD8_SIZE(in_bitsize)); |
630 | 0 | out++; |
631 | 0 | out_len--; |
632 | 0 | } |
633 | |
|
634 | 0 | memset(out, 0, out_len * sizeof(BN_ULONG)); |
635 | 0 | } |
636 | | |
637 | | static ossl_inline void put_digit(uint8_t *out, int out_len, uint64_t digit) |
638 | 0 | { |
639 | 0 | assert(out != NULL); |
640 | 0 | assert(out_len <= 8); |
641 | |
|
642 | 0 | for (; out_len > 0; out_len--) { |
643 | 0 | *out++ = (uint8_t)(digit & 0xFF); |
644 | 0 | digit >>= 8; |
645 | 0 | } |
646 | 0 | } |
647 | | |
648 | | /* |
649 | | * Convert array of words in redundant (base=2^52) representation to array of |
650 | | * words in regular (base=2^64) one. |
651 | | */ |
652 | | static void from_words52(BN_ULONG *out, int out_bitsize, const BN_ULONG *in) |
653 | 0 | { |
654 | 0 | int i; |
655 | 0 | int out_len = BITS2WORD64_SIZE(out_bitsize); |
656 | |
|
657 | 0 | assert(out != NULL); |
658 | 0 | assert(in != NULL); |
659 | |
|
660 | 0 | for (i = 0; i < out_len; i++) |
661 | 0 | out[i] = 0; |
662 | |
|
663 | 0 | { |
664 | 0 | uint8_t *out_str = (uint8_t *)out; |
665 | |
|
666 | 0 | for (; out_bitsize >= (2 * DIGIT_SIZE); |
667 | 0 | out_bitsize -= (2 * DIGIT_SIZE), in += 2) { |
668 | 0 | uint64_t digit; |
669 | |
|
670 | 0 | digit = in[0]; |
671 | 0 | memcpy(out_str, &digit, sizeof(digit)); |
672 | 0 | out_str += 6; |
673 | 0 | digit = digit >> 48 | in[1] << 4; |
674 | 0 | memcpy(out_str, &digit, sizeof(digit)); |
675 | 0 | out_str += 7; |
676 | 0 | } |
677 | |
|
678 | 0 | if (out_bitsize > DIGIT_SIZE) { |
679 | 0 | put_digit(out_str, 7, in[0]); |
680 | 0 | out_str += 6; |
681 | 0 | out_bitsize -= DIGIT_SIZE; |
682 | 0 | put_digit(out_str, BITS2WORD8_SIZE(out_bitsize), |
683 | 0 | (in[1] << 4 | in[0] >> 48)); |
684 | 0 | } else if (out_bitsize) { |
685 | 0 | put_digit(out_str, BITS2WORD8_SIZE(out_bitsize), in[0]); |
686 | 0 | } |
687 | 0 | } |
688 | 0 | } |
689 | | |
690 | | /* |
691 | | * Set bit at index |idx| in the words array |a|. |
692 | | * It does not do any boundaries checks, make sure the index is valid before |
693 | | * calling the function. |
694 | | */ |
695 | | static ossl_inline void set_bit(BN_ULONG *a, int idx) |
696 | 0 | { |
697 | 0 | assert(a != NULL); |
698 | |
|
699 | 0 | { |
700 | 0 | int i, j; |
701 | |
|
702 | 0 | i = idx / BN_BITS2; |
703 | 0 | j = idx % BN_BITS2; |
704 | 0 | a[i] |= (((BN_ULONG)1) << j); |
705 | 0 | } |
706 | 0 | } |
707 | | |
708 | | #endif |