/src/nettle/ecc-mod-inv.c

Source (jump to first uncovered line)
/* ecc-mod-inv.c

   Copyright (C) 2013, 2014 Niels Möller

   This file is part of GNU Nettle.

   GNU Nettle is free software: you can redistribute it and/or
   modify it under the terms of either:

     * the GNU Lesser General Public License as published by the Free
       Software Foundation; either version 3 of the License, or (at your
       option) any later version.

   or

     * the GNU General Public License as published by the Free
       Software Foundation; either version 2 of the License, or (at your
       option) any later version.

   or both in parallel, as here.

   GNU Nettle is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   General Public License for more details.

   You should have received copies of the GNU General Public License and
   the GNU Lesser General Public License along with this program.  If
   not, see http://www.gnu.org/licenses/.
*/

/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */

#if HAVE_CONFIG_H
# include "config.h"
#endif

#include <assert.h>

#include "ecc-internal.h"

static void
cnd_neg (int cnd, mp_limb_t *rp, const mp_limb_t *ap, mp_size_t n)
{
  mp_limb_t cy = (cnd != 0);
  mp_limb_t mask = -cy;
  mp_size_t i;

  for (i = 0; i < n; i++)
    {
      mp_limb_t r = (ap[i] ^ mask) + cy;
      cy = r < cy;
      rp[i] = r;
    }
}

/* Compute a^{-1} mod m, with running time depending only on the size.
   Returns zero if a == 0 (mod m), to be consistent with a^{phi(m)-1}.
   Also needs (m+1)/2, and m must be odd.

   Needs 3n limbs of scratch space.
*/

/* FIXME: Could use mpn_sec_invert (in GMP-6), but with a bit more
   scratch need since it doesn't precompute (m+1)/2. */
void
ecc_mod_inv (const struct ecc_modulo *m,
       mp_limb_t *vp, const mp_limb_t *in_ap,
       mp_limb_t *scratch)
{
#define ap scratch
#define bp (scratch + n)
#define up (scratch + 2*n)

  mp_size_t n = m->size;
  /* Avoid the mp_bitcnt_t type for compatibility with older GMP
     versions. */  
  unsigned i;

  /* Maintain

       a = u * orig_a (mod m)
       b = v * orig_a (mod m)

     and b odd at all times. Initially,

       a = a_orig, u = 1
       b = m,      v = 0
     */

  assert (ap != vp);

  up[0] = 1;
  mpn_zero (up+1, n - 1);
  mpn_copyi (bp, m->m, n);
  mpn_zero (vp, n);
  mpn_copyi (ap, in_ap, n);

  for (i = m->bit_size + GMP_NUMB_BITS * n; i-- > 0; )
    {
      mp_limb_t odd, swap, cy;
      
      /* Always maintain b odd. The logic of the iteration is as
   follows. For a, b:

     odd = a & 1
     a -= odd * b
     if (underflow from a-b)
       {
         b += a, assigns old a
         a = B^n-a
       }
     
     a /= 2

   For u, v:

     if (underflow from a - b)
       swap u, v
     u -= odd * v
     if (underflow from u - v)
       u += m

     u /= 2
     if (a one bit was shifted out)
       u += (m+1)/2

   As long as a > 0, the quantity

     (bitsize of a) + (bitsize of b)

   is reduced by at least one bit per iteration, hence after
         (bit_size of orig_a) + (bit_size of m) - 1 iterations we
         surely have a = 0. Then b = gcd(orig_a, m) and if b = 1 then
         also v = orig_a^{-1} (mod m)
      */

      assert_maybe (bp[0] & 1);
      odd = ap[0] & 1;

      swap = mpn_cnd_sub_n (odd, ap, ap, bp, n);
      mpn_cnd_add_n (swap, bp, bp, ap, n);
      cnd_neg (swap, ap, ap, n);

      mpn_cnd_swap (swap, up, vp, n);
      cy = mpn_cnd_sub_n (odd, up, up, vp, n);
      cy -= mpn_cnd_add_n (cy, up, up, m->m, n);
      assert_maybe (cy == 0);

      cy = mpn_rshift (ap, ap, n, 1);
      assert_maybe (cy == 0);
      cy = mpn_rshift (up, up, n, 1);
      cy = mpn_cnd_add_n (cy, up, up, m->mp1h, n);
      assert_maybe (cy == 0);
    }
  assert_maybe ( (ap[0] | ap[n-1]) == 0);
#undef ap
#undef bp
#undef up
}

Line	Count	Source (jump to first uncovered line)
1		/* ecc-mod-inv.c
2
3		Copyright (C) 2013, 2014 Niels Möller
4
5		This file is part of GNU Nettle.
6
7		GNU Nettle is free software: you can redistribute it and/or
8		modify it under the terms of either:
9
10		* the GNU Lesser General Public License as published by the Free
11		Software Foundation; either version 3 of the License, or (at your
12		option) any later version.
13
14		or
15
16		* the GNU General Public License as published by the Free
17		Software Foundation; either version 2 of the License, or (at your
18		option) any later version.
19
20		or both in parallel, as here.
21
22		GNU Nettle is distributed in the hope that it will be useful,
23		but WITHOUT ANY WARRANTY; without even the implied warranty of
24		MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
25		General Public License for more details.
26
27		You should have received copies of the GNU General Public License and
28		the GNU Lesser General Public License along with this program. If
29		not, see http://www.gnu.org/licenses/.
30		*/
31
32		/* Development of Nettle's ECC support was funded by the .SE Internet Fund. */
33
34		#if HAVE_CONFIG_H
35		# include "config.h"
36		#endif
37
38		#include <assert.h>
39
40		#include "ecc-internal.h"
41
42		static void
43		cnd_neg (int cnd, mp_limb_t rp, const mp_limb_t ap, mp_size_t n)
44	0	{
45	0	mp_limb_t cy = (cnd != 0);
46	0	mp_limb_t mask = -cy;
47	0	mp_size_t i;
48
49	0	for (i = 0; i < n; i++)
50	0	{
51	0	mp_limb_t r = (ap[i] ^ mask) + cy;
52	0	cy = r < cy;
53	0	rp[i] = r;
54	0	}
55	0	}
56
57		/* Compute a^{-1} mod m, with running time depending only on the size.
58		Returns zero if a == 0 (mod m), to be consistent with a^{phi(m)-1}.
59		Also needs (m+1)/2, and m must be odd.
60
61		Needs 3n limbs of scratch space.
62		*/
63
64		/* FIXME: Could use mpn_sec_invert (in GMP-6), but with a bit more
65		scratch need since it doesn't precompute (m+1)/2. */
66		void
67		ecc_mod_inv (const struct ecc_modulo *m,
68		mp_limb_t vp, const mp_limb_t in_ap,
69		mp_limb_t *scratch)
70	0	{
71	0	#define ap scratch
72	0	#define bp (scratch + n)
73	0	#define up (scratch + 2*n)
74
75	0	mp_size_t n = m->size;
76		/* Avoid the mp_bitcnt_t type for compatibility with older GMP
77		versions. */
78	0	unsigned i;
79
80		/* Maintain
81
82		a = u * orig_a (mod m)
83		b = v * orig_a (mod m)
84
85		and b odd at all times. Initially,
86
87		a = a_orig, u = 1
88		b = m, v = 0
89		*/
90
91	0	assert (ap != vp);
92
93	0	up[0] = 1;
94	0	mpn_zero (up+1, n - 1);
95	0	mpn_copyi (bp, m->m, n);
96	0	mpn_zero (vp, n);
97	0	mpn_copyi (ap, in_ap, n);
98
99	0	for (i = m->bit_size + GMP_NUMB_BITS * n; i-- > 0; )
100	0	{
101	0	mp_limb_t odd, swap, cy;
102
103		/* Always maintain b odd. The logic of the iteration is as
104		follows. For a, b:
105
106		odd = a & 1
107		a -= odd * b
108		if (underflow from a-b)
109		{
110		b += a, assigns old a
111		a = B^n-a
112		}
113
114		a /= 2
115
116		For u, v:
117
118		if (underflow from a - b)
119		swap u, v
120		u -= odd * v
121		if (underflow from u - v)
122		u += m
123
124		u /= 2
125		if (a one bit was shifted out)
126		u += (m+1)/2
127
128		As long as a > 0, the quantity
129
130		(bitsize of a) + (bitsize of b)
131
132		is reduced by at least one bit per iteration, hence after
133		(bit_size of orig_a) + (bit_size of m) - 1 iterations we
134		surely have a = 0. Then b = gcd(orig_a, m) and if b = 1 then
135		also v = orig_a^{-1} (mod m)
136		*/
137
138	0	assert_maybe (bp[0] & 1);
139	0	odd = ap[0] & 1;
140
141	0	swap = mpn_cnd_sub_n (odd, ap, ap, bp, n);
142	0	mpn_cnd_add_n (swap, bp, bp, ap, n);
143	0	cnd_neg (swap, ap, ap, n);
144
145	0	mpn_cnd_swap (swap, up, vp, n);
146	0	cy = mpn_cnd_sub_n (odd, up, up, vp, n);
147	0	cy -= mpn_cnd_add_n (cy, up, up, m->m, n);
148	0	assert_maybe (cy == 0);
149
150	0	cy = mpn_rshift (ap, ap, n, 1);
151	0	assert_maybe (cy == 0);
152	0	cy = mpn_rshift (up, up, n, 1);
153	0	cy = mpn_cnd_add_n (cy, up, up, m->mp1h, n);
154	0	assert_maybe (cy == 0);
155	0	}
156	0	assert_maybe ( (ap[0] \| ap[n-1]) == 0);
157	0	#undef ap
158	0	#undef bp
159	0	#undef up
160	0	}

Coverage Report

Created: 2025-03-18 06:55