bool PointGFp::operator==(const PointGFp& other) const
{
if(m_curve != other.m_curve)
return false;
// If this is zero, only equal if other is also zero
if(is_zero())
return other.is_zero();
return (get_affine_x() == other.get_affine_x() &&
get_affine_y() == other.get_affine_y());
}
PointGFp multi_exponentiate(const PointGFp& p1, const BigInt& z1,
const PointGFp& p2, const BigInt& z2)
{
const PointGFp p3 = p1 + p2;
PointGFp H(p1.get_curve()); // create as zero
size_t bits_left = std::max(z1.bits(), z2.bits());
std::vector<BigInt> ws(9);
while(bits_left)
{
H.mult2(ws);
const bool z1_b = z1.get_bit(bits_left - 1);
const bool z2_b = z2.get_bit(bits_left - 1);
if(z1_b == true && z2_b == true)
H.add(p3, ws);
else if(z1_b)
H.add(p1, ws);
else if(z2_b)
H.add(p2, ws);
--bits_left;
}
if(z1.is_negative() != z2.is_negative())
H.negate();
return H;
}
PointGFp operator*(const BigInt& scalar, const PointGFp& point)
{
//BOTAN_ASSERT(point.on_the_curve(), "Input is on the curve");
const CurveGFp& curve = point.get_curve();
const size_t scalar_bits = scalar.bits();
std::vector<BigInt> ws(9);
PointGFp R[2] = { PointGFp(curve), point };
for(size_t i = scalar_bits; i > 0; i--)
{
const size_t b = scalar.get_bit(i - 1);
R[b ^ 1].add(R[b], ws);
R[b].mult2(ws);
}
if(scalar.is_negative())
R[0].negate();
//BOTAN_ASSERT(R[0].on_the_curve(), "Output is on the curve");
return R[0];
}
// encoding and decoding
secure_vector<uint8_t> EC2OSP(const PointGFp& point, uint8_t format)
{
if(point.is_zero())
return secure_vector<uint8_t>(1); // single 0 byte
const size_t p_bytes = point.get_curve().get_p().bytes();
BigInt x = point.get_affine_x();
BigInt y = point.get_affine_y();
secure_vector<uint8_t> bX = BigInt::encode_1363(x, p_bytes);
secure_vector<uint8_t> bY = BigInt::encode_1363(y, p_bytes);
if(format == PointGFp::UNCOMPRESSED)
{
secure_vector<uint8_t> result;
result.push_back(0x04);
result += bX;
result += bY;
return result;
}
else if(format == PointGFp::COMPRESSED)
{
secure_vector<uint8_t> result;
result.push_back(0x02 | static_cast<uint8_t>(y.get_bit(0)));
result += bX;
return result;
}
else if(format == PointGFp::HYBRID)
{
secure_vector<uint8_t> result;
result.push_back(0x06 | static_cast<uint8_t>(y.get_bit(0)));
result += bX;
result += bY;
return result;
}
else
throw Invalid_Argument("EC2OSP illegal point encoding");
}
PointGFp operator*(const BigInt& scalar, const PointGFp& point)
{
//BOTAN_ASSERT(point.on_the_curve(), "Input is on the curve");
const CurveGFp& curve = point.get_curve();
const size_t scalar_bits = scalar.bits();
std::vector<BigInt> ws(9);
if(scalar_bits <= 2)
{
const byte abs_val = scalar.byte_at(0);
if(abs_val == 0)
return PointGFp::zero_of(curve);
PointGFp result = point;
if(abs_val == 2)
result.mult2(ws);
if(scalar.is_negative())
result.negate();
return result;
}
PointGFp R[2] = { PointGFp(curve), point };
for(size_t i = scalar_bits; i > 0; i--)
{
const size_t b = scalar.get_bit(i - 1);
R[b ^ 1].add(R[b], ws);
R[b].mult2(ws);
}
if(scalar.is_negative())
R[0].negate();
//BOTAN_ASSERT(R[0].on_the_curve(), "Output is on the curve");
return R[0];
}
bool ECDSA_Verification_Operation::verify(const byte msg[], size_t msg_len,
const byte sig[], size_t sig_len)
{
if(sig_len != order.bytes()*2)
return false;
BigInt e(msg, msg_len);
BigInt r(sig, sig_len / 2);
BigInt s(sig + sig_len / 2, sig_len / 2);
if(r <= 0 || r >= order || s <= 0 || s >= order)
return false;
BigInt w = inverse_mod(s, order);
PointGFp R = w * multi_exponentiate(base_point, e,
public_point, r);
if(R.is_zero())
return false;
return (R.get_affine_x() % order == r);
}
Blinded_Point_Multiply::Blinded_Point_Multiply(const PointGFp& base, const BigInt& order, size_t h) :
m_h(h > 0 ? h : 4), m_order(order), m_ws(9)
{
// Upper bound is a sanity check rather than hard limit
if(m_h < 1 || m_h > 8)
throw std::invalid_argument("Blinded_Point_Multiply invalid h param");
const CurveGFp& curve = base.get_curve();
#if BOTAN_POINTGFP_BLINDED_MULTIPLY_USE_MONTGOMERY_LADDER
const PointGFp inv = -base;
m_U.resize(6*m_h + 3);
m_U[3*m_h+0] = inv;
m_U[3*m_h+1] = PointGFp::zero_of(curve);
m_U[3*m_h+2] = base;
for(size_t i = 1; i <= 3 * m_h + 1; ++i)
{
m_U[3*m_h+1+i] = m_U[3*m_h+i];
m_U[3*m_h+1+i].add(base, m_ws);
m_U[3*m_h+1-i] = m_U[3*m_h+2-i];
m_U[3*m_h+1-i].add(inv, m_ws);
}
#else
m_U.resize(1 << m_h);
m_U[0] = PointGFp::zero_of(curve);
m_U[1] = base;
for(size_t i = 2; i < m_U.size(); ++i)
{
m_U[i] = m_U[i-1];
m_U[i].add(base, m_ws);
}
#endif
}
// Point addition
void PointGFp::add(const PointGFp& rhs, std::vector<BigInt>& ws_bn)
{
if(is_zero())
{
m_coord_x = rhs.m_coord_x;
m_coord_y = rhs.m_coord_y;
m_coord_z = rhs.m_coord_z;
return;
}
else if(rhs.is_zero())
return;
const BigInt& p = m_curve.get_p();
const size_t cap_size = 2*m_curve.get_p_words() + 2;
for(size_t i = 0; i != ws_bn.size(); ++i)
ws_bn[i].ensure_capacity(cap_size);
BigInt& rhs_z2 = ws_bn[0];
BigInt& U1 = ws_bn[1];
BigInt& S1 = ws_bn[2];
BigInt& lhs_z2 = ws_bn[3];
BigInt& U2 = ws_bn[4];
BigInt& S2 = ws_bn[5];
BigInt& H = ws_bn[6];
BigInt& r = ws_bn[7];
BigInt& tmp = ws_bn[9];
secure_vector<word>& monty_ws = ws_bn[8].get_word_vector();
/*
https://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2
*/
m_curve.sqr(rhs_z2, rhs.m_coord_z, monty_ws);
m_curve.mul(U1, m_coord_x, rhs_z2, monty_ws);
m_curve.mul(tmp, rhs.m_coord_z, rhs_z2, monty_ws); // z^3
m_curve.mul(S1, m_coord_y, tmp, monty_ws);
m_curve.sqr(lhs_z2, m_coord_z, monty_ws);
m_curve.mul(U2, rhs.m_coord_x, lhs_z2, monty_ws);
m_curve.mul(tmp, m_coord_z, lhs_z2, monty_ws);
m_curve.mul(S2, rhs.m_coord_y, tmp, monty_ws);
H = U2;
H -= U1;
if(H.is_negative())
H += p;
r = S2;
r -= S1;
if(r.is_negative())
r += p;
if(H.is_zero())
{
if(r.is_zero())
{
mult2(ws_bn);
return;
}
// setting to zero:
m_coord_x = 0;
m_coord_y = 1;
m_coord_z = 0;
return;
}
m_curve.sqr(U2, H, monty_ws);
m_curve.mul(S2, U2, H, monty_ws);
m_curve.mul(tmp, U1, U2, monty_ws);
U2 = tmp;
m_curve.sqr(m_coord_x, r, monty_ws);
m_coord_x -= S2;
m_coord_x -= (U2 << 1);
while(m_coord_x.is_negative())
m_coord_x += p;
U2 -= m_coord_x;
if(U2.is_negative())
U2 += p;
m_curve.mul(m_coord_y, r, U2, monty_ws);
m_curve.mul(tmp, S1, S2, monty_ws);
m_coord_y -= tmp;
if(m_coord_y.is_negative())
m_coord_y += p;
m_curve.mul(tmp, m_coord_z, rhs.m_coord_z, monty_ws);
m_curve.mul(m_coord_z, tmp, H, monty_ws);
}
PointGFp multi_exponentiate(const PointGFp& x, const BigInt& z1,
const PointGFp& y, const BigInt& z2)
{
const size_t z_bits = round_up(std::max(z1.bits(), z2.bits()), 2);
std::vector<BigInt> ws(PointGFp::WORKSPACE_SIZE);
PointGFp x2 = x;
x2.mult2(ws);
const PointGFp x3(x2.plus(x, ws));
PointGFp y2 = y;
y2.mult2(ws);
const PointGFp y3(y2.plus(y, ws));
const PointGFp M[16] = {
x.zero(), // 0000
x, // 0001
x2, // 0010
x3, // 0011
y, // 0100
y.plus(x, ws), // 0101
y.plus(x2, ws), // 0110
y.plus(x3, ws), // 0111
y2, // 1000
y2.plus(x, ws), // 1001
y2.plus(x2, ws), // 1010
y2.plus(x3, ws), // 1011
y3, // 1100
y3.plus(x, ws), // 1101
y3.plus(x2, ws), // 1110
y3.plus(x3, ws), // 1111
};
PointGFp H = x.zero();
for(size_t i = 0; i != z_bits; i += 2)
{
if(i > 0)
{
H.mult2(ws);
H.mult2(ws);
}
const uint8_t z1_b = z1.get_substring(z_bits - i - 2, 2);
const uint8_t z2_b = z2.get_substring(z_bits - i - 2, 2);
const uint8_t z12 = (4*z2_b) + z1_b;
H.add(M[z12], ws);
}
if(z1.is_negative() != z2.is_negative())
H.negate();
return H;
}
// Point addition
void PointGFp::add(const PointGFp& rhs, std::vector<BigInt>& ws_bn)
{
if(is_zero())
{
coord_x = rhs.coord_x;
coord_y = rhs.coord_y;
coord_z = rhs.coord_z;
return;
}
else if(rhs.is_zero())
return;
const BigInt& p = curve.get_p();
BigInt& rhs_z2 = ws_bn[0];
BigInt& U1 = ws_bn[1];
BigInt& S1 = ws_bn[2];
BigInt& lhs_z2 = ws_bn[3];
BigInt& U2 = ws_bn[4];
BigInt& S2 = ws_bn[5];
BigInt& H = ws_bn[6];
BigInt& r = ws_bn[7];
monty_sqr(rhs_z2, rhs.coord_z);
monty_mult(U1, coord_x, rhs_z2);
monty_mult(S1, coord_y, monty_mult(rhs.coord_z, rhs_z2));
monty_sqr(lhs_z2, coord_z);
monty_mult(U2, rhs.coord_x, lhs_z2);
monty_mult(S2, rhs.coord_y, monty_mult(coord_z, lhs_z2));
H = U2;
H -= U1;
if(H.is_negative())
H += p;
r = S2;
r -= S1;
if(r.is_negative())
r += p;
if(H.is_zero())
{
if(r.is_zero())
{
mult2(ws_bn);
return;
}
*this = PointGFp(curve); // setting myself to zero
return;
}
monty_sqr(U2, H);
monty_mult(S2, U2, H);
U2 = monty_mult(U1, U2);
monty_sqr(coord_x, r);
coord_x -= S2;
coord_x -= (U2 << 1);
while(coord_x.is_negative())
coord_x += p;
U2 -= coord_x;
if(U2.is_negative())
U2 += p;
monty_mult(coord_y, r, U2);
coord_y -= monty_mult(S1, S2);
if(coord_y.is_negative())
coord_y += p;
monty_mult(coord_z, monty_mult(coord_z, rhs.coord_z), H);
}
PointGFp operator*(const BigInt& scalar, const PointGFp& point)
{
const CurveGFp& curve = point.get_curve();
if(scalar.is_zero())
return PointGFp(curve); // zero point
std::vector<BigInt> ws(9);
if(scalar.abs() <= 2) // special cases for small values
{
byte value = scalar.abs().byte_at(0);
PointGFp result = point;
if(value == 2)
result.mult2(ws);
if(scalar.is_negative())
result.negate();
return result;
}
const size_t scalar_bits = scalar.bits();
#if 0
PointGFp x1 = PointGFp(curve);
PointGFp x2 = point;
size_t bits_left = scalar_bits;
// Montgomery Ladder
while(bits_left)
{
const bool bit_set = scalar.get_bit(bits_left - 1);
if(bit_set)
{
x1.add(x2, ws);
x2.mult2(ws);
}
else
{
x2.add(x1, ws);
x1.mult2(ws);
}
--bits_left;
}
if(scalar.is_negative())
x1.negate();
return x1;
#else
const size_t window_size = 4;
std::vector<PointGFp> Ps(1 << window_size);
Ps[0] = PointGFp(curve);
Ps[1] = point;
for(size_t i = 2; i != Ps.size(); ++i)
{
Ps[i] = Ps[i-1];
Ps[i].add(point, ws);
}
PointGFp H(curve); // create as zero
size_t bits_left = scalar_bits;
while(bits_left >= window_size)
{
for(size_t i = 0; i != window_size; ++i)
H.mult2(ws);
const u32bit nibble = scalar.get_substring(bits_left - window_size,
window_size);
H.add(Ps[nibble], ws);
bits_left -= window_size;
}
while(bits_left)
{
H.mult2(ws);
if(scalar.get_bit(bits_left-1))
H.add(point, ws);
--bits_left;
}
if(scalar.is_negative())
H.negate();
return H;
#endif
}
// Point addition
void PointGFp::add(const PointGFp& rhs, std::vector<BigInt>& ws_bn)
{
if(is_zero())
{
m_coord_x = rhs.m_coord_x;
m_coord_y = rhs.m_coord_y;
m_coord_z = rhs.m_coord_z;
return;
}
else if(rhs.is_zero())
return;
const BigInt& p = m_curve.get_p();
BigInt& rhs_z2 = ws_bn[0];
BigInt& U1 = ws_bn[1];
BigInt& S1 = ws_bn[2];
BigInt& lhs_z2 = ws_bn[3];
BigInt& U2 = ws_bn[4];
BigInt& S2 = ws_bn[5];
BigInt& H = ws_bn[6];
BigInt& r = ws_bn[7];
/*
http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-1998-cmo-2
*/
curve_sqr(rhs_z2, rhs.m_coord_z);
curve_mult(U1, m_coord_x, rhs_z2);
curve_mult(S1, m_coord_y, curve_mult(rhs.m_coord_z, rhs_z2));
curve_sqr(lhs_z2, m_coord_z);
curve_mult(U2, rhs.m_coord_x, lhs_z2);
curve_mult(S2, rhs.m_coord_y, curve_mult(m_coord_z, lhs_z2));
H = U2;
H -= U1;
if(H.is_negative())
H += p;
r = S2;
r -= S1;
if(r.is_negative())
r += p;
if(H.is_zero())
{
if(r.is_zero())
{
mult2(ws_bn);
return;
}
// setting to zero:
m_coord_x = 0;
m_coord_y = 1;
m_coord_z = 0;
return;
}
curve_sqr(U2, H);
curve_mult(S2, U2, H);
U2 = curve_mult(U1, U2);
curve_sqr(m_coord_x, r);
m_coord_x -= S2;
m_coord_x -= (U2 << 1);
while(m_coord_x.is_negative())
m_coord_x += p;
U2 -= m_coord_x;
if(U2.is_negative())
U2 += p;
curve_mult(m_coord_y, r, U2);
m_coord_y -= curve_mult(S1, S2);
if(m_coord_y.is_negative())
m_coord_y += p;
curve_mult(m_coord_z, curve_mult(m_coord_z, rhs.m_coord_z), H);
}
PointGFp Blinded_Point_Multiply::blinded_multiply(const BigInt& scalar_in,
RandomNumberGenerator& rng)
{
if(scalar_in.is_negative())
throw std::invalid_argument("Blinded_Point_Multiply scalar must be positive");
#if BOTAN_POINTGFP_SCALAR_BLINDING_BITS > 0
// Choose a small mask m and use k' = k + m*order (Coron's 1st countermeasure)
const BigInt mask(rng, BOTAN_POINTGFP_SCALAR_BLINDING_BITS, false);
const BigInt scalar = scalar_in + m_order * mask;
#else
const BigInt& scalar = scalar_in;
#endif
const size_t scalar_bits = scalar.bits();
// Randomize each point representation (Coron's 3rd countermeasure)
for(size_t i = 0; i != m_U.size(); ++i)
m_U[i].randomize_repr(rng);
#if BOTAN_POINTGFP_BLINDED_MULTIPLY_USE_MONTGOMERY_LADDER
PointGFp R = m_U.at(3*m_h + 2); // base point
int32_t alpha = 0;
R.randomize_repr(rng);
/*
Algorithm 7 from "Randomizing the Montgomery Powering Ladder"
Duc-Phong Le, Chik How Tan and Michael Tunstall
http://eprint.iacr.org/2015/657
It takes a random walk through (a subset of) the set of addition
chains that end in k.
*/
for(size_t i = scalar_bits; i > 0; i--)
{
const int32_t ki = scalar.get_bit(i);
// choose gamma from -h,...,h
const int32_t gamma = static_cast<int32_t>((rng.next_byte() % (2*m_h))) - m_h;
const int32_t l = gamma - 2*alpha + ki - (ki ^ 1);
R.mult2(m_ws);
R.add(m_U.at(3*m_h + 1 + l), m_ws);
alpha = gamma;
}
const int32_t k0 = scalar.get_bit(0);
R.add(m_U[3*m_h + 1 - alpha - (k0 ^ 1)], m_ws);
#else
// N-bit windowing exponentiation:
size_t windows = round_up(scalar_bits, m_h) / m_h;
PointGFp R = m_U[0];
if(windows > 0)
{
windows--;
const u32bit nibble = scalar.get_substring(windows*m_h, m_h);
R.add(m_U[nibble], m_ws);
/*
Randomize after adding the first nibble as before the addition R
is zero, and we cannot effectively randomize the point
representation of the zero point.
*/
R.randomize_repr(rng);
while(windows)
{
for(size_t i = 0; i != m_h; ++i)
R.mult2(m_ws);
const u32bit nibble = scalar.get_substring((windows-1)*m_h, m_h);
R.add(m_U[nibble], m_ws);
windows--;
}
}
#endif
//BOTAN_ASSERT(R.on_the_curve(), "Output is on the curve");
return R;
}
