Diffstat (limited to 'src/lib/math/ec_gfp/point_gfp.cpp')
-rw-r--r-- | src/lib/math/ec_gfp/point_gfp.cpp | 82 |
1 files changed, 0 insertions, 82 deletions
diff --git a/src/lib/math/ec_gfp/point_gfp.cpp b/src/lib/math/ec_gfp/point_gfp.cpp
index f00f030d7..1489065a0 100644
--- a/src/lib/math/ec_gfp/point_gfp.cpp
+++ b/src/lib/math/ec_gfp/point_gfp.cpp
@@ -304,88 +304,6 @@ PointGFp operator*(const BigInt& scalar, const PointGFp& point)
 return R[0];
 }
 
-Blinded_Point_Multiply::Blinded_Point_Multiply(const PointGFp& base, const BigInt& order, size_t h) :
- m_h(h > 0 ? h : 4), m_order(order), m_ws(9)
- {
- // Upper bound is a sanity check rather than hard limit
- if(m_h < 1 || m_h > 8)
- throw Invalid_Argument("Blinded_Point_Multiply invalid h param");
-
- const CurveGFp& curve = base.get_curve();
-
- const PointGFp inv = -base;
-
- m_U.resize(6*m_h + 3);
-
- m_U[3*m_h+0] = inv;
- m_U[3*m_h+1] = PointGFp::zero_of(curve);
- m_U[3*m_h+2] = base;
-
- for(size_t i = 1; i <= 3 * m_h + 1; ++i)
- {
- m_U[3*m_h+1+i] = m_U[3*m_h+i];
- m_U[3*m_h+1+i].add(base, m_ws);
-
- m_U[3*m_h+1-i] = m_U[3*m_h+2-i];
- m_U[3*m_h+1-i].add(inv, m_ws);
- }
- }
-
-PointGFp Blinded_Point_Multiply::blinded_multiply(const BigInt& scalar_in,
- RandomNumberGenerator& rng)
- {
- if(scalar_in.is_negative())
- throw Invalid_Argument("Blinded_Point_Multiply scalar must be positive");
-
-#if BOTAN_POINTGFP_USE_SCALAR_BLINDING
- // Choose a small mask m and use k' = k + m*order (Coron's 1st countermeasure)
- const BigInt mask(rng, (m_order.bits()+1)/2, false);
- const BigInt scalar = scalar_in + m_order * mask;
-#else
- const BigInt& scalar = scalar_in;
-#endif
-
- const size_t scalar_bits = scalar.bits();
-
- // Randomize each point representation (Coron's 3rd countermeasure)
- for(size_t i = 0; i != m_U.size(); ++i)
- m_U[i].randomize_repr(rng);
-
- PointGFp R = m_U.at(3*m_h + 2); // base point
- int32_t alpha = 0;
-
- R.randomize_repr(rng);
-
- /*
- Algorithm 7 from "Randomizing the Montgomery Powering Ladder"
- Duc-Phong Le, Chik How Tan and Michael Tunstall
- https://eprint.iacr.org/2015/657
-
- It takes a random walk through (a subset of) the set of addition
- chains that end in k.
- */
- for(size_t i = scalar_bits; i > 0; i--)
- {
- const int32_t ki = scalar.get_bit(i);
-
- // choose gamma from -h,...,h
- const int32_t gamma = static_cast<int32_t>((rng.next_byte() % (2*m_h))) - m_h;
- const int32_t l = gamma - 2*alpha + ki - (ki ^ 1);
-
- R.mult2(m_ws);
- R.add(m_U.at(3*m_h + 1 + l), m_ws);
- alpha = gamma;
- }
-
- const int32_t k0 = scalar.get_bit(0);
- R.add(m_U[3*m_h + 1 - alpha - (k0 ^ 1)], m_ws);
-
-
- //BOTAN_ASSERT(R.on_the_curve(), "Output is on the curve");
-
- return R;
- }
-
 BigInt PointGFp::get_affine_x() const
 {
 if(is_zero()) |