aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/math/numbertheory
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/math/numbertheory')
-rw-r--r--src/lib/math/numbertheory/mod_inv.cpp147
-rw-r--r--src/lib/math/numbertheory/numthry.h3
2 files changed, 73 insertions, 77 deletions
diff --git a/src/lib/math/numbertheory/mod_inv.cpp b/src/lib/math/numbertheory/mod_inv.cpp
index 8a23707e0..8bc073d9c 100644
--- a/src/lib/math/numbertheory/mod_inv.cpp
+++ b/src/lib/math/numbertheory/mod_inv.cpp
@@ -8,6 +8,7 @@
#include <botan/divide.h>
#include <botan/internal/ct_utils.h>
#include <botan/internal/mp_core.h>
+#include <botan/internal/rounding.h>
namespace Botan {
@@ -101,12 +102,11 @@ namespace {
BigInt inverse_mod_odd_modulus(const BigInt& n, const BigInt& mod)
{
- if(n.is_negative() || mod.is_negative())
- throw Invalid_Argument("inverse_mod_odd_modulus: arguments must be non-negative");
- if(mod < 3 || mod.is_even())
- throw Invalid_Argument("Bad modulus to inverse_mod_odd_modulus");
- if(n >= mod)
- throw Invalid_Argument("inverse_mod_odd_modulus n >= mod not supported");
+ // Caller should assure these preconditions:
+ BOTAN_DEBUG_ASSERT(n.is_positive());
+ BOTAN_DEBUG_ASSERT(mod.is_positive());
+ BOTAN_DEBUG_ASSERT(n < mod);
+ BOTAN_DEBUG_ASSERT(mod >= 3 && mod.is_odd());
/*
This uses a modular inversion algorithm designed by Niels Möller
@@ -127,98 +127,85 @@ BigInt inverse_mod_odd_modulus(const BigInt& n, const BigInt& mod)
about it, and the reference to the paper.
*/
- // todo allow this to be pre-calculated and passed in as arg
- BigInt mp1o2 = (mod + 1) >> 1;
-
const size_t mod_words = mod.sig_words();
BOTAN_ASSERT(mod_words > 0, "Not empty");
- BigInt a = n;
- BigInt b = mod;
- BigInt u = 1, v = 0;
+ secure_vector<word> tmp_mem(5*mod_words);
+
+ word* v_w = &tmp_mem[0];
+ word* u_w = &tmp_mem[1*mod_words];
+ word* b_w = &tmp_mem[2*mod_words];
+ word* a_w = &tmp_mem[3*mod_words];
+ word* mp1o2 = &tmp_mem[4*mod_words];
- a.grow_to(mod_words);
- u.grow_to(mod_words);
- v.grow_to(mod_words);
- mp1o2.grow_to(mod_words);
+ copy_mem(a_w, n.data(), std::min(n.size(), mod_words));
+ copy_mem(b_w, mod.data(), std::min(mod.size(), mod_words));
+ u_w[0] = 1;
+ // v_w = 0
- secure_vector<word>& a_w = a.get_word_vector();
- secure_vector<word>& b_w = b.get_word_vector();
- secure_vector<word>& u_w = u.get_word_vector();
- secure_vector<word>& v_w = v.get_word_vector();
+ // compute (mod + 1) / 2 which [because mod is odd] is equal to
+ // (mod / 2) + 1
+ copy_mem(mp1o2, mod.data(), std::min(mod.size(), mod_words));
+ bigint_shr1(mp1o2, mod_words, 0, 1);
+ word carry = bigint_add2_nc(mp1o2, mod_words, u_w, 1);
+ BOTAN_ASSERT_NOMSG(carry == 0);
- CT::poison(a_w.data(), a_w.size());
- CT::poison(b_w.data(), b_w.size());
- CT::poison(u_w.data(), u_w.size());
- CT::poison(v_w.data(), v_w.size());
+ CT::poison(tmp_mem.data(), tmp_mem.size());
// Only n.bits() + mod.bits() iterations are required, but avoid leaking the size of n
- size_t bits = 2 * mod.bits();
+ size_t execs = 2 * mod.bits();
- while(bits--)
+ while(execs--)
{
- /*
- const word odd = a.is_odd();
- a -= odd * b;
- const word underflow = a.is_negative();
- b += a * underflow;
- a.set_sign(BigInt::Positive);
-
- a >>= 1;
-
- if(underflow)
- {
- std::swap(u, v);
- }
-
- u -= odd * v;
- u += u.is_negative() * mod;
-
- const word odd_u = u.is_odd();
-
- u >>= 1;
- u += mp1o2 * odd_u;
- */
-
const word odd_a = a_w[0] & 1;
//if(odd_a) a -= b
- word underflow = bigint_cnd_sub(odd_a, a_w.data(), b_w.data(), mod_words);
+ word underflow = bigint_cnd_sub(odd_a, a_w, b_w, mod_words);
//if(underflow) { b -= a; a = abs(a); swap(u, v); }
- bigint_cnd_add(underflow, b_w.data(), a_w.data(), mod_words);
- bigint_cnd_abs(underflow, a_w.data(), mod_words);
- bigint_cnd_swap(underflow, u_w.data(), v_w.data(), mod_words);
+ bigint_cnd_add(underflow, b_w, a_w, mod_words);
+ bigint_cnd_abs(underflow, a_w, mod_words);
+ bigint_cnd_swap(underflow, u_w, v_w, mod_words);
// a >>= 1
- bigint_shr1(a_w.data(), mod_words, 0, 1);
+ bigint_shr1(a_w, mod_words, 0, 1);
//if(odd_a) u -= v;
- word borrow = bigint_cnd_sub(odd_a, u_w.data(), v_w.data(), mod_words);
+ word borrow = bigint_cnd_sub(odd_a, u_w, v_w, mod_words);
// if(borrow) u += p
- bigint_cnd_add(borrow, u_w.data(), mod.data(), mod_words);
+ bigint_cnd_add(borrow, u_w, mod.data(), mod_words);
const word odd_u = u_w[0] & 1;
// u >>= 1
- bigint_shr1(u_w.data(), mod_words, 0, 1);
+ bigint_shr1(u_w, mod_words, 0, 1);
//if(odd_u) u += mp1o2;
- bigint_cnd_add(odd_u, u_w.data(), mp1o2.data(), mod_words);
+ bigint_cnd_add(odd_u, u_w, mp1o2, mod_words);
}
- CT::unpoison(a_w.data(), a_w.size());
- CT::unpoison(b_w.data(), b_w.size());
- CT::unpoison(u_w.data(), u_w.size());
- CT::unpoison(v_w.data(), v_w.size());
+ auto a_is_0 = CT::Mask<word>::set();
+ for(size_t i = 0; i != mod_words; ++i)
+ a_is_0 &= CT::Mask<word>::is_zero(a_w[i]);
- BOTAN_ASSERT(a.is_zero(), "A is zero");
+ auto b_is_1 = CT::Mask<word>::is_equal(b_w[0], 1);
+ for(size_t i = 1; i != mod_words; ++i)
+ b_is_1 &= CT::Mask<word>::is_zero(b_w[i]);
- if(b != 1)
- return 0;
+ BOTAN_ASSERT(a_is_0.is_set(), "A is zero");
+
+ // if b != 1 then gcd(n,mod) > 1 and inverse does not exist
+ // in which case zero out the result to indicate this
+ (~b_is_1).if_set_zero_out(v_w, mod_words);
- return v;
+ clear_mem(&tmp_mem[mod_words], 4*mod_words);
+
+ CT::unpoison(tmp_mem.data(), tmp_mem.size());
+
+ BigInt r;
+ r.swap_reg(tmp_mem);
+ return r;
}
BigInt inverse_mod_pow2(const BigInt& a1, size_t k)
@@ -237,15 +224,25 @@ BigInt inverse_mod_pow2(const BigInt& a1, size_t k)
BigInt b = 1;
BigInt X = 0;
- for(size_t i = 0; i != k; ++i)
+ const size_t a_words = 1 + a.sig_words();
+
+ /*
+ Hide the exact value of k. k is anyway known to word length
+ granularity because of the length of a, so no point in doing more
+ than this.
+ */
+ const size_t iter = round_up(k, BOTAN_MP_WORD_BITS);
+
+ for(size_t i = 0; i != iter; ++i)
{
const bool b0 = b.get_bit(0);
-
X.conditionally_set_bit(i, b0);
- b -= a * b0;
- b /= 2;
+ b.grow_to(a_words);
+ bigint_cnd_sub(b0, b.mutable_data(), b.size(), a.data(), a.sig_words());
+ b >>= 1;
}
+ X.mask_bits(k);
return X;
}
@@ -257,9 +254,7 @@ BigInt inverse_mod(const BigInt& n, const BigInt& mod)
throw BigInt::DivideByZero();
if(mod.is_negative() || n.is_negative())
throw Invalid_Argument("inverse_mod: arguments must be non-negative");
- if(n.is_zero())
- return 0;
- if(n.is_even() && mod.is_even())
+ if(n.is_zero() || (n.is_even() && mod.is_even()))
return 0;
if(mod.is_odd())
@@ -306,10 +301,10 @@ BigInt inverse_mod(const BigInt& n, const BigInt& mod)
// Compute h = c*(inv_2k-inv_o) mod 2^k
BigInt h = c * (inv_2k - inv_o);
const bool h_neg = h.is_negative();
- h.mask_bits(mod_lz);
h.set_sign(BigInt::Positive);
- if(h_neg && h > 0)
- h = BigInt::power_of_2(mod_lz) - h;
+ h.mask_bits(mod_lz);
+ const bool h_nonzero = h.is_nonzero();
+ h.ct_cond_assign(h_nonzero && h_neg, BigInt::power_of_2(mod_lz) - h);
// Return result inv_o + h * o
h *= o;
diff --git a/src/lib/math/numbertheory/numthry.h b/src/lib/math/numbertheory/numthry.h
index b476db600..e818aa0bb 100644
--- a/src/lib/math/numbertheory/numthry.h
+++ b/src/lib/math/numbertheory/numthry.h
@@ -81,7 +81,8 @@ BigInt BOTAN_PUBLIC_API(2,0) square(const BigInt& x);
* as long as x is less than modulus. It also avoids leaking
* information about the modulus, except that it does leak which of 3
* categories the modulus is in: an odd integer, a power of 2, or some
-* other even number.
+* other even number, and if the modulus is even, leaks the power of 2
+* which divides the modulus.
*
* @param x a positive integer
* @param modulus a positive integer