Botan  2.1.0
Crypto and TLS for C++11
Botan::Blinded_Point_Multiply Class Reference

#include <point_gfp.h>

Public Member Functions

PointGFp blinded_multiply (const BigInt &scalar, RandomNumberGenerator &rng)
 
 Blinded_Point_Multiply (const PointGFp &base, const BigInt &order, size_t h=0)
 

Detailed Description

Definition at line 289 of file point_gfp.h.

Constructor & Destructor Documentation

Botan::Blinded_Point_Multiply::Blinded_Point_Multiply ( const PointGFp & base,
const BigInt & order,
size_t  h = 0 
)

Definition at line 308 of file point_gfp.cpp.

References Botan::PointGFp::get_curve(), and Botan::PointGFp::zero_of().

/**
* Precompute the table of small multiples of the base point used by
* blinded_multiply().
*
* @param base  point to be multiplied
* @param order stored in m_order; blinded_multiply() uses it for scalar blinding
* @param h     bound on the random walk; 0 selects the default of 4
* @throws Invalid_Argument if the effective h is outside 1..8
*/
Blinded_Point_Multiply::Blinded_Point_Multiply(const PointGFp& base, const BigInt& order, size_t h) :
   m_h(h > 0 ? h : 4), m_order(order), m_ws(9)
   {
   // The upper bound is a sanity check, not a hard limit
   if(m_h < 1 || m_h > 8)
      throw Invalid_Argument("Blinded_Point_Multiply invalid h param");

   // m_U[zero_idx + k] holds k*base for k = -(3h+1) .. (3h+1)
   const size_t zero_idx = 3*m_h + 1;
   const PointGFp neg_base = -base;

   m_U.resize(2*zero_idx + 1);

   // Seed the three middle entries: -base, the identity, base
   m_U[zero_idx - 1] = neg_base;
   m_U[zero_idx] = PointGFp::zero_of(base.get_curve());
   m_U[zero_idx + 1] = base;

   // Grow outwards from the identity, one addition per entry on each side.
   // m_ws is the scratch workspace handed to every add().
   for(size_t step = 1; step <= zero_idx; ++step)
      {
      PointGFp& above = m_U[zero_idx + step];
      above = m_U[zero_idx + step - 1];
      above.add(base, m_ws);

      PointGFp& below = m_U[zero_idx - step];
      below = m_U[zero_idx + 1 - step];
      below.add(neg_base, m_ws);
      }
   }

Member Function Documentation

PointGFp Botan::Blinded_Point_Multiply::blinded_multiply ( const BigInt & scalar,
RandomNumberGenerator & rng 
)

Definition at line 335 of file point_gfp.cpp.

References Botan::BigInt::bits(), Botan::BigInt::get_bit(), Botan::BigInt::is_negative(), Botan::RandomNumberGenerator::next_byte(), and Botan::PointGFp::randomize_repr().

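/**
* Multiply the base point by a scalar using a randomized addition chain.
*
* Side-channel countermeasures visible in this function:
*  - optional scalar blinding (only if BOTAN_POINTGFP_USE_SCALAR_BLINDING is set),
*  - re-randomization of every table entry and of the accumulator,
*  - a random walk (gamma) through the precomputed table of small multiples.
*
* The call mutates m_U and m_ws and no locking is visible here, so concurrent
* calls on the same object should be assumed unsafe.
*
* @param scalar_in non-negative scalar (zero passes the check)
* @param rng       source of the mask, the representation randomizers and gamma
* @return scalar_in * base
* @throws Invalid_Argument if scalar_in is negative
*/
PointGFp Blinded_Point_Multiply::blinded_multiply(const BigInt& scalar_in,
                                                  RandomNumberGenerator& rng)
   {
   if(scalar_in.is_negative())
      throw Invalid_Argument("Blinded_Point_Multiply scalar must be positive");

#if BOTAN_POINTGFP_USE_SCALAR_BLINDING
   // Choose a small mask m and use k' = k + m*order (Coron's 1st countermeasure)
   // The mask is about half as long as the group order.
   const BigInt mask(rng, (m_order.bits()+1)/2, false);
   const BigInt scalar = scalar_in + m_order * mask;
#else
   // Without the macro the scalar itself is walked unblinded; only the point
   // randomization and the random walk below remain as countermeasures.
   const BigInt& scalar = scalar_in;
#endif

   const size_t scalar_bits = scalar.bits();

   // Signed copy of h so the index arithmetic below stays in int32_t instead
   // of silently promoting to size_t and wrapping (m_h is at most 8).
   const int32_t h = static_cast<int32_t>(m_h);
   const int32_t zero_idx = 3*h + 1; // table entry holding the identity

   // Randomize each point representation (Coron's 3rd countermeasure)
   for(auto& entry : m_U)
      entry.randomize_repr(rng);

   PointGFp R = m_U.at(static_cast<size_t>(zero_idx + 1)); // base point
   int32_t alpha = 0;

   R.randomize_repr(rng);

   /*
   Algorithm 7 from "Randomizing the Montgomery Powering Ladder"
   Duc-Phong Le, Chik How Tan and Michael Tunstall
   http://eprint.iacr.org/2015/657

   It takes a random walk through (a subset of) the set of addition
   chains that end in k.
   */
   for(size_t i = scalar_bits; i > 0; i--)
      {
      const int32_t ki = scalar.get_bit(i);

      // gamma is drawn from -h,...,h-1 (the modulus is 2h, so +h never occurs).
      // NOTE(review): for h where 2h does not divide 256 (3, 5, 6, 7) the
      // byte reduction is slightly biased; the default h = 4 is unbiased.
      const int32_t gamma = static_cast<int32_t>(rng.next_byte() % (2*m_h)) - h;
      const int32_t l = gamma - 2*alpha + ki - (ki ^ 1);

      // NOTE(review): the table index depends on the scalar bit ki, offset by
      // the random gamma/alpha, so this is not a constant-time lookup; any
      // protection against cache observation rests on the randomization.
      R.mult2(m_ws);
      R.add(m_U.at(static_cast<size_t>(zero_idx + l)), m_ws);
      alpha = gamma;
      }

   // Final correction step; bounds-checked like the lookups in the loop
   const int32_t k0 = scalar.get_bit(0);
   R.add(m_U.at(static_cast<size_t>(zero_idx - alpha - (k0 ^ 1))), m_ws);

   // The result is returned without an on-curve check; a caller that needs
   // to detect a faulted computation has to validate the point itself.
   //BOTAN_ASSERT(R.on_the_curve(), "Output is on the curve");

   return R;
   }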

The documentation for this class was generated from the following files: