1 /* Copyright 2016 Brian Smith. 2 * 3 * Permission to use, copy, modify, and/or distribute this software for any 4 * purpose with or without fee is hereby granted, provided that the above 5 * copyright notice and this permission notice appear in all copies. 6 * 7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES 8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF 9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY 10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION 12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN 13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ 14 15 #include <openssl/bn.h> 16 17 #include <assert.h> 18 19 #include "internal.h" 20 #include "../../internal.h" 21 22 23 static uint64_t bn_neg_inv_mod_r_u64(uint64_t n); 24 25 OPENSSL_COMPILE_ASSERT(BN_MONT_CTX_N0_LIMBS == 1 || BN_MONT_CTX_N0_LIMBS == 2, 26 BN_MONT_CTX_N0_LIMBS_VALUE_INVALID_2); 27 OPENSSL_COMPILE_ASSERT(sizeof(uint64_t) == 28 BN_MONT_CTX_N0_LIMBS * sizeof(BN_ULONG), 29 BN_MONT_CTX_N0_LIMBS_DOES_NOT_MATCH_UINT64_T); 30 31 // LG_LITTLE_R is log_2(r). 32 #define LG_LITTLE_R (BN_MONT_CTX_N0_LIMBS * BN_BITS2) 33 34 uint64_t bn_mont_n0(const BIGNUM *n) { 35 // These conditions are checked by the caller, |BN_MONT_CTX_set|. 36 assert(!BN_is_zero(n)); 37 assert(!BN_is_negative(n)); 38 assert(BN_is_odd(n)); 39 40 // r == 2**(BN_MONT_CTX_N0_LIMBS * BN_BITS2) and LG_LITTLE_R == lg(r). This 41 // ensures that we can do integer division by |r| by simply ignoring 42 // |BN_MONT_CTX_N0_LIMBS| limbs. Similarly, we can calculate values modulo 43 // |r| by just looking at the lowest |BN_MONT_CTX_N0_LIMBS| limbs. This is 44 // what makes Montgomery multiplication efficient. 45 // 46 // As shown in Algorithm 1 of "Fast Prime Field Elliptic Curve Cryptography 47 // with 256 Bit Primes" by Shay Gueron and Vlad Krasnov, in the loop of a 48 // multi-limb Montgomery multiplication of |a * b (mod n)|, given the 49 // unreduced product |t == a * b|, we repeatedly calculate: 50 // 51 // t1 := t % r |t1| is |t|'s lowest limb (see previous paragraph). 52 // t2 := t1*n0*n 53 // t3 := t + t2 54 // t := t3 / r copy all limbs of |t3| except the lowest to |t|. 55 // 56 // In the last step, it would only make sense to ignore the lowest limb of 57 // |t3| if it were zero. The middle steps ensure that this is the case: 58 // 59 // t3 == 0 (mod r) 60 // t + t2 == 0 (mod r) 61 // t + t1*n0*n == 0 (mod r) 62 // t1*n0*n == -t (mod r) 63 // t*n0*n == -t (mod r) 64 // n0*n == -1 (mod r) 65 // n0 == -1/n (mod r) 66 // 67 // Thus, in each iteration of the loop, we multiply by the constant factor 68 // |n0|, the negative inverse of n (mod r). 69 70 // n_mod_r = n % r. As explained above, this is done by taking the lowest 71 // |BN_MONT_CTX_N0_LIMBS| limbs of |n|. 72 uint64_t n_mod_r = n->d[0]; 73 #if BN_MONT_CTX_N0_LIMBS == 2 74 if (n->top > 1) { 75 n_mod_r |= (uint64_t)n->d[1] << BN_BITS2; 76 } 77 #endif 78 79 return bn_neg_inv_mod_r_u64(n_mod_r); 80 } 81 82 // bn_neg_inv_r_mod_n_u64 calculates the -1/n mod r; i.e. it calculates |v| 83 // such that u*r - v*n == 1. |r| is the constant defined in |bn_mont_n0|. |n| 84 // must be odd. 85 // 86 // This is derived from |xbinGCD| in Henry S. Warren, Jr.'s "Montgomery 87 // Multiplication" (http://www.hackersdelight.org/MontgomeryMultiplication.pdf). 88 // It is very similar to the MODULAR-INVERSE function in Stephen R. Duss's and 89 // Burton S. Kaliski Jr.'s "A Cryptographic Library for the Motorola DSP56000" 90 // (http://link.springer.com/chapter/10.1007%2F3-540-46877-3_21). 91 // 92 // This is inspired by Joppe W. Bos's "Constant Time Modular Inversion" 93 // (http://www.joppebos.com/files/CTInversion.pdf) so that the inversion is 94 // constant-time with respect to |n|. We assume uint64_t additions, 95 // subtractions, shifts, and bitwise operations are all constant time, which 96 // may be a large leap of faith on 32-bit targets. We avoid division and 97 // multiplication, which tend to be the most problematic in terms of timing 98 // leaks. 99 // 100 // Most GCD implementations return values such that |u*r + v*n == 1|, so the 101 // caller would have to negate the resultant |v| for the purpose of Montgomery 102 // multiplication. This implementation does the negation implicitly by doing 103 // the computations as a difference instead of a sum. 104 static uint64_t bn_neg_inv_mod_r_u64(uint64_t n) { 105 assert(n % 2 == 1); 106 107 // alpha == 2**(lg r - 1) == r / 2. 108 static const uint64_t alpha = UINT64_C(1) << (LG_LITTLE_R - 1); 109 110 const uint64_t beta = n; 111 112 uint64_t u = 1; 113 uint64_t v = 0; 114 115 // The invariant maintained from here on is: 116 // 2**(lg r - i) == u*2*alpha - v*beta. 117 for (size_t i = 0; i < LG_LITTLE_R; ++i) { 118 #if BN_BITS2 == 64 && defined(BN_ULLONG) 119 assert((BN_ULLONG)(1) << (LG_LITTLE_R - i) == 120 ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta)); 121 #endif 122 123 // Delete a common factor of 2 in u and v if |u| is even. Otherwise, set 124 // |u = (u + beta) / 2| and |v = (v / 2) + alpha|. 125 126 uint64_t u_is_odd = UINT64_C(0) - (u & 1); // Either 0xff..ff or 0. 127 128 // The addition can overflow, so use Dietz's method for it. 129 // 130 // Dietz calculates (x+y)/2 by (xy)>>1 + x&y. This is valid for all 131 // (unsigned) x and y, even when x+y overflows. Evidence for 32-bit values 132 // (embedded in 64 bits to so that overflow can be ignored): 133 // 134 // (declare-fun x () (_ BitVec 64)) 135 // (declare-fun y () (_ BitVec 64)) 136 // (assert (let ( 137 // (one (_ bv1 64)) 138 // (thirtyTwo (_ bv32 64))) 139 // (and 140 // (bvult x (bvshl one thirtyTwo)) 141 // (bvult y (bvshl one thirtyTwo)) 142 // (not (= 143 // (bvadd (bvlshr (bvxor x y) one) (bvand x y)) 144 // (bvlshr (bvadd x y) one))) 145 // ))) 146 // (check-sat) 147 uint64_t beta_if_u_is_odd = beta & u_is_odd; // Either |beta| or 0. 148 u = ((u ^ beta_if_u_is_odd) >> 1) + (u & beta_if_u_is_odd); 149 150 uint64_t alpha_if_u_is_odd = alpha & u_is_odd; // Either |alpha| or 0. 151 v = (v >> 1) + alpha_if_u_is_odd; 152 } 153 154 // The invariant now shows that u*r - v*n == 1 since r == 2 * alpha. 155 #if BN_BITS2 == 64 && defined(BN_ULLONG) 156 assert(1 == ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta)); 157 #endif 158 159 return v; 160 } 161 162 // bn_mod_exp_base_2_vartime calculates r = 2**p (mod n). |p| must be larger 163 // than log_2(n); i.e. 2**p must be larger than |n|. |n| must be positive and 164 // odd. 165 int bn_mod_exp_base_2_vartime(BIGNUM *r, unsigned p, const BIGNUM *n) { 166 assert(!BN_is_zero(n)); 167 assert(!BN_is_negative(n)); 168 assert(BN_is_odd(n)); 169 170 BN_zero(r); 171 172 unsigned n_bits = BN_num_bits(n); 173 assert(n_bits != 0); 174 if (n_bits == 1) { 175 return 1; 176 } 177 178 // Set |r| to the smallest power of two larger than |n|. 179 assert(p > n_bits); 180 if (!BN_set_bit(r, n_bits)) { 181 return 0; 182 } 183 184 // Unconditionally reduce |r|. 185 assert(BN_cmp(r, n) > 0); 186 if (!BN_usub(r, r, n)) { 187 return 0; 188 } 189 assert(BN_cmp(r, n) < 0); 190 191 for (unsigned i = n_bits; i < p; ++i) { 192 // This is like |BN_mod_lshift1_quick| except using |BN_usub|. 193 // 194 // TODO: Replace this with the use of a constant-time variant of 195 // |BN_mod_lshift1_quick|. 196 if (!BN_lshift1(r, r)) { 197 return 0; 198 } 199 if (BN_cmp(r, n) >= 0) { 200 if (!BN_usub(r, r, n)) { 201 return 0; 202 } 203 } 204 } 205 206 return 1; 207 } 208