/* =================================================================== * * Copyright (c) 2018, Helder Eijs * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. * =================================================================== */ #include #include #include #include #include #include "common.h" #include "endianess.h" FAKE_INIT(modexp) #include "mont.h" #include "modexp_utils.h" /** Multiplication will be replaced by a look-up **/ /** Do not change this value! **/ #define WINDOW_SIZE 4 /* * Modular exponentiation. All numbers are * encoded in big endian form, possibly with * zero padding on the left. * * @param out The memory area where to store the result * @param base Base number, strictly smaller than the modulus * @param exp Exponent * @param modulus Modulus, it must be odd * @param len Size in bytes of out, base, exp, and modulus * @param seed A random seed, used for avoiding side-channel * attacks * @return 0 in case of success, the appropriate error code otherwise */ EXPORT_SYM int monty_pow( uint8_t *out, const uint8_t *base, const uint8_t *exp, const uint8_t *modulus, size_t len, uint64_t seed) { unsigned i, j; size_t exp_len; int res; MontContext *ctx = NULL; uint64_t *powers[1 << WINDOW_SIZE] = { NULL }; uint64_t *power_idx = NULL; ProtMemory *prot = NULL; uint64_t *mont_base = NULL; uint64_t *x = NULL; uint64_t *scratchpad = NULL; uint8_t *buf_out = NULL; struct BitWindow_LR bit_window; if (!base || !exp || !modulus || !out) return ERR_NULL; if (len == 0) return ERR_NOT_ENOUGH_DATA; /* Allocations **/ res = mont_context_init(&ctx, modulus, len); if (res) return res; for (i=0; i<(1 << WINDOW_SIZE); i++) { res = mont_number(powers+i, 1, ctx); if (res) goto cleanup; } res = mont_number(&power_idx, 1, ctx); if (res) goto cleanup; res = mont_from_bytes(&mont_base, base, len, ctx); if (res) goto cleanup; res = mont_number(&x, 1, ctx); if (res) goto cleanup; res = mont_number(&scratchpad, SCRATCHPAD_NR, ctx); if (res) goto cleanup; buf_out = (uint8_t*)calloc(1, mont_bytes(ctx)); if (NULL == buf_out) { res = ERR_MEMORY; goto cleanup; } /** Result is initially 1 in Montgomery form **/ mont_set(x, 1, ctx); /** Pre-compute powers a^0 mod n, a^1 mod n, a^2 mod n, ... a^(2^WINDOW_SIZE-1) mod n **/ mont_copy(powers[0], x, ctx); mont_copy(powers[1], mont_base, ctx); for (i=1; i<(1 << (WINDOW_SIZE-1)); i++) { mont_mult(powers[i*2], powers[i], powers[i], scratchpad, ctx); mont_mult(powers[i*2+1], powers[i*2], mont_base, scratchpad, ctx); } res = scatter(&prot, (const void**)powers, 1<