diff --git a/src/fuzzer/mp_redc_crandall.cpp b/src/fuzzer/mp_redc_crandall.cpp new file mode 100644 index 00000000000..1f9f1d3a2b1 --- /dev/null +++ b/src/fuzzer/mp_redc_crandall.cpp @@ -0,0 +1,44 @@ +/* +* (C) 2024 Jack Lloyd +* +* Botan is released under the Simplified BSD License (see license.txt) +*/ + +#include "mp_fuzzers.h" + +#include +#include + +void fuzz(const uint8_t in[], size_t in_len) { + if(in_len != 8 * sizeof(word)) { + return; + } + +#if BOTAN_MP_WORD_BITS == 64 + // secp256k1 modulus + const word C = 0x1000003d1; +#else + // 128 bit prime with largest possible C + const word C = 0xffffffe1; +#endif + + static const Botan::BigInt refp = Botan::BigInt::power_of_2(4 * BOTAN_MP_WORD_BITS) - C; + static const Botan::BigInt refp2 = refp * refp; + + const auto refz = Botan::BigInt::from_bytes(std::span{in, in_len}); + + if(refz >= refp2) { + return; + } + + const auto refc = refz % refp; + + std::array z = {}; + for(size_t i = 0; i != 8; ++i) { + z[7 - i] = Botan::load_be(in, i); + } + + const auto rc = Botan::redc_crandall(z); + + compare_word_vec(rc.data(), 4, refc._data(), refc.sig_words(), "Crandall reduction"); +} diff --git a/src/lib/math/mp/mp_core.h b/src/lib/math/mp/mp_core.h index d94fe519485..2a1b20047aa 100644 --- a/src/lib/math/mp/mp_core.h +++ b/src/lib/math/mp/mp_core.h @@ -384,7 +384,7 @@ inline constexpr void bigint_monty_maybe_sub(size_t N, W z[], W x0, const W x[], z[i] = word_sub(x[i], p[i], &borrow); } - word_sub(x0, static_cast(0), &borrow); + borrow = (x0 - borrow) > x0; CT::conditional_assign_mem(borrow, z, x, N); } @@ -418,7 +418,7 @@ inline constexpr void bigint_monty_maybe_sub(W z[N], W x0, const W x[N], const W } } - word_sub(x0, static_cast(0), &borrow); + borrow = (x0 - borrow) > x0; CT::conditional_assign_mem(borrow, z, x, N); } @@ -1086,6 +1086,57 @@ void bigint_mul(word z[], void bigint_sqr(word z[], size_t z_size, const word x[], size_t x_size, size_t x_sw, word workspace[], size_t ws_size); +/** +* Return 2**B - C +*/ +template +consteval std::array crandall_p() { + static_assert(C % 2 == 1); + std::array P; + for(size_t i = 0; i != N; ++i) { + P[i] = WordInfo::max; + } + P[0] = WordInfo::max - (C - 1); + return P; +} + +/** +* Reduce z modulo p = 2**B - C where C is small +* +* z is assumed to be at most (p-1)**2 +* +* For details on the algorithm see +* - Handbook of Applied Cryptography, Algorithm 14.47 +* - Guide to Elliptic Curve Cryptography, Algorithm 2.54 and Note 2.55 +* +*/ +template +constexpr std::array redc_crandall(std::span z) { + static_assert(N >= 2); + + std::array hi = {}; + + // hi = hi * c + lo + + W carry = 0; + for(size_t i = 0; i != N; ++i) { + hi[i] = word_madd3(z[i + N], C, z[i], &carry); + } + + // hi += carry * C + word carry_c[2] = {0}; + carry_c[0] = word_madd2(carry, C, &carry_c[1]); + + carry = bigint_add2_nc(hi.data(), N, carry_c, 2); + + constexpr auto P = crandall_p(); + + std::array r = {}; + bigint_monty_maybe_sub(r.data(), carry, hi.data(), P.data()); + + return r; +} + } // namespace Botan #endif diff --git a/src/lib/math/pcurves/pcurves_secp256k1/pcurves_secp256k1.cpp b/src/lib/math/pcurves/pcurves_secp256k1/pcurves_secp256k1.cpp index 5a701fabeb7..1d4b42fe0d7 100644 --- a/src/lib/math/pcurves/pcurves_secp256k1/pcurves_secp256k1.cpp +++ b/src/lib/math/pcurves/pcurves_secp256k1/pcurves_secp256k1.cpp @@ -12,9 +12,33 @@ namespace Botan::PCurve { namespace { -// clang-format off namespace secp256k1 { +template +class Secp256k1Rep final { + public: + static constexpr auto P = Params::P; + static constexpr size_t N = Params::N; + typedef typename Params::W W; + + static_assert(WordInfo::bits >= 33); + + static constexpr W C = 0x1000003d1; + + constexpr static std::array one() { return std::array{1}; } + + constexpr static std::array redc(const std::array& z) { + return redc_crandall(std::span{z}); + } + + constexpr static std::array to_rep(const std::array& x) { return x; } + + constexpr static std::array wide_to_rep(const std::array& x) { return redc(x); } + + constexpr static std::array from_rep(const std::array& z) { return z; } +}; + +// clang-format off class Params final : public EllipticCurveParameters< "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F", "0", @@ -24,11 +48,15 @@ class Params final : public EllipticCurveParameters< "483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8"> { }; -class Curve final : public EllipticCurve {}; +// clang-format on -} +#if BOTAN_MP_WORD_BITS == 64 +class Curve final : public EllipticCurve {}; +#else +class Curve final : public EllipticCurve {}; +#endif -// clang-format on +} // namespace secp256k1 } // namespace