Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove the workspace argument to various ECC interfaces #4555

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
+97 −138
Open

Remove the workspace argument to various ECC interfaces #4555

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions doc/api_ref/ecc.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -181,7 +181,7 @@ Only curves over prime fields are supported.

Return a random non-zero scalar value

.. cpp:function:: static EC_Scalar gk_x_mod_order(const EC_Scalar& scalar, RandomNumberGenerator& rng, std::vector<BigInt>& ws)
.. cpp:function:: static EC_Scalar gk_x_mod_order(const EC_Scalar& scalar, RandomNumberGenerator& rng)

Compute the elliptic curve scalar multiplication (g*k) where g is the
standard base point on the curve. Then extract the x coordinate of the
Expand Down Expand Up @@ -247,7 +247,7 @@ Only curves over prime fields are supported.

This accepts SEC1 compressed or uncompressed formats

.. cpp:function:: static EC_AffinePoint g_mul(const EC_Scalar& scalar, RandomNumberGenerator& rng, std::vector<BigInt>& ws)
.. cpp:function:: static EC_AffinePoint g_mul(const EC_Scalar& scalar, RandomNumberGenerator& rng)

Fixed base scalar multiplication. Constant time with blinding.

Expand All @@ -260,7 +260,7 @@ Only curves over prime fields are supported.
Constant time 2-ary multiscalar multiplication. Returns p*x + q*y, or
nullopt if the resulting point was the identity element.

.. cpp:function:: EC_AffinePoint mul(const EC_Scalar& scalar, RandomNumberGenerator& rng, std::vector<BigInt>& ws) const
.. cpp:function:: EC_AffinePoint mul(const EC_Scalar& scalar, RandomNumberGenerator& rng) const

Variable base scalar multiplication. Constant time with blinding.

Expand Down
6 changes: 2 additions & 4 deletions src/cli/perf_ec.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,8 +43,6 @@ class PerfTest_EllipticCurve final : public PerfTest {
auto h2c_nu_timer = config.make_timer(group_name + " hash to curve (NU)");
auto h2c_ro_timer = config.make_timer(group_name + " hash to curve (RO)");

std::vector<Botan::BigInt> ws;

auto g = Botan::EC_AffinePoint::generator(group);

const bool h2c_supported = [&]() {
Expand All @@ -58,8 +56,8 @@ class PerfTest_EllipticCurve final : public PerfTest {

while(bp_timer->under(run) && vp_timer->under(run)) {
const auto k = Botan::EC_Scalar::random(group, rng);
const auto r1 = bp_timer->run([&]() { return Botan::EC_AffinePoint::g_mul(k, rng, ws); });
const auto r2 = vp_timer->run([&]() { return g.mul(k, rng, ws); });
const auto r1 = bp_timer->run([&]() { return Botan::EC_AffinePoint::g_mul(k, rng); });
const auto r2 = vp_timer->run([&]() { return g.mul(k, rng); });

const auto r1_bytes = r1.serialize_uncompressed();
const auto r2_bytes = r2.serialize_uncompressed();
Expand Down
6 changes: 2 additions & 4 deletions src/cli/timing_tests.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -265,7 +265,6 @@ class ECDSA_Timing_Test final : public Timing_Test {
const Botan::EC_Scalar m_x;
Botan::EC_Scalar m_b;
Botan::EC_Scalar m_b_inv;
std::vector<Botan::BigInt> m_ws;
};

ECDSA_Timing_Test::ECDSA_Timing_Test(const std::string& ecgroup) :
Expand All @@ -283,7 +282,7 @@ uint64_t ECDSA_Timing_Test::measure_critical_function(const std::vector<uint8_t>
TimingTestTimer timer;

// the following ECDSA operations involve and should not leak any information about k
const auto r = Botan::EC_Scalar::gk_x_mod_order(k, timing_test_rng(), m_ws);
const auto r = Botan::EC_Scalar::gk_x_mod_order(k, timing_test_rng());
const auto k_inv = k.invert();
m_b.square_self();
m_b_inv.square_self();
Expand All @@ -306,14 +305,13 @@ class ECC_Mul_Timing_Test final : public Timing_Test {

private:
const Botan::EC_Group m_group;
std::vector<Botan::BigInt> m_ws;
};

uint64_t ECC_Mul_Timing_Test::measure_critical_function(const std::vector<uint8_t>& input) {
const auto k = Botan::EC_Scalar::from_bytes_with_trunc(m_group, input);

TimingTestTimer timer;
const auto kG = Botan::EC_AffinePoint::g_mul(k, timing_test_rng(), m_ws);
const auto kG = Botan::EC_AffinePoint::g_mul(k, timing_test_rng());
return timer.complete();
}

Expand Down
14 changes: 6 additions & 8 deletions src/lib/pubkey/ec_group/ec_apoint.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -133,19 +133,17 @@ std::optional<EC_AffinePoint> EC_AffinePoint::deserialize(const EC_Group& group,
}
}

EC_AffinePoint EC_AffinePoint::g_mul(const EC_Scalar& scalar, RandomNumberGenerator& rng, std::vector<BigInt>& ws) {
auto pt = scalar._inner().group()->point_g_mul(scalar.inner(), rng, ws);
EC_AffinePoint EC_AffinePoint::g_mul(const EC_Scalar& scalar, RandomNumberGenerator& rng) {
auto pt = scalar._inner().group()->point_g_mul(scalar.inner(), rng);
return EC_AffinePoint(std::move(pt));
}

EC_AffinePoint EC_AffinePoint::mul(const EC_Scalar& scalar, RandomNumberGenerator& rng, std::vector<BigInt>& ws) const {
return EC_AffinePoint(inner().mul(scalar._inner(), rng, ws));
EC_AffinePoint EC_AffinePoint::mul(const EC_Scalar& scalar, RandomNumberGenerator& rng) const {
return EC_AffinePoint(inner().mul(scalar._inner(), rng));
}

secure_vector<uint8_t> EC_AffinePoint::mul_x_only(const EC_Scalar& scalar,
RandomNumberGenerator& rng,
std::vector<BigInt>& ws) const {
return inner().mul_x_only(scalar._inner(), rng, ws);
secure_vector<uint8_t> EC_AffinePoint::mul_x_only(const EC_Scalar& scalar, RandomNumberGenerator& rng) const {
return inner().mul_x_only(scalar._inner(), rng);
}

std::optional<EC_AffinePoint> EC_AffinePoint::mul_px_qy(const EC_AffinePoint& p,
Expand Down
26 changes: 15 additions & 11 deletions src/lib/pubkey/ec_group/ec_apoint.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,9 +51,13 @@ class BOTAN_UNSTABLE_API EC_AffinePoint final {
static std::optional<EC_AffinePoint> from_bigint_xy(const EC_Group& group, const BigInt& x, const BigInt& y);

/// Multiply by the group generator returning a complete point
///
/// Workspace argument is transitional
static EC_AffinePoint g_mul(const EC_Scalar& scalar, RandomNumberGenerator& rng, std::vector<BigInt>& ws);
static EC_AffinePoint g_mul(const EC_Scalar& scalar, RandomNumberGenerator& rng);

BOTAN_DEPRECATED("Use version without workspace arg")
static EC_AffinePoint g_mul(const EC_Scalar& scalar, RandomNumberGenerator& rng, std::vector<BigInt>& ws) {
BOTAN_UNUSED(ws);
return EC_AffinePoint::g_mul(scalar, rng);
}

/// Return the identity element
static EC_AffinePoint identity(const EC_Group& group);
Expand All @@ -78,16 +82,16 @@ class BOTAN_UNSTABLE_API EC_AffinePoint final {
std::span<const uint8_t> domain_sep);

/// Multiply a point by a scalar returning a complete point
///
/// Workspace argument is transitional
EC_AffinePoint mul(const EC_Scalar& scalar, RandomNumberGenerator& rng, std::vector<BigInt>& ws) const;
EC_AffinePoint mul(const EC_Scalar& scalar, RandomNumberGenerator& rng) const;

BOTAN_DEPRECATED("Use version without workspace arg")
EC_AffinePoint mul(const EC_Scalar& scalar, RandomNumberGenerator& rng, std::vector<BigInt>& ws) const {
BOTAN_UNUSED(ws);
return this->mul(scalar, rng);
}

/// Multiply a point by a scalar, returning the byte encoding of the x coordinate only
///
/// Workspace argument is transitional
secure_vector<uint8_t> mul_x_only(const EC_Scalar& scalar,
RandomNumberGenerator& rng,
std::vector<BigInt>& ws) const;
secure_vector<uint8_t> mul_x_only(const EC_Scalar& scalar, RandomNumberGenerator& rng) const;
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For the record: This API was added recently and hence doesn't require a deprecation, correct?

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct.

If this ends up not making it for 3.7 I'll switch it to be like the others with a second deprecated function that ignores the arg


/// Compute 2-ary multiscalar multiplication - p*x + q*y
///
Expand Down
15 changes: 9 additions & 6 deletions src/lib/pubkey/ec_group/ec_group.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -438,14 +438,15 @@ class BOTAN_PUBLIC_API(2, 0) EC_Group final {
* Blinded point multiplication, attempts resistance to side channels
* @param k_bn the scalar
* @param rng a random number generator
* @param ws a temp workspace
* @param ws a (no longer used) temp workspace
* @return base_point*k
*/
BOTAN_DEPRECATED("Use EC_AffinePoint and EC_Scalar")
EC_Point
blinded_base_point_multiply(const BigInt& k_bn, RandomNumberGenerator& rng, std::vector<BigInt>& ws) const {
BOTAN_UNUSED(ws);
auto k = EC_Scalar::from_bigint(*this, k_bn);
auto pt = EC_AffinePoint::g_mul(k, rng, ws);
auto pt = EC_AffinePoint::g_mul(k, rng);
return pt.to_legacy_point();
}

Expand All @@ -455,32 +456,34 @@ class BOTAN_PUBLIC_API(2, 0) EC_Group final {
*
* @param k_bn the scalar
* @param rng a random number generator
* @param ws a temp workspace
* @param ws a (no longer used) temp workspace
* @return x coordinate of base_point*k
*/
BOTAN_DEPRECATED("Use EC_AffinePoint and EC_Scalar")
BigInt
blinded_base_point_multiply_x(const BigInt& k_bn, RandomNumberGenerator& rng, std::vector<BigInt>& ws) const {
BOTAN_UNUSED(ws);
auto k = EC_Scalar::from_bigint(*this, k_bn);
return BigInt(EC_AffinePoint::g_mul(k, rng, ws).x_bytes());
return BigInt(EC_AffinePoint::g_mul(k, rng).x_bytes());
}

/**
* Blinded point multiplication, attempts resistance to side channels
* @param point input point
* @param k_bn the scalar
* @param rng a random number generator
* @param ws a temp workspace
* @param ws a (no longer used) temp workspace
* @return point*k
*/
BOTAN_DEPRECATED("Use EC_AffinePoint and EC_Scalar")
EC_Point blinded_var_point_multiply(const EC_Point& point,
const BigInt& k_bn,
RandomNumberGenerator& rng,
std::vector<BigInt>& ws) const {
BOTAN_UNUSED(ws);
auto k = EC_Scalar::from_bigint(*this, k_bn);
auto pt = EC_AffinePoint(*this, point);
return pt.mul(k, rng, ws).to_legacy_point();
return pt.mul(k, rng).to_legacy_point();
}

/**
Expand Down
10 changes: 4 additions & 6 deletions src/lib/pubkey/ec_group/ec_inner_data.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -222,8 +222,7 @@ std::unique_ptr<EC_Scalar_Data> EC_Group_Data::scalar_from_bigint(const BigInt&
}

std::unique_ptr<EC_Scalar_Data> EC_Group_Data::gk_x_mod_order(const EC_Scalar_Data& scalar,
RandomNumberGenerator& rng,
std::vector<BigInt>& ws) const {
RandomNumberGenerator& rng) const {
if(m_pcurve) {
const auto& k = EC_Scalar_Data_PC::checked_ref(scalar);
auto gk_x_mod_order = m_pcurve->base_point_mul_x_mod_order(k.value(), rng);
Expand All @@ -232,6 +231,7 @@ std::unique_ptr<EC_Scalar_Data> EC_Group_Data::gk_x_mod_order(const EC_Scalar_Da
#if defined(BOTAN_HAS_LEGACY_EC_POINT)
const auto& k = EC_Scalar_Data_BN::checked_ref(scalar);
BOTAN_STATE_CHECK(m_base_mult != nullptr);
std::vector<BigInt> ws;
const auto pt = m_base_mult->mul(k.value(), rng, m_order, ws);

if(pt.is_zero()) {
Expand All @@ -240,7 +240,6 @@ std::unique_ptr<EC_Scalar_Data> EC_Group_Data::gk_x_mod_order(const EC_Scalar_Da
return std::make_unique<EC_Scalar_Data_BN>(shared_from_this(), m_mod_order.reduce(pt.get_affine_x()));
}
#else
BOTAN_UNUSED(ws);
throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
#endif
}
Expand Down Expand Up @@ -315,8 +314,7 @@ std::unique_ptr<EC_AffinePoint_Data> EC_Group_Data::point_hash_to_curve_nu(std::
}

std::unique_ptr<EC_AffinePoint_Data> EC_Group_Data::point_g_mul(const EC_Scalar_Data& scalar,
RandomNumberGenerator& rng,
std::vector<BigInt>& ws) const {
RandomNumberGenerator& rng) const {
if(m_pcurve) {
const auto& k = EC_Scalar_Data_PC::checked_ref(scalar);
auto pt = m_pcurve->mul_by_g(k.value(), rng).to_affine();
Expand All @@ -327,10 +325,10 @@ std::unique_ptr<EC_AffinePoint_Data> EC_Group_Data::point_g_mul(const EC_Scalar_
const auto& bn = EC_Scalar_Data_BN::checked_ref(scalar);

BOTAN_STATE_CHECK(group->m_base_mult != nullptr);
std::vector<BigInt> ws;
auto pt = group->m_base_mult->mul(bn.value(), rng, m_order, ws);
return std::make_unique<EC_AffinePoint_Data_BN>(shared_from_this(), std::move(pt));
#else
BOTAN_UNUSED(ws);
throw Not_Implemented("Legacy EC interfaces disabled in this build configuration");
#endif
}
Expand Down
15 changes: 4 additions & 11 deletions src/lib/pubkey/ec_group/ec_inner_data.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,12 +92,9 @@ class EC_AffinePoint_Data {
virtual void serialize_uncompressed_to(std::span<uint8_t> bytes) const = 0;

virtual std::unique_ptr<EC_AffinePoint_Data> mul(const EC_Scalar_Data& scalar,
RandomNumberGenerator& rng,
std::vector<BigInt>& ws) const = 0;
RandomNumberGenerator& rng) const = 0;

virtual secure_vector<uint8_t> mul_x_only(const EC_Scalar_Data& scalar,
RandomNumberGenerator& rng,
std::vector<BigInt>& ws) const = 0;
virtual secure_vector<uint8_t> mul_x_only(const EC_Scalar_Data& scalar, RandomNumberGenerator& rng) const = 0;

#if defined(BOTAN_HAS_LEGACY_EC_POINT)
virtual EC_Point to_legacy_point() const = 0;
Expand Down Expand Up @@ -234,9 +231,7 @@ class EC_Group_Data final : public std::enable_shared_from_this<EC_Group_Data> {

std::unique_ptr<EC_Scalar_Data> scalar_one() const;

std::unique_ptr<EC_Scalar_Data> gk_x_mod_order(const EC_Scalar_Data& scalar,
RandomNumberGenerator& rng,
std::vector<BigInt>& ws) const;
std::unique_ptr<EC_Scalar_Data> gk_x_mod_order(const EC_Scalar_Data& scalar, RandomNumberGenerator& rng) const;

/// Deserialize a point
///
Expand All @@ -251,9 +246,7 @@ class EC_Group_Data final : public std::enable_shared_from_this<EC_Group_Data> {
std::span<const uint8_t> input,
std::span<const uint8_t> domain_sep) const;

std::unique_ptr<EC_AffinePoint_Data> point_g_mul(const EC_Scalar_Data& scalar,
RandomNumberGenerator& rng,
std::vector<BigInt>& ws) const;
std::unique_ptr<EC_AffinePoint_Data> point_g_mul(const EC_Scalar_Data& scalar, RandomNumberGenerator& rng) const;

std::unique_ptr<EC_AffinePoint_Data> mul_px_qy(const EC_AffinePoint_Data& p,
const EC_Scalar_Data& x,
Expand Down
10 changes: 2 additions & 8 deletions src/lib/pubkey/ec_group/ec_inner_pc.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -118,21 +118,15 @@ const std::shared_ptr<const EC_Group_Data>& EC_AffinePoint_Data_PC::group() cons
}

std::unique_ptr<EC_AffinePoint_Data> EC_AffinePoint_Data_PC::mul(const EC_Scalar_Data& scalar,
RandomNumberGenerator& rng,
std::vector<BigInt>& ws) const {
BOTAN_UNUSED(ws);

RandomNumberGenerator& rng) const {
BOTAN_ARG_CHECK(scalar.group() == m_group, "Curve mismatch");
const auto& k = EC_Scalar_Data_PC::checked_ref(scalar).value();
auto pt = m_group->pcurve().mul(m_pt, k, rng).to_affine();
return std::make_unique<EC_AffinePoint_Data_PC>(m_group, std::move(pt));
}

secure_vector<uint8_t> EC_AffinePoint_Data_PC::mul_x_only(const EC_Scalar_Data& scalar,
RandomNumberGenerator& rng,
std::vector<BigInt>& ws) const {
BOTAN_UNUSED(ws);

RandomNumberGenerator& rng) const {
BOTAN_ARG_CHECK(scalar.group() == m_group, "Curve mismatch");
const auto& k = EC_Scalar_Data_PC::checked_ref(scalar).value();
return m_group->pcurve().mul_x_only(m_pt, k, rng);
Expand Down
8 changes: 2 additions & 6 deletions src/lib/pubkey/ec_group/ec_inner_pc.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,13 +79,9 @@ class EC_AffinePoint_Data_PC final : public EC_AffinePoint_Data {

void serialize_uncompressed_to(std::span<uint8_t> bytes) const override;

std::unique_ptr<EC_AffinePoint_Data> mul(const EC_Scalar_Data& scalar,
RandomNumberGenerator& rng,
std::vector<BigInt>& ws) const override;
std::unique_ptr<EC_AffinePoint_Data> mul(const EC_Scalar_Data& scalar, RandomNumberGenerator& rng) const override;

secure_vector<uint8_t> mul_x_only(const EC_Scalar_Data& scalar,
RandomNumberGenerator& rng,
std::vector<BigInt>& ws) const override;
secure_vector<uint8_t> mul_x_only(const EC_Scalar_Data& scalar, RandomNumberGenerator& rng) const override;

const PCurve::PrimeOrderCurve::AffinePoint& value() const { return m_pt; }

Expand Down
4 changes: 2 additions & 2 deletions src/lib/pubkey/ec_group/ec_scalar.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,9 +76,9 @@ BigInt EC_Scalar::to_bigint() const {
return BigInt::from_bytes(bytes);
}

EC_Scalar EC_Scalar::gk_x_mod_order(const EC_Scalar& scalar, RandomNumberGenerator& rng, std::vector<BigInt>& ws) {
EC_Scalar EC_Scalar::gk_x_mod_order(const EC_Scalar& scalar, RandomNumberGenerator& rng) {
const auto& group = scalar._inner().group();
return EC_Scalar(group->gk_x_mod_order(scalar.inner(), rng, ws));
return EC_Scalar(group->gk_x_mod_order(scalar.inner(), rng));
}

void EC_Scalar::serialize_to(std::span<uint8_t> bytes) const {
Expand Down
10 changes: 7 additions & 3 deletions src/lib/pubkey/ec_group/ec_scalar.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -92,10 +92,14 @@ class BOTAN_UNSTABLE_API EC_Scalar final {
* Compute the elliptic curve scalar multiplication (g*k) where g is the
* standard base point on the curve. Then extract the x coordinate of
* the resulting point, and reduce it modulo the group order.
*
* Workspace argument is transitional
*/
static EC_Scalar gk_x_mod_order(const EC_Scalar& scalar, RandomNumberGenerator& rng, std::vector<BigInt>& ws);
static EC_Scalar gk_x_mod_order(const EC_Scalar& scalar, RandomNumberGenerator& rng);

BOTAN_DEPRECATED("Use version without workspace arg")
static EC_Scalar gk_x_mod_order(const EC_Scalar& scalar, RandomNumberGenerator& rng, std::vector<BigInt>& ws) {
BOTAN_UNUSED(ws);
return EC_Scalar::gk_x_mod_order(scalar, rng);
}

/**
* Return the byte size of this scalar
Expand Down
8 changes: 4 additions & 4 deletions src/lib/pubkey/ec_group/legacy_ec_point/ec_inner_bn.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -96,11 +96,11 @@ const std::shared_ptr<const EC_Group_Data>& EC_AffinePoint_Data_BN::group() cons
}

std::unique_ptr<EC_AffinePoint_Data> EC_AffinePoint_Data_BN::mul(const EC_Scalar_Data& scalar,
RandomNumberGenerator& rng,
std::vector<BigInt>& ws) const {
RandomNumberGenerator& rng) const {
BOTAN_ARG_CHECK(scalar.group() == m_group, "Curve mismatch");
const auto& bn = EC_Scalar_Data_BN::checked_ref(scalar);

std::vector<BigInt> ws;
EC_Point_Var_Point_Precompute mul(m_pt, rng, ws);

// We pass order*cofactor here to "correctly" handle the case where the
Expand All @@ -114,11 +114,11 @@ std::unique_ptr<EC_AffinePoint_Data> EC_AffinePoint_Data_BN::mul(const EC_Scalar
}

secure_vector<uint8_t> EC_AffinePoint_Data_BN::mul_x_only(const EC_Scalar_Data& scalar,
RandomNumberGenerator& rng,
std::vector<BigInt>& ws) const {
RandomNumberGenerator& rng) const {
BOTAN_ARG_CHECK(scalar.group() == m_group, "Curve mismatch");
const auto& bn = EC_Scalar_Data_BN::checked_ref(scalar);

std::vector<BigInt> ws;
EC_Point_Var_Point_Precompute mul(m_pt, rng, ws);

// We pass order*cofactor here to "correctly" handle the case where the
Expand Down
Loading
Loading