1 /* $OpenBSD: bn_exp.c,v 1.22 2015/03/21 08:05:20 doug Exp $ */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
115 #include <openssl/err.h>
119 /* maximum precomputation table size for *variable* sliding windows */
120 #define TABLE_SIZE 32
122 /* this one works - simple but works */
124 BN_exp(BIGNUM
*r
, const BIGNUM
*a
, const BIGNUM
*p
, BN_CTX
*ctx
)
126 int i
, bits
, ret
= 0;
129 if (BN_get_flags(p
, BN_FLG_CONSTTIME
) != 0) {
130 /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
131 BNerr(BN_F_BN_EXP
, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
);
136 if ((r
== a
) || (r
== p
))
137 rr
= BN_CTX_get(ctx
);
141 if (rr
== NULL
|| v
== NULL
)
144 if (BN_copy(v
, a
) == NULL
)
146 bits
= BN_num_bits(p
);
149 if (BN_copy(rr
, a
) == NULL
)
156 for (i
= 1; i
< bits
; i
++) {
157 if (!BN_sqr(v
, v
, ctx
))
159 if (BN_is_bit_set(p
, i
)) {
160 if (!BN_mul(rr
, rr
, v
, ctx
))
167 if (r
!= rr
&& rr
!= NULL
)
175 BN_mod_exp(BIGNUM
*r
, const BIGNUM
*a
, const BIGNUM
*p
, const BIGNUM
*m
,
184 /* For even modulus m = 2^k*m_odd, it might make sense to compute
185 * a^p mod m_odd and a^p mod 2^k separately (with Montgomery
186 * exponentiation for the odd part), using appropriate exponent
187 * reductions, and combine the results using the CRT.
189 * For now, we use Montgomery only if the modulus is odd; otherwise,
190 * exponentiation using the reciprocal-based quick remaindering
193 * (Timing obtained with expspeed.c [computations a^p mod m
194 * where a, p, m are of the same length: 256, 512, 1024, 2048,
195 * 4096, 8192 bits], compared to the running time of the
196 * standard algorithm:
198 * BN_mod_exp_mont 33 .. 40 % [AMD K6-2, Linux, debug configuration]
199 * 55 .. 77 % [UltraSparc processor, but
200 * debug-solaris-sparcv8-gcc conf.]
202 * BN_mod_exp_recp 50 .. 70 % [AMD K6-2, Linux, debug configuration]
203 * 62 .. 118 % [UltraSparc, debug-solaris-sparcv8-gcc]
205 * On the Sparc, BN_mod_exp_recp was faster than BN_mod_exp_mont
206 * at 2048 and more bits, but at 512 and 1024 bits, it was
207 * slower even than the standard algorithm!
209 * "Real" timings [linux-elf, solaris-sparcv9-gcc configurations]
210 * should be obtained when the new Montgomery reduction code
211 * has been integrated into OpenSSL.)
215 #define MONT_EXP_WORD
219 /* I have finally been able to take out this pre-condition of
220 * the top bit being set. It was caused by an error in BN_div
221 * with negatives. There was also another problem when for a^b%m
222 * a >= m. eay 07-May-97 */
223 /* if ((m->d[m->top-1]&BN_TBIT) && BN_is_odd(m)) */
226 # ifdef MONT_EXP_WORD
227 if (a
->top
== 1 && !a
->neg
&&
228 (BN_get_flags(p
, BN_FLG_CONSTTIME
) == 0)) {
229 BN_ULONG A
= a
->d
[0];
230 ret
= BN_mod_exp_mont_word(r
, A
,p
, m
,ctx
, NULL
);
233 ret
= BN_mod_exp_mont(r
, a
,p
, m
,ctx
, NULL
);
238 ret
= BN_mod_exp_recp(r
, a
,p
, m
, ctx
);
242 ret
= BN_mod_exp_simple(r
, a
,p
, m
, ctx
);
251 BN_mod_exp_recp(BIGNUM
*r
, const BIGNUM
*a
, const BIGNUM
*p
, const BIGNUM
*m
,
254 int i
, j
, bits
, ret
= 0, wstart
, wend
, window
, wvalue
;
257 /* Table of variables obtained from 'ctx' */
258 BIGNUM
*val
[TABLE_SIZE
];
261 if (BN_get_flags(p
, BN_FLG_CONSTTIME
) != 0) {
262 /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
263 BNerr(BN_F_BN_MOD_EXP_RECP
, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
);
267 bits
= BN_num_bits(p
);
275 if ((aa
= BN_CTX_get(ctx
)) == NULL
)
277 if ((val
[0] = BN_CTX_get(ctx
)) == NULL
)
280 BN_RECP_CTX_init(&recp
);
282 /* ignore sign of 'm' */
286 if (BN_RECP_CTX_set(&recp
, aa
, ctx
) <= 0)
289 if (BN_RECP_CTX_set(&recp
, m
, ctx
) <= 0)
293 if (!BN_nnmod(val
[0], a
, m
, ctx
))
295 if (BN_is_zero(val
[0])) {
301 window
= BN_window_bits_for_exponent_size(bits
);
303 if (!BN_mod_mul_reciprocal(aa
, val
[0], val
[0], &recp
, ctx
))
305 j
= 1 << (window
- 1);
306 for (i
= 1; i
< j
; i
++) {
307 if (((val
[i
] = BN_CTX_get(ctx
)) == NULL
) ||
308 !BN_mod_mul_reciprocal(val
[i
], val
[i
- 1],
314 start
= 1; /* This is used to avoid multiplication etc
315 * when there is only the value '1' in the
317 wvalue
= 0; /* The 'value' of the window */
318 wstart
= bits
- 1; /* The top bit of the window */
319 wend
= 0; /* The bottom bit of the window */
325 if (BN_is_bit_set(p
, wstart
) == 0) {
327 if (!BN_mod_mul_reciprocal(r
, r
,r
, &recp
, ctx
))
334 /* We now have wstart on a 'set' bit, we now need to work out
335 * how bit a window to do. To do this we need to scan
336 * forward until the last set bit before the end of the
341 for (i
= 1; i
< window
; i
++) {
344 if (BN_is_bit_set(p
, wstart
- i
)) {
345 wvalue
<<= (i
- wend
);
351 /* wend is the size of the current window */
353 /* add the 'bytes above' */
355 for (i
= 0; i
< j
; i
++) {
356 if (!BN_mod_mul_reciprocal(r
, r
,r
, &recp
, ctx
))
360 /* wvalue will be an odd number < 2^window */
361 if (!BN_mod_mul_reciprocal(r
, r
,val
[wvalue
>> 1], &recp
, ctx
))
364 /* move the 'window' down further */
375 BN_RECP_CTX_free(&recp
);
381 BN_mod_exp_mont(BIGNUM
*rr
, const BIGNUM
*a
, const BIGNUM
*p
, const BIGNUM
*m
,
382 BN_CTX
*ctx
, BN_MONT_CTX
*in_mont
)
384 int i
, j
, bits
, ret
= 0, wstart
, wend
, window
, wvalue
;
388 /* Table of variables obtained from 'ctx' */
389 BIGNUM
*val
[TABLE_SIZE
];
390 BN_MONT_CTX
*mont
= NULL
;
392 if (BN_get_flags(p
, BN_FLG_CONSTTIME
) != 0) {
393 return BN_mod_exp_mont_consttime(rr
, a
, p
, m
, ctx
, in_mont
);
401 BNerr(BN_F_BN_MOD_EXP_MONT
, BN_R_CALLED_WITH_EVEN_MODULUS
);
404 bits
= BN_num_bits(p
);
411 if ((d
= BN_CTX_get(ctx
)) == NULL
)
413 if ((r
= BN_CTX_get(ctx
)) == NULL
)
415 if ((val
[0] = BN_CTX_get(ctx
)) == NULL
)
418 /* If this is not done, things will break in the montgomery
424 if ((mont
= BN_MONT_CTX_new()) == NULL
)
426 if (!BN_MONT_CTX_set(mont
, m
, ctx
))
430 if (a
->neg
|| BN_ucmp(a
, m
) >= 0) {
431 if (!BN_nnmod(val
[0], a
,m
, ctx
))
436 if (BN_is_zero(aa
)) {
441 if (!BN_to_montgomery(val
[0], aa
, mont
, ctx
))
444 window
= BN_window_bits_for_exponent_size(bits
);
446 if (!BN_mod_mul_montgomery(d
, val
[0], val
[0], mont
, ctx
))
448 j
= 1 << (window
- 1);
449 for (i
= 1; i
< j
; i
++) {
450 if (((val
[i
] = BN_CTX_get(ctx
)) == NULL
) ||
451 !BN_mod_mul_montgomery(val
[i
], val
[i
- 1],
457 start
= 1; /* This is used to avoid multiplication etc
458 * when there is only the value '1' in the
460 wvalue
= 0; /* The 'value' of the window */
461 wstart
= bits
- 1; /* The top bit of the window */
462 wend
= 0; /* The bottom bit of the window */
464 if (!BN_to_montgomery(r
, BN_value_one(), mont
, ctx
))
467 if (BN_is_bit_set(p
, wstart
) == 0) {
469 if (!BN_mod_mul_montgomery(r
, r
, r
, mont
, ctx
))
477 /* We now have wstart on a 'set' bit, we now need to work out
478 * how bit a window to do. To do this we need to scan
479 * forward until the last set bit before the end of the
484 for (i
= 1; i
< window
; i
++) {
487 if (BN_is_bit_set(p
, wstart
- i
)) {
488 wvalue
<<= (i
- wend
);
494 /* wend is the size of the current window */
496 /* add the 'bytes above' */
498 for (i
= 0; i
< j
; i
++) {
499 if (!BN_mod_mul_montgomery(r
, r
, r
, mont
, ctx
))
503 /* wvalue will be an odd number < 2^window */
504 if (!BN_mod_mul_montgomery(r
, r
, val
[wvalue
>> 1], mont
, ctx
))
507 /* move the 'window' down further */
514 if (!BN_from_montgomery(rr
, r
,mont
, ctx
))
519 if ((in_mont
== NULL
) && (mont
!= NULL
))
520 BN_MONT_CTX_free(mont
);
527 /* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific layout
528 * so that accessing any of these table values shows the same access pattern as far
529 * as cache lines are concerned. The following functions are used to transfer a BIGNUM
530 * from/to that table. */
533 MOD_EXP_CTIME_COPY_TO_PREBUF(const BIGNUM
*b
, int top
, unsigned char *buf
,
539 top
= b
->top
; /* this works because 'buf' is explicitly zeroed */
540 for (i
= 0, j
= idx
; i
< top
* sizeof b
->d
[0]; i
++, j
+= width
) {
541 buf
[j
] = ((unsigned char*)b
->d
)[i
];
548 MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM
*b
, int top
, unsigned char *buf
, int idx
,
553 if (bn_wexpand(b
, top
) == NULL
)
556 for (i
= 0, j
= idx
; i
< top
* sizeof b
->d
[0]; i
++, j
+= width
) {
557 ((unsigned char*)b
->d
)[i
] = buf
[j
];
565 /* Given a pointer value, compute the next address that is a cache line multiple. */
566 #define MOD_EXP_CTIME_ALIGN(x_) \
567 ((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((size_t)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
569 /* This variant of BN_mod_exp_mont() uses fixed windows and the special
570 * precomputation memory layout to limit data-dependency to a minimum
571 * to protect secret exponents (cf. the hyper-threading timing attacks
572 * pointed out by Colin Percival,
573 * http://www.daemonology.net/hyperthreading-considered-harmful/)
576 BN_mod_exp_mont_consttime(BIGNUM
*rr
, const BIGNUM
*a
, const BIGNUM
*p
,
577 const BIGNUM
*m
, BN_CTX
*ctx
, BN_MONT_CTX
*in_mont
)
579 int i
, bits
, ret
= 0, window
, wvalue
;
581 BN_MONT_CTX
*mont
= NULL
;
583 unsigned char *powerbufFree
= NULL
;
585 unsigned char *powerbuf
= NULL
;
594 if (!(m
->d
[0] & 1)) {
595 BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME
,
596 BN_R_CALLED_WITH_EVEN_MODULUS
);
599 bits
= BN_num_bits(p
);
607 /* Allocate a montgomery context if it was not supplied by the caller.
608 * If this is not done, things will break in the montgomery part.
613 if ((mont
= BN_MONT_CTX_new()) == NULL
)
615 if (!BN_MONT_CTX_set(mont
, m
, ctx
))
619 /* Get the window size to use with size of p. */
620 window
= BN_window_bits_for_ctime_exponent_size(bits
);
621 #if defined(OPENSSL_BN_ASM_MONT5)
622 if (window
== 6 && bits
<= 1024)
623 window
= 5; /* ~5% improvement of 2048-bit RSA sign */
626 /* Allocate a buffer large enough to hold all of the pre-computed
627 * powers of am, am itself and tmp.
629 numPowers
= 1 << window
;
630 powerbufLen
= sizeof(m
->d
[0]) * (top
* numPowers
+
631 ((2*top
) > numPowers
? (2*top
) : numPowers
));
632 if ((powerbufFree
= malloc(powerbufLen
+
633 MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH
)) == NULL
)
636 powerbuf
= MOD_EXP_CTIME_ALIGN(powerbufFree
);
637 memset(powerbuf
, 0, powerbufLen
);
639 /* lay down tmp and am right after powers table */
640 tmp
.d
= (BN_ULONG
*)(powerbuf
+ sizeof(m
->d
[0]) * top
* numPowers
);
642 tmp
.top
= am
.top
= 0;
643 tmp
.dmax
= am
.dmax
= top
;
644 tmp
.neg
= am
.neg
= 0;
645 tmp
.flags
= am
.flags
= BN_FLG_STATIC_DATA
;
647 /* prepare a^0 in Montgomery domain */
649 if (!BN_to_montgomery(&tmp
, BN_value_one(), mont
, ctx
))
652 tmp
.d
[0] = (0 - m
- >d
[0]) & BN_MASK2
; /* 2^(top*BN_BITS2) - m */
653 for (i
= 1; i
< top
; i
++)
654 tmp
.d
[i
] = (~m
->d
[i
]) & BN_MASK2
;
658 /* prepare a^1 in Montgomery domain */
659 if (a
->neg
|| BN_ucmp(a
, m
) >= 0) {
660 if (!BN_mod(&am
, a
,m
, ctx
))
662 if (!BN_to_montgomery(&am
, &am
, mont
, ctx
))
664 } else if (!BN_to_montgomery(&am
, a
,mont
, ctx
))
667 #if defined(OPENSSL_BN_ASM_MONT5)
668 /* This optimization uses ideas from http://eprint.iacr.org/2011/239,
669 * specifically optimization of cache-timing attack countermeasures
670 * and pre-computation optimization. */
672 /* Dedicated window==4 case improves 512-bit RSA sign by ~15%, but as
673 * 512-bit RSA is hardly relevant, we omit it to spare size... */
674 if (window
== 5 && top
> 1) {
675 void bn_mul_mont_gather5(BN_ULONG
*rp
, const BN_ULONG
*ap
,
676 const void *table
, const BN_ULONG
*np
,
677 const BN_ULONG
*n0
, int num
, int power
);
678 void bn_scatter5(const BN_ULONG
*inp
, size_t num
,
679 void *table
, size_t power
);
680 void bn_gather5(BN_ULONG
*out
, size_t num
,
681 void *table
, size_t power
);
683 BN_ULONG
*np
= mont
->N
.d
, *n0
= mont
->n0
;
685 /* BN_to_montgomery can contaminate words above .top
686 * [in BN_DEBUG[_DEBUG] build]... */
687 for (i
= am
.top
; i
< top
; i
++)
689 for (i
= tmp
.top
; i
< top
; i
++)
692 bn_scatter5(tmp
.d
, top
, powerbuf
, 0);
693 bn_scatter5(am
.d
, am
.top
, powerbuf
, 1);
694 bn_mul_mont(tmp
.d
, am
.d
, am
.d
, np
, n0
, top
);
695 bn_scatter5(tmp
.d
, top
, powerbuf
, 2);
698 for (i
= 3; i
< 32; i
++) {
699 /* Calculate a^i = a^(i-1) * a */
700 bn_mul_mont_gather5(tmp
.d
, am
.d
, powerbuf
, np
,
702 bn_scatter5(tmp
.d
, top
, powerbuf
, i
);
705 /* same as above, but uses squaring for 1/2 of operations */
706 for (i
= 4; i
< 32; i
*=2) {
707 bn_mul_mont(tmp
.d
, tmp
.d
, tmp
.d
, np
, n0
, top
);
708 bn_scatter5(tmp
.d
, top
, powerbuf
, i
);
710 for (i
= 3; i
< 8; i
+= 2) {
712 bn_mul_mont_gather5(tmp
.d
, am
.d
, powerbuf
, np
,
714 bn_scatter5(tmp
.d
, top
, powerbuf
, i
);
715 for (j
= 2 * i
; j
< 32; j
*= 2) {
716 bn_mul_mont(tmp
.d
, tmp
.d
, tmp
.d
, np
, n0
, top
);
717 bn_scatter5(tmp
.d
, top
, powerbuf
, j
);
720 for (; i
< 16; i
+= 2) {
721 bn_mul_mont_gather5(tmp
.d
, am
.d
, powerbuf
, np
,
723 bn_scatter5(tmp
.d
, top
, powerbuf
, i
);
724 bn_mul_mont(tmp
.d
, tmp
.d
, tmp
.d
, np
, n0
, top
);
725 bn_scatter5(tmp
.d
, top
, powerbuf
, 2*i
);
727 for (; i
< 32; i
+= 2) {
728 bn_mul_mont_gather5(tmp
.d
, am
.d
, powerbuf
, np
,
730 bn_scatter5(tmp
.d
, top
, powerbuf
, i
);
734 for (wvalue
= 0, i
= bits
% 5; i
>= 0; i
--, bits
--)
735 wvalue
= (wvalue
<< 1) + BN_is_bit_set(p
, bits
);
736 bn_gather5(tmp
.d
, top
, powerbuf
, wvalue
);
738 /* Scan the exponent one window at a time starting from the most
742 for (wvalue
= 0, i
= 0; i
< 5; i
++, bits
--)
743 wvalue
= (wvalue
<< 1) + BN_is_bit_set(p
, bits
);
745 bn_mul_mont(tmp
.d
, tmp
.d
, tmp
.d
, np
, n0
, top
);
746 bn_mul_mont(tmp
.d
, tmp
.d
, tmp
.d
, np
, n0
, top
);
747 bn_mul_mont(tmp
.d
, tmp
.d
, tmp
.d
, np
, n0
, top
);
748 bn_mul_mont(tmp
.d
, tmp
.d
, tmp
.d
, np
, n0
, top
);
749 bn_mul_mont(tmp
.d
, tmp
.d
, tmp
.d
, np
, n0
, top
);
750 bn_mul_mont_gather5(tmp
.d
, tmp
.d
, powerbuf
, np
, n0
, top
, wvalue
);
754 bn_correct_top(&tmp
);
758 if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp
, top
, powerbuf
, 0,
761 if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am
, top
, powerbuf
, 1,
765 /* If the window size is greater than 1, then calculate
766 * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)
767 * (even powers could instead be computed as (a^(i/2))^2
768 * to use the slight performance advantage of sqr over mul).
771 if (!BN_mod_mul_montgomery(&tmp
, &am
, &am
, mont
, ctx
))
773 if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp
, top
, powerbuf
,
776 for (i
= 3; i
< numPowers
; i
++) {
777 /* Calculate a^i = a^(i-1) * a */
778 if (!BN_mod_mul_montgomery(&tmp
, &am
, &tmp
,
781 if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp
, top
,
782 powerbuf
, i
, numPowers
))
788 for (wvalue
= 0, i
= bits
% window
; i
>= 0; i
--, bits
--)
789 wvalue
= (wvalue
<< 1) + BN_is_bit_set(p
, bits
);
790 if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&tmp
, top
, powerbuf
,
794 /* Scan the exponent one window at a time starting from the most
798 wvalue
= 0; /* The 'value' of the window */
800 /* Scan the window, squaring the result as we go */
801 for (i
= 0; i
< window
; i
++, bits
--) {
802 if (!BN_mod_mul_montgomery(&tmp
, &tmp
, &tmp
,
805 wvalue
= (wvalue
<< 1) + BN_is_bit_set(p
, bits
);
808 /* Fetch the appropriate pre-computed value from the pre-buf */
809 if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&am
, top
, powerbuf
,
813 /* Multiply the result into the intermediate result */
814 if (!BN_mod_mul_montgomery(&tmp
, &tmp
, &am
, mont
, ctx
))
819 /* Convert the final result from montgomery to standard format */
820 if (!BN_from_montgomery(rr
, &tmp
, mont
, ctx
))
825 if ((in_mont
== NULL
) && (mont
!= NULL
))
826 BN_MONT_CTX_free(mont
);
827 if (powerbuf
!= NULL
) {
828 explicit_bzero(powerbuf
, powerbufLen
);
836 BN_mod_exp_mont_word(BIGNUM
*rr
, BN_ULONG a
, const BIGNUM
*p
, const BIGNUM
*m
,
837 BN_CTX
*ctx
, BN_MONT_CTX
*in_mont
)
839 BN_MONT_CTX
*mont
= NULL
;
840 int b
, bits
, ret
= 0;
846 #define BN_MOD_MUL_WORD(r, w, m) \
847 (BN_mul_word(r, (w)) && \
848 (/* BN_ucmp(r, (m)) < 0 ? 1 :*/ \
849 (BN_mod(t, r, m, ctx) && (swap_tmp = r, r = t, t = swap_tmp, 1))))
850 /* BN_MOD_MUL_WORD is only used with 'w' large,
851 * so the BN_ucmp test is probably more overhead
852 * than always using BN_mod (which uses BN_copy if
853 * a similar test returns true). */
854 /* We can use BN_mod and do not need BN_nnmod because our
855 * accumulator is never negative (the result of BN_mod does
856 * not depend on the sign of the modulus).
858 #define BN_TO_MONTGOMERY_WORD(r, w, mont) \
859 (BN_set_word(r, (w)) && BN_to_montgomery(r, r, (mont), ctx))
861 if (BN_get_flags(p
, BN_FLG_CONSTTIME
) != 0) {
862 /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
863 BNerr(BN_F_BN_MOD_EXP_MONT_WORD
,
864 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
);
872 BNerr(BN_F_BN_MOD_EXP_MONT_WORD
, BN_R_CALLED_WITH_EVEN_MODULUS
);
876 a
%= m
->d
[0]; /* make sure that 'a' is reduced */
878 bits
= BN_num_bits(p
);
890 if ((d
= BN_CTX_get(ctx
)) == NULL
)
892 if ((r
= BN_CTX_get(ctx
)) == NULL
)
894 if ((t
= BN_CTX_get(ctx
)) == NULL
)
900 if ((mont
= BN_MONT_CTX_new()) == NULL
)
902 if (!BN_MONT_CTX_set(mont
, m
, ctx
))
906 r_is_one
= 1; /* except for Montgomery factor */
910 /* The result is accumulated in the product r*w. */
911 w
= a
; /* bit 'bits-1' of 'p' is always set */
912 for (b
= bits
- 2; b
>= 0; b
--) {
913 /* First, square r*w. */
915 if ((next_w
/ w
) != w
) /* overflow */
918 if (!BN_TO_MONTGOMERY_WORD(r
, w
, mont
))
922 if (!BN_MOD_MUL_WORD(r
, w
, m
))
929 if (!BN_mod_mul_montgomery(r
, r
, r
, mont
, ctx
))
933 /* Second, multiply r*w by 'a' if exponent bit is set. */
934 if (BN_is_bit_set(p
, b
)) {
936 if ((next_w
/ a
) != w
) /* overflow */
939 if (!BN_TO_MONTGOMERY_WORD(r
, w
, mont
))
943 if (!BN_MOD_MUL_WORD(r
, w
, m
))
952 /* Finally, set r:=r*w. */
955 if (!BN_TO_MONTGOMERY_WORD(r
, w
, mont
))
959 if (!BN_MOD_MUL_WORD(r
, w
, m
))
964 if (r_is_one
) /* can happen only if a == 1*/
969 if (!BN_from_montgomery(rr
, r
, mont
, ctx
))
975 if ((in_mont
== NULL
) && (mont
!= NULL
))
976 BN_MONT_CTX_free(mont
);
983 /* The old fallback, simple version :-) */
985 BN_mod_exp_simple(BIGNUM
*r
, const BIGNUM
*a
, const BIGNUM
*p
, const BIGNUM
*m
,
988 int i
, j
,bits
, ret
= 0, wstart
, wend
, window
, wvalue
;
991 /* Table of variables obtained from 'ctx' */
992 BIGNUM
*val
[TABLE_SIZE
];
994 if (BN_get_flags(p
, BN_FLG_CONSTTIME
) != 0) {
995 /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
996 BNerr(BN_F_BN_MOD_EXP_SIMPLE
,
997 ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
);
1001 bits
= BN_num_bits(p
);
1009 if ((d
= BN_CTX_get(ctx
)) == NULL
)
1011 if ((val
[0] = BN_CTX_get(ctx
)) == NULL
)
1014 if (!BN_nnmod(val
[0],a
,m
,ctx
))
1016 if (BN_is_zero(val
[0])) {
1022 window
= BN_window_bits_for_exponent_size(bits
);
1024 if (!BN_mod_mul(d
, val
[0], val
[0], m
, ctx
))
1026 j
= 1 << (window
- 1);
1027 for (i
= 1; i
< j
; i
++) {
1028 if (((val
[i
] = BN_CTX_get(ctx
)) == NULL
) ||
1029 !BN_mod_mul(val
[i
], val
[i
- 1], d
,m
, ctx
))
1034 start
= 1; /* This is used to avoid multiplication etc
1035 * when there is only the value '1' in the
1037 wvalue
= 0; /* The 'value' of the window */
1038 wstart
= bits
- 1; /* The top bit of the window */
1039 wend
= 0; /* The bottom bit of the window */
1045 if (BN_is_bit_set(p
, wstart
) == 0) {
1047 if (!BN_mod_mul(r
, r
, r
, m
, ctx
))
1054 /* We now have wstart on a 'set' bit, we now need to work out
1055 * how bit a window to do. To do this we need to scan
1056 * forward until the last set bit before the end of the
1061 for (i
= 1; i
< window
; i
++) {
1064 if (BN_is_bit_set(p
, wstart
- i
)) {
1065 wvalue
<<= (i
- wend
);
1071 /* wend is the size of the current window */
1073 /* add the 'bytes above' */
1075 for (i
= 0; i
< j
; i
++) {
1076 if (!BN_mod_mul(r
, r
, r
, m
, ctx
))
1080 /* wvalue will be an odd number < 2^window */
1081 if (!BN_mod_mul(r
, r
, val
[wvalue
>> 1], m
, ctx
))
1084 /* move the 'window' down further */