1 /* crypto/bn/bn_exp.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
58 /* ====================================================================
59 * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
87 * 6. Redistributions of any form whatsoever must retain the following
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
113 #include "cryptlib.h"
120 # define alloca _alloca
122 #elif defined(__GNUC__)
124 # define alloca(s) __builtin_alloca((s))
128 /* maximum precomputation table size for *variable* sliding windows */
129 #define TABLE_SIZE 32
131 /* this one works - simple but works */
132 int BN_exp(BIGNUM
*r
, const BIGNUM
*a
, const BIGNUM
*p
, BN_CTX
*ctx
)
137 if (BN_get_flags(p
, BN_FLG_CONSTTIME
) != 0)
139 /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
140 BNerr(BN_F_BN_EXP
,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
);
145 if ((r
== a
) || (r
== p
))
146 rr
= BN_CTX_get(ctx
);
150 if (rr
== NULL
|| v
== NULL
) goto err
;
152 if (BN_copy(v
,a
) == NULL
) goto err
;
156 { if (BN_copy(rr
,a
) == NULL
) goto err
; }
157 else { if (!BN_one(rr
)) goto err
; }
159 for (i
=1; i
<bits
; i
++)
161 if (!BN_sqr(v
,v
,ctx
)) goto err
;
162 if (BN_is_bit_set(p
,i
))
164 if (!BN_mul(rr
,rr
,v
,ctx
)) goto err
;
169 if (r
!= rr
) BN_copy(r
,rr
);
176 int BN_mod_exp(BIGNUM
*r
, const BIGNUM
*a
, const BIGNUM
*p
, const BIGNUM
*m
,
185 /* For even modulus m = 2^k*m_odd, it might make sense to compute
186 * a^p mod m_odd and a^p mod 2^k separately (with Montgomery
187 * exponentiation for the odd part), using appropriate exponent
188 * reductions, and combine the results using the CRT.
190 * For now, we use Montgomery only if the modulus is odd; otherwise,
191 * exponentiation using the reciprocal-based quick remaindering
194 * (Timing obtained with expspeed.c [computations a^p mod m
195 * where a, p, m are of the same length: 256, 512, 1024, 2048,
196 * 4096, 8192 bits], compared to the running time of the
197 * standard algorithm:
199 * BN_mod_exp_mont 33 .. 40 % [AMD K6-2, Linux, debug configuration]
200 * 55 .. 77 % [UltraSparc processor, but
201 * debug-solaris-sparcv8-gcc conf.]
203 * BN_mod_exp_recp 50 .. 70 % [AMD K6-2, Linux, debug configuration]
204 * 62 .. 118 % [UltraSparc, debug-solaris-sparcv8-gcc]
206 * On the Sparc, BN_mod_exp_recp was faster than BN_mod_exp_mont
207 * at 2048 and more bits, but at 512 and 1024 bits, it was
208 * slower even than the standard algorithm!
210 * "Real" timings [linux-elf, solaris-sparcv9-gcc configurations]
211 * should be obtained when the new Montgomery reduction code
212 * has been integrated into OpenSSL.)
216 #define MONT_EXP_WORD
220 /* I have finally been able to take out this pre-condition of
221 * the top bit being set. It was caused by an error in BN_div
222 * with negatives. There was also another problem when for a^b%m
223 * a >= m. eay 07-May-97 */
224 /* if ((m->d[m->top-1]&BN_TBIT) && BN_is_odd(m)) */
228 # ifdef MONT_EXP_WORD
229 if (a
->top
== 1 && !a
->neg
&& (BN_get_flags(p
, BN_FLG_CONSTTIME
) == 0))
231 BN_ULONG A
= a
->d
[0];
232 ret
=BN_mod_exp_mont_word(r
,A
,p
,m
,ctx
,NULL
);
236 ret
=BN_mod_exp_mont(r
,a
,p
,m
,ctx
,NULL
);
241 { ret
=BN_mod_exp_recp(r
,a
,p
,m
,ctx
); }
243 { ret
=BN_mod_exp_simple(r
,a
,p
,m
,ctx
); }
251 int BN_mod_exp_recp(BIGNUM
*r
, const BIGNUM
*a
, const BIGNUM
*p
,
252 const BIGNUM
*m
, BN_CTX
*ctx
)
254 int i
,j
,bits
,ret
=0,wstart
,wend
,window
,wvalue
;
257 /* Table of variables obtained from 'ctx' */
258 BIGNUM
*val
[TABLE_SIZE
];
261 if (BN_get_flags(p
, BN_FLG_CONSTTIME
) != 0)
263 /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
264 BNerr(BN_F_BN_MOD_EXP_RECP
,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
);
277 aa
= BN_CTX_get(ctx
);
278 val
[0] = BN_CTX_get(ctx
);
279 if(!aa
|| !val
[0]) goto err
;
281 BN_RECP_CTX_init(&recp
);
284 /* ignore sign of 'm' */
285 if (!BN_copy(aa
, m
)) goto err
;
287 if (BN_RECP_CTX_set(&recp
,aa
,ctx
) <= 0) goto err
;
291 if (BN_RECP_CTX_set(&recp
,m
,ctx
) <= 0) goto err
;
294 if (!BN_nnmod(val
[0],a
,m
,ctx
)) goto err
; /* 1 */
295 if (BN_is_zero(val
[0]))
302 window
= BN_window_bits_for_exponent_size(bits
);
305 if (!BN_mod_mul_reciprocal(aa
,val
[0],val
[0],&recp
,ctx
))
310 if(((val
[i
] = BN_CTX_get(ctx
)) == NULL
) ||
311 !BN_mod_mul_reciprocal(val
[i
],val
[i
-1],
317 start
=1; /* This is used to avoid multiplication etc
318 * when there is only the value '1' in the
320 wvalue
=0; /* The 'value' of the window */
321 wstart
=bits
-1; /* The top bit of the window */
322 wend
=0; /* The bottom bit of the window */
324 if (!BN_one(r
)) goto err
;
328 if (BN_is_bit_set(p
,wstart
) == 0)
331 if (!BN_mod_mul_reciprocal(r
,r
,r
,&recp
,ctx
))
333 if (wstart
== 0) break;
337 /* We now have wstart on a 'set' bit, we now need to work out
338 * how bit a window to do. To do this we need to scan
339 * forward until the last set bit before the end of the
344 for (i
=1; i
<window
; i
++)
346 if (wstart
-i
< 0) break;
347 if (BN_is_bit_set(p
,wstart
-i
))
355 /* wend is the size of the current window */
357 /* add the 'bytes above' */
361 if (!BN_mod_mul_reciprocal(r
,r
,r
,&recp
,ctx
))
365 /* wvalue will be an odd number < 2^window */
366 if (!BN_mod_mul_reciprocal(r
,r
,val
[wvalue
>>1],&recp
,ctx
))
369 /* move the 'window' down further */
373 if (wstart
< 0) break;
378 BN_RECP_CTX_free(&recp
);
384 int BN_mod_exp_mont(BIGNUM
*rr
, const BIGNUM
*a
, const BIGNUM
*p
,
385 const BIGNUM
*m
, BN_CTX
*ctx
, BN_MONT_CTX
*in_mont
)
387 int i
,j
,bits
,ret
=0,wstart
,wend
,window
,wvalue
;
391 /* Table of variables obtained from 'ctx' */
392 BIGNUM
*val
[TABLE_SIZE
];
393 BN_MONT_CTX
*mont
=NULL
;
395 if (BN_get_flags(p
, BN_FLG_CONSTTIME
) != 0)
397 return BN_mod_exp_mont_consttime(rr
, a
, p
, m
, ctx
, in_mont
);
406 BNerr(BN_F_BN_MOD_EXP_MONT
,BN_R_CALLED_WITH_EVEN_MODULUS
);
419 val
[0] = BN_CTX_get(ctx
);
420 if (!d
|| !r
|| !val
[0]) goto err
;
422 /* If this is not done, things will break in the montgomery
429 if ((mont
=BN_MONT_CTX_new()) == NULL
) goto err
;
430 if (!BN_MONT_CTX_set(mont
,m
,ctx
)) goto err
;
433 if (a
->neg
|| BN_ucmp(a
,m
) >= 0)
435 if (!BN_nnmod(val
[0],a
,m
,ctx
))
447 if (!BN_to_montgomery(val
[0],aa
,mont
,ctx
)) goto err
; /* 1 */
449 window
= BN_window_bits_for_exponent_size(bits
);
452 if (!BN_mod_mul_montgomery(d
,val
[0],val
[0],mont
,ctx
)) goto err
; /* 2 */
456 if(((val
[i
] = BN_CTX_get(ctx
)) == NULL
) ||
457 !BN_mod_mul_montgomery(val
[i
],val
[i
-1],
463 start
=1; /* This is used to avoid multiplication etc
464 * when there is only the value '1' in the
466 wvalue
=0; /* The 'value' of the window */
467 wstart
=bits
-1; /* The top bit of the window */
468 wend
=0; /* The bottom bit of the window */
470 if (!BN_to_montgomery(r
,BN_value_one(),mont
,ctx
)) goto err
;
473 if (BN_is_bit_set(p
,wstart
) == 0)
477 if (!BN_mod_mul_montgomery(r
,r
,r
,mont
,ctx
))
480 if (wstart
== 0) break;
484 /* We now have wstart on a 'set' bit, we now need to work out
485 * how bit a window to do. To do this we need to scan
486 * forward until the last set bit before the end of the
491 for (i
=1; i
<window
; i
++)
493 if (wstart
-i
< 0) break;
494 if (BN_is_bit_set(p
,wstart
-i
))
502 /* wend is the size of the current window */
504 /* add the 'bytes above' */
508 if (!BN_mod_mul_montgomery(r
,r
,r
,mont
,ctx
))
512 /* wvalue will be an odd number < 2^window */
513 if (!BN_mod_mul_montgomery(r
,r
,val
[wvalue
>>1],mont
,ctx
))
516 /* move the 'window' down further */
520 if (wstart
< 0) break;
522 if (!BN_from_montgomery(rr
,r
,mont
,ctx
)) goto err
;
525 if ((in_mont
== NULL
) && (mont
!= NULL
)) BN_MONT_CTX_free(mont
);
532 /* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific layout
533 * so that accessing any of these table values shows the same access pattern as far
534 * as cache lines are concerned. The following functions are used to transfer a BIGNUM
535 * from/to that table. */
537 static int MOD_EXP_CTIME_COPY_TO_PREBUF(const BIGNUM
*b
, int top
, unsigned char *buf
, int idx
, int width
)
542 top
= b
->top
; /* this works because 'buf' is explicitly zeroed */
543 for (i
= 0, j
=idx
; i
< top
* sizeof b
->d
[0]; i
++, j
+=width
)
545 buf
[j
] = ((unsigned char*)b
->d
)[i
];
551 static int MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM
*b
, int top
, unsigned char *buf
, int idx
, int width
)
555 if (bn_wexpand(b
, top
) == NULL
)
558 for (i
=0, j
=idx
; i
< top
* sizeof b
->d
[0]; i
++, j
+=width
)
560 ((unsigned char*)b
->d
)[i
] = buf
[j
];
568 /* Given a pointer value, compute the next address that is a cache line multiple. */
569 #define MOD_EXP_CTIME_ALIGN(x_) \
570 ((unsigned char*)(x_) + (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - (((size_t)(x_)) & (MOD_EXP_CTIME_MIN_CACHE_LINE_MASK))))
572 /* This variant of BN_mod_exp_mont() uses fixed windows and the special
573 * precomputation memory layout to limit data-dependency to a minimum
574 * to protect secret exponents (cf. the hyper-threading timing attacks
575 * pointed out by Colin Percival,
576 * http://www.daemonology.net/hyperthreading-considered-harmful/)
578 int BN_mod_exp_mont_consttime(BIGNUM
*rr
, const BIGNUM
*a
, const BIGNUM
*p
,
579 const BIGNUM
*m
, BN_CTX
*ctx
, BN_MONT_CTX
*in_mont
)
581 int i
,bits
,ret
=0,window
,wvalue
;
583 BN_MONT_CTX
*mont
=NULL
;
586 unsigned char *powerbufFree
=NULL
;
588 unsigned char *powerbuf
=NULL
;
599 BNerr(BN_F_BN_MOD_EXP_MONT_CONSTTIME
,BN_R_CALLED_WITH_EVEN_MODULUS
);
611 /* Allocate a montgomery context if it was not supplied by the caller.
612 * If this is not done, things will break in the montgomery part.
618 if ((mont
=BN_MONT_CTX_new()) == NULL
) goto err
;
619 if (!BN_MONT_CTX_set(mont
,m
,ctx
)) goto err
;
622 /* Get the window size to use with size of p. */
623 window
= BN_window_bits_for_ctime_exponent_size(bits
);
624 #if defined(OPENSSL_BN_ASM_MONT5)
625 if (window
==6 && bits
<=1024) window
=5; /* ~5% improvement of 2048-bit RSA sign */
628 /* Allocate a buffer large enough to hold all of the pre-computed
629 * powers of am, am itself and tmp.
631 numPowers
= 1 << window
;
632 powerbufLen
= sizeof(m
->d
[0])*(top
*numPowers
+
633 ((2*top
)>numPowers
?(2*top
):numPowers
));
635 if (powerbufLen
< 3072)
636 powerbufFree
= alloca(powerbufLen
+MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH
);
639 if ((powerbufFree
=(unsigned char*)OPENSSL_malloc(powerbufLen
+MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH
)) == NULL
)
642 powerbuf
= MOD_EXP_CTIME_ALIGN(powerbufFree
);
643 memset(powerbuf
, 0, powerbufLen
);
646 if (powerbufLen
< 3072)
650 /* lay down tmp and am right after powers table */
651 tmp
.d
= (BN_ULONG
*)(powerbuf
+ sizeof(m
->d
[0])*top
*numPowers
);
653 tmp
.top
= am
.top
= 0;
654 tmp
.dmax
= am
.dmax
= top
;
655 tmp
.neg
= am
.neg
= 0;
656 tmp
.flags
= am
.flags
= BN_FLG_STATIC_DATA
;
658 /* prepare a^0 in Montgomery domain */
660 if (!BN_to_montgomery(&tmp
,BN_value_one(),mont
,ctx
)) goto err
;
662 tmp
.d
[0] = (0-m
->d
[0])&BN_MASK2
; /* 2^(top*BN_BITS2) - m */
664 tmp
.d
[i
] = (~m
->d
[i
])&BN_MASK2
;
668 /* prepare a^1 in Montgomery domain */
669 if (a
->neg
|| BN_ucmp(a
,m
) >= 0)
671 if (!BN_mod(&am
,a
,m
,ctx
)) goto err
;
672 if (!BN_to_montgomery(&am
,&am
,mont
,ctx
)) goto err
;
674 else if (!BN_to_montgomery(&am
,a
,mont
,ctx
)) goto err
;
676 #if defined(OPENSSL_BN_ASM_MONT5)
677 /* This optimization uses ideas from http://eprint.iacr.org/2011/239,
678 * specifically optimization of cache-timing attack countermeasures
679 * and pre-computation optimization. */
681 /* Dedicated window==4 case improves 512-bit RSA sign by ~15%, but as
682 * 512-bit RSA is hardly relevant, we omit it to spare size... */
683 if (window
==5 && top
>1)
685 void bn_mul_mont_gather5(BN_ULONG
*rp
,const BN_ULONG
*ap
,
686 const void *table
,const BN_ULONG
*np
,
687 const BN_ULONG
*n0
,int num
,int power
);
688 void bn_scatter5(const BN_ULONG
*inp
,size_t num
,
689 void *table
,size_t power
);
690 void bn_gather5(BN_ULONG
*out
,size_t num
,
691 void *table
,size_t power
);
693 BN_ULONG
*np
=mont
->N
.d
, *n0
=mont
->n0
;
695 /* BN_to_montgomery can contaminate words above .top
696 * [in BN_DEBUG[_DEBUG] build]... */
697 for (i
=am
.top
; i
<top
; i
++) am
.d
[i
]=0;
698 for (i
=tmp
.top
; i
<top
; i
++) tmp
.d
[i
]=0;
700 bn_scatter5(tmp
.d
,top
,powerbuf
,0);
701 bn_scatter5(am
.d
,am
.top
,powerbuf
,1);
702 bn_mul_mont(tmp
.d
,am
.d
,am
.d
,np
,n0
,top
);
703 bn_scatter5(tmp
.d
,top
,powerbuf
,2);
708 /* Calculate a^i = a^(i-1) * a */
709 bn_mul_mont_gather5(tmp
.d
,am
.d
,powerbuf
,np
,n0
,top
,i
-1);
710 bn_scatter5(tmp
.d
,top
,powerbuf
,i
);
713 /* same as above, but uses squaring for 1/2 of operations */
714 for (i
=4; i
<32; i
*=2)
716 bn_mul_mont(tmp
.d
,tmp
.d
,tmp
.d
,np
,n0
,top
);
717 bn_scatter5(tmp
.d
,top
,powerbuf
,i
);
722 bn_mul_mont_gather5(tmp
.d
,am
.d
,powerbuf
,np
,n0
,top
,i
-1);
723 bn_scatter5(tmp
.d
,top
,powerbuf
,i
);
724 for (j
=2*i
; j
<32; j
*=2)
726 bn_mul_mont(tmp
.d
,tmp
.d
,tmp
.d
,np
,n0
,top
);
727 bn_scatter5(tmp
.d
,top
,powerbuf
,j
);
732 bn_mul_mont_gather5(tmp
.d
,am
.d
,powerbuf
,np
,n0
,top
,i
-1);
733 bn_scatter5(tmp
.d
,top
,powerbuf
,i
);
734 bn_mul_mont(tmp
.d
,tmp
.d
,tmp
.d
,np
,n0
,top
);
735 bn_scatter5(tmp
.d
,top
,powerbuf
,2*i
);
739 bn_mul_mont_gather5(tmp
.d
,am
.d
,powerbuf
,np
,n0
,top
,i
-1);
740 bn_scatter5(tmp
.d
,top
,powerbuf
,i
);
744 for (wvalue
=0, i
=bits
%5; i
>=0; i
--,bits
--)
745 wvalue
= (wvalue
<<1)+BN_is_bit_set(p
,bits
);
746 bn_gather5(tmp
.d
,top
,powerbuf
,wvalue
);
748 /* Scan the exponent one window at a time starting from the most
753 for (wvalue
=0, i
=0; i
<5; i
++,bits
--)
754 wvalue
= (wvalue
<<1)+BN_is_bit_set(p
,bits
);
756 bn_mul_mont(tmp
.d
,tmp
.d
,tmp
.d
,np
,n0
,top
);
757 bn_mul_mont(tmp
.d
,tmp
.d
,tmp
.d
,np
,n0
,top
);
758 bn_mul_mont(tmp
.d
,tmp
.d
,tmp
.d
,np
,n0
,top
);
759 bn_mul_mont(tmp
.d
,tmp
.d
,tmp
.d
,np
,n0
,top
);
760 bn_mul_mont(tmp
.d
,tmp
.d
,tmp
.d
,np
,n0
,top
);
761 bn_mul_mont_gather5(tmp
.d
,tmp
.d
,powerbuf
,np
,n0
,top
,wvalue
);
765 bn_correct_top(&tmp
);
770 if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp
, top
, powerbuf
, 0, numPowers
)) goto err
;
771 if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&am
, top
, powerbuf
, 1, numPowers
)) goto err
;
773 /* If the window size is greater than 1, then calculate
774 * val[i=2..2^winsize-1]. Powers are computed as a*a^(i-1)
775 * (even powers could instead be computed as (a^(i/2))^2
776 * to use the slight performance advantage of sqr over mul).
780 if (!BN_mod_mul_montgomery(&tmp
,&am
,&am
,mont
,ctx
)) goto err
;
781 if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp
, top
, powerbuf
, 2, numPowers
)) goto err
;
782 for (i
=3; i
<numPowers
; i
++)
784 /* Calculate a^i = a^(i-1) * a */
785 if (!BN_mod_mul_montgomery(&tmp
,&am
,&tmp
,mont
,ctx
))
787 if (!MOD_EXP_CTIME_COPY_TO_PREBUF(&tmp
, top
, powerbuf
, i
, numPowers
)) goto err
;
792 for (wvalue
=0, i
=bits
%window
; i
>=0; i
--,bits
--)
793 wvalue
= (wvalue
<<1)+BN_is_bit_set(p
,bits
);
794 if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&tmp
,top
,powerbuf
,wvalue
,numPowers
)) goto err
;
796 /* Scan the exponent one window at a time starting from the most
801 wvalue
=0; /* The 'value' of the window */
803 /* Scan the window, squaring the result as we go */
804 for (i
=0; i
<window
; i
++,bits
--)
806 if (!BN_mod_mul_montgomery(&tmp
,&tmp
,&tmp
,mont
,ctx
)) goto err
;
807 wvalue
= (wvalue
<<1)+BN_is_bit_set(p
,bits
);
810 /* Fetch the appropriate pre-computed value from the pre-buf */
811 if (!MOD_EXP_CTIME_COPY_FROM_PREBUF(&am
, top
, powerbuf
, wvalue
, numPowers
)) goto err
;
813 /* Multiply the result into the intermediate result */
814 if (!BN_mod_mul_montgomery(&tmp
,&tmp
,&am
,mont
,ctx
)) goto err
;
818 /* Convert the final result from montgomery to standard format */
819 if (!BN_from_montgomery(rr
,&tmp
,mont
,ctx
)) goto err
;
822 if ((in_mont
== NULL
) && (mont
!= NULL
)) BN_MONT_CTX_free(mont
);
825 OPENSSL_cleanse(powerbuf
,powerbufLen
);
826 if (powerbufFree
) OPENSSL_free(powerbufFree
);
832 int BN_mod_exp_mont_word(BIGNUM
*rr
, BN_ULONG a
, const BIGNUM
*p
,
833 const BIGNUM
*m
, BN_CTX
*ctx
, BN_MONT_CTX
*in_mont
)
835 BN_MONT_CTX
*mont
= NULL
;
841 #define BN_MOD_MUL_WORD(r, w, m) \
842 (BN_mul_word(r, (w)) && \
843 (/* BN_ucmp(r, (m)) < 0 ? 1 :*/ \
844 (BN_mod(t, r, m, ctx) && (swap_tmp = r, r = t, t = swap_tmp, 1))))
845 /* BN_MOD_MUL_WORD is only used with 'w' large,
846 * so the BN_ucmp test is probably more overhead
847 * than always using BN_mod (which uses BN_copy if
848 * a similar test returns true). */
849 /* We can use BN_mod and do not need BN_nnmod because our
850 * accumulator is never negative (the result of BN_mod does
851 * not depend on the sign of the modulus).
853 #define BN_TO_MONTGOMERY_WORD(r, w, mont) \
854 (BN_set_word(r, (w)) && BN_to_montgomery(r, r, (mont), ctx))
856 if (BN_get_flags(p
, BN_FLG_CONSTTIME
) != 0)
858 /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
859 BNerr(BN_F_BN_MOD_EXP_MONT_WORD
,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
);
868 BNerr(BN_F_BN_MOD_EXP_MONT_WORD
,BN_R_CALLED_WITH_EVEN_MODULUS
);
872 a
%= m
->d
[0]; /* make sure that 'a' is reduced */
874 bits
= BN_num_bits(p
);
877 /* x**0 mod 1 is still zero. */
898 if (d
== NULL
|| r
== NULL
|| t
== NULL
) goto err
;
904 if ((mont
= BN_MONT_CTX_new()) == NULL
) goto err
;
905 if (!BN_MONT_CTX_set(mont
, m
, ctx
)) goto err
;
908 r_is_one
= 1; /* except for Montgomery factor */
912 /* The result is accumulated in the product r*w. */
913 w
= a
; /* bit 'bits-1' of 'p' is always set */
914 for (b
= bits
-2; b
>= 0; b
--)
916 /* First, square r*w. */
918 if ((next_w
/w
) != w
) /* overflow */
922 if (!BN_TO_MONTGOMERY_WORD(r
, w
, mont
)) goto err
;
927 if (!BN_MOD_MUL_WORD(r
, w
, m
)) goto err
;
934 if (!BN_mod_mul_montgomery(r
, r
, r
, mont
, ctx
)) goto err
;
937 /* Second, multiply r*w by 'a' if exponent bit is set. */
938 if (BN_is_bit_set(p
, b
))
941 if ((next_w
/a
) != w
) /* overflow */
945 if (!BN_TO_MONTGOMERY_WORD(r
, w
, mont
)) goto err
;
950 if (!BN_MOD_MUL_WORD(r
, w
, m
)) goto err
;
958 /* Finally, set r:=r*w. */
963 if (!BN_TO_MONTGOMERY_WORD(r
, w
, mont
)) goto err
;
968 if (!BN_MOD_MUL_WORD(r
, w
, m
)) goto err
;
972 if (r_is_one
) /* can happen only if a == 1*/
974 if (!BN_one(rr
)) goto err
;
978 if (!BN_from_montgomery(rr
, r
, mont
, ctx
)) goto err
;
982 if ((in_mont
== NULL
) && (mont
!= NULL
)) BN_MONT_CTX_free(mont
);
989 /* The old fallback, simple version :-) */
990 int BN_mod_exp_simple(BIGNUM
*r
, const BIGNUM
*a
, const BIGNUM
*p
,
991 const BIGNUM
*m
, BN_CTX
*ctx
)
993 int i
,j
,bits
,ret
=0,wstart
,wend
,window
,wvalue
;
996 /* Table of variables obtained from 'ctx' */
997 BIGNUM
*val
[TABLE_SIZE
];
999 if (BN_get_flags(p
, BN_FLG_CONSTTIME
) != 0)
1001 /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */
1002 BNerr(BN_F_BN_MOD_EXP_SIMPLE
,ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
);
1006 bits
=BN_num_bits(p
);
1015 d
= BN_CTX_get(ctx
);
1016 val
[0] = BN_CTX_get(ctx
);
1017 if(!d
|| !val
[0]) goto err
;
1019 if (!BN_nnmod(val
[0],a
,m
,ctx
)) goto err
; /* 1 */
1020 if (BN_is_zero(val
[0]))
1027 window
= BN_window_bits_for_exponent_size(bits
);
1030 if (!BN_mod_mul(d
,val
[0],val
[0],m
,ctx
))
1035 if(((val
[i
] = BN_CTX_get(ctx
)) == NULL
) ||
1036 !BN_mod_mul(val
[i
],val
[i
-1],d
,m
,ctx
))
1041 start
=1; /* This is used to avoid multiplication etc
1042 * when there is only the value '1' in the
1044 wvalue
=0; /* The 'value' of the window */
1045 wstart
=bits
-1; /* The top bit of the window */
1046 wend
=0; /* The bottom bit of the window */
1048 if (!BN_one(r
)) goto err
;
1052 if (BN_is_bit_set(p
,wstart
) == 0)
1055 if (!BN_mod_mul(r
,r
,r
,m
,ctx
))
1057 if (wstart
== 0) break;
1061 /* We now have wstart on a 'set' bit, we now need to work out
1062 * how bit a window to do. To do this we need to scan
1063 * forward until the last set bit before the end of the
1068 for (i
=1; i
<window
; i
++)
1070 if (wstart
-i
< 0) break;
1071 if (BN_is_bit_set(p
,wstart
-i
))
1079 /* wend is the size of the current window */
1081 /* add the 'bytes above' */
1085 if (!BN_mod_mul(r
,r
,r
,m
,ctx
))
1089 /* wvalue will be an odd number < 2^window */
1090 if (!BN_mod_mul(r
,r
,val
[wvalue
>>1],m
,ctx
))
1093 /* move the 'window' down further */
1097 if (wstart
< 0) break;