mpn/generic/sec_powm.c

1.1  mrg /* mpn_sec_powm -- Compute R = U^E mod M.  Secure variant, side-channel silent
1.1  mrg    under the assumption that the multiply instruction is side channel silent.
1.1  mrg
1.1  mrg    Contributed to the GNU project by Torbjrn Granlund.
1.1  mrg
1.1  mrg Copyright 2007-2009, 2011-2014 Free Software Foundation, Inc.
1.1  mrg
1.1  mrg This file is part of the GNU MP Library.
1.1  mrg
1.1  mrg The GNU MP Library is free software; you can redistribute it and/or modify
1.1  mrg it under the terms of either:
1.1  mrg
1.1  mrg   * the GNU Lesser General Public License as published by the Free
1.1  mrg     Software Foundation; either version 3 of the License, or (at your
1.1  mrg     option) any later version.
1.1  mrg
1.1  mrg or
1.1  mrg
1.1  mrg   * the GNU General Public License as published by the Free Software
1.1  mrg     Foundation; either version 2 of the License, or (at your option) any
1.1  mrg     later version.
1.1  mrg
1.1  mrg or both in parallel, as here.
1.1  mrg
1.1  mrg The GNU MP Library is distributed in the hope that it will be useful, but
1.1  mrg WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
1.1  mrg or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
1.1  mrg for more details.
1.1  mrg
1.1  mrg You should have received copies of the GNU General Public License and the
1.1  mrg GNU Lesser General Public License along with the GNU MP Library.  If not,
1.1  mrg see https://www.gnu.org/licenses/.  */
1.1  mrg
1.1  mrg
1.1  mrg /*
1.1  mrg   BASIC ALGORITHM, Compute U^E mod M, where M < B^n is odd.
1.1  mrg
1.1  mrg   1. T <- (B^n * U) mod M                Convert to REDC form
1.1  mrg
1.1  mrg   2. Compute table U^0, U^1, U^2... of E-dependent size
1.1  mrg
1.1  mrg   3. While there are more bits in E
1.1  mrg        W <- power left-to-right base-k
1.1  mrg
1.1  mrg
1.1  mrg   TODO:
1.1  mrg
1.1  mrg    * Make getbits a macro, thereby allowing it to update the index operand.
1.1  mrg      That will simplify the code using getbits.  (Perhaps make getbits' sibling
1.1  mrg      getbit then have similar form, for symmetry.)
1.1  mrg
1.1  mrg    * Choose window size without looping.  (Superoptimize or think(tm).)
1.1  mrg
1.1  mrg    * REDC_1_TO_REDC_2_THRESHOLD might actually represent the cutoff between
1.1  mrg      redc_1 and redc_n.  On such systems, we will switch to redc_2 causing
1.1  mrg      slowdown.
1.1  mrg */
1.1  mrg
1.1  mrg #include "gmp.h"
1.1  mrg #include "gmp-impl.h"
1.1  mrg #include "longlong.h"
1.1  mrg
1.1  mrg #undef MPN_REDC_1_SEC
1.1  mrg #define MPN_REDC_1_SEC(rp, up, mp, n, invm)				\
1.1  mrg   do {									\
1.1  mrg     mp_limb_t cy;							\
1.1  mrg     cy = mpn_redc_1 (rp, up, mp, n, invm);				\
1.1  mrg     mpn_cnd_sub_n (cy, rp, rp, mp, n);					\
1.1  mrg   } while (0)
1.1  mrg
1.1  mrg #undef MPN_REDC_2_SEC
1.1  mrg #define MPN_REDC_2_SEC(rp, up, mp, n, mip)				\
1.1  mrg   do {									\
1.1  mrg     mp_limb_t cy;							\
1.1  mrg     cy = mpn_redc_2 (rp, up, mp, n, mip);				\
1.1  mrg     mpn_cnd_sub_n (cy, rp, rp, mp, n);					\
1.1  mrg   } while (0)
1.1  mrg
1.1  mrg #if HAVE_NATIVE_mpn_addmul_2 || HAVE_NATIVE_mpn_redc_2
1.1  mrg #define WANT_REDC_2 1
1.1  mrg #endif
1.1  mrg
1.1  mrg /* Define our own mpn squaring function.  We do this since we cannot use a
1.1  mrg    native mpn_sqr_basecase over TUNE_SQR_TOOM2_MAX, or a non-native one over
1.1  mrg    SQR_TOOM2_THRESHOLD.  This is so because of fixed size stack allocations
1.1  mrg    made inside mpn_sqr_basecase.  */
1.1  mrg
1.1  mrg #if HAVE_NATIVE_mpn_sqr_diagonal
1.1  mrg #define MPN_SQR_DIAGONAL(rp, up, n)					\
1.1  mrg   mpn_sqr_diagonal (rp, up, n)
1.1  mrg #else
1.1  mrg #define MPN_SQR_DIAGONAL(rp, up, n)					\
1.1  mrg   do {									\
1.1  mrg     mp_size_t _i;							\
1.1  mrg     for (_i = 0; _i < (n); _i++)					\
1.1  mrg       {									\
1.1  mrg 	mp_limb_t ul, lpl;						\
1.1  mrg 	ul = (up)[_i];							\
1.1  mrg 	umul_ppmm ((rp)[2 * _i + 1], lpl, ul, ul << GMP_NAIL_BITS);	\
1.1  mrg 	(rp)[2 * _i] = lpl >> GMP_NAIL_BITS;				\
1.1  mrg       }									\
1.1  mrg   } while (0)
1.1  mrg #endif
1.1  mrg
1.1  mrg
1.1  mrg #if ! HAVE_NATIVE_mpn_sqr_basecase
1.1  mrg /* The limit of the generic code is SQR_TOOM2_THRESHOLD.  */
1.1  mrg #define SQR_BASECASE_LIM  SQR_TOOM2_THRESHOLD
1.1  mrg #endif
1.1  mrg
1.1  mrg #if HAVE_NATIVE_mpn_sqr_basecase
1.1  mrg #ifdef TUNE_SQR_TOOM2_MAX
1.1  mrg /* We slightly abuse TUNE_SQR_TOOM2_MAX here.  If it is set for an assembly
1.1  mrg    mpn_sqr_basecase, it comes from SQR_TOOM2_THRESHOLD_MAX in the assembly
1.1  mrg    file.  An assembly mpn_sqr_basecase that does not define it should allow
1.1  mrg    any size.  */
1.1  mrg #define SQR_BASECASE_LIM  SQR_TOOM2_THRESHOLD
1.1  mrg #endif
1.1  mrg #endif
1.1  mrg
1.1  mrg #ifdef WANT_FAT_BINARY
1.1  mrg /* For fat builds, we use SQR_TOOM2_THRESHOLD which will expand to a read from
1.1  mrg    __gmpn_cpuvec.  Perhaps any possible sqr_basecase.asm allow any size, and we
1.1  mrg    limit the use unnecessarily.  We cannot tell, so play it safe.  FIXME.  */
1.1  mrg #define SQR_BASECASE_LIM  SQR_TOOM2_THRESHOLD
1.1  mrg #endif
1.1  mrg
1.1  mrg #ifndef SQR_BASECASE_LIM
1.1  mrg /* If SQR_BASECASE_LIM is now not defined, use mpn_sqr_basecase for any operand
1.1  mrg    size.  */
1.1  mrg #define mpn_local_sqr(rp,up,n,tp) mpn_sqr_basecase(rp,up,n)
1.1  mrg #else
1.1  mrg /* Else use mpn_sqr_basecase for its allowed sizes, else mpn_mul_basecase.  */
1.1  mrg #define mpn_local_sqr(rp,up,n,tp) \
1.1  mrg   do {									\
1.1  mrg     if (BELOW_THRESHOLD (n, SQR_BASECASE_LIM))				\
1.1  mrg       mpn_sqr_basecase (rp, up, n);					\
1.1  mrg     else								\
1.1  mrg       mpn_mul_basecase(rp, up, n, up, n);				\
1.1  mrg   } while (0)
1.1  mrg #endif
1.1  mrg
1.1  mrg #define getbit(p,bi) \
1.1  mrg   ((p[(bi - 1) / GMP_NUMB_BITS] >> (bi - 1) % GMP_NUMB_BITS) & 1)
1.1  mrg
1.1  mrg /* FIXME: Maybe some things would get simpler if all callers ensure
1.1  mrg    that bi >= nbits. As far as I understand, with the current code bi
1.1  mrg    < nbits can happen only for the final iteration. */
1.1  mrg static inline mp_limb_t
1.1  mrg getbits (const mp_limb_t *p, mp_bitcnt_t bi, int nbits)
1.1  mrg {
1.1  mrg   int nbits_in_r;
1.1  mrg   mp_limb_t r;
1.1  mrg   mp_size_t i;
1.1  mrg
1.1  mrg   if (bi < nbits)
1.1  mrg     {
1.1  mrg       return p[0] & (((mp_limb_t) 1 << bi) - 1);
1.1  mrg     }
1.1  mrg   else
1.1  mrg     {
1.1  mrg       bi -= nbits;			/* bit index of low bit to extract */
1.1  mrg       i = bi / GMP_NUMB_BITS;		/* word index of low bit to extract */
1.1  mrg       bi %= GMP_NUMB_BITS;		/* bit index in low word */
1.1  mrg       r = p[i] >> bi;			/* extract (low) bits */
1.1  mrg       nbits_in_r = GMP_NUMB_BITS - bi;	/* number of bits now in r */
1.1  mrg       if (nbits_in_r < nbits)		/* did we get enough bits? */
1.1  mrg 	r += p[i + 1] << nbits_in_r;	/* prepend bits from higher word */
1.1  mrg       return r & (((mp_limb_t ) 1 << nbits) - 1);
1.1  mrg     }
1.1  mrg }
1.1  mrg
1.1  mrg #ifndef POWM_SEC_TABLE
1.1  mrg #if GMP_NUMB_BITS < 50
1.1  mrg #define POWM_SEC_TABLE  2,33,96,780,2741
1.1  mrg #else
1.1  mrg #define POWM_SEC_TABLE  2,130,524,2578
1.1  mrg #endif
1.1  mrg #endif
1.1  mrg
1.1  mrg #if TUNE_PROGRAM_BUILD
1.1  mrg extern int win_size (mp_bitcnt_t);
1.1  mrg #else
1.1  mrg static inline int
1.1  mrg win_size (mp_bitcnt_t enb)
1.1  mrg {
1.1  mrg   int k;
1.1  mrg   /* Find k, such that x[k-1] < enb <= x[k].
1.1  mrg
1.1  mrg      We require that x[k] >= k, then it follows that enb > x[k-1] >=
1.1  mrg      k-1, which implies k <= enb.
1.1  mrg   */
1.1  mrg   static const mp_bitcnt_t x[] = {0,POWM_SEC_TABLE,~(mp_bitcnt_t)0};
1.1  mrg   for (k = 1; enb > x[k]; k++)
1.1  mrg     ;
1.1  mrg   ASSERT (k <= enb);
1.1  mrg   return k;
1.1  mrg }
1.1  mrg #endif
1.1  mrg
1.1  mrg /* Convert U to REDC form, U_r = B^n * U mod M.
1.1  mrg    Uses scratch space at tp of size 2un + n + 1.  */
1.1  mrg static void
1.1  mrg redcify (mp_ptr rp, mp_srcptr up, mp_size_t un, mp_srcptr mp, mp_size_t n, mp_ptr tp)
1.1  mrg {
1.1  mrg   MPN_ZERO (tp, n);
1.1  mrg   MPN_COPY (tp + n, up, un);
1.1  mrg
1.1  mrg   mpn_sec_div_r (tp, un + n, mp, n, tp + un + n);
1.1  mrg   MPN_COPY (rp, tp, n);
1.1  mrg }
1.1  mrg
1.1  mrg /* {rp, n} <-- {bp, bn} ^ {ep, en} mod {mp, n},
1.1  mrg    where en = ceil (enb / GMP_NUMB_BITS)
1.1  mrg    Requires that {mp, n} is odd (and hence also mp[0] odd).
1.1  mrg    Uses scratch space at tp as defined by mpn_sec_powm_itch.  */
1.1  mrg void
1.1  mrg mpn_sec_powm (mp_ptr rp, mp_srcptr bp, mp_size_t bn,
1.1  mrg 	      mp_srcptr ep, mp_bitcnt_t enb,
1.1  mrg 	      mp_srcptr mp, mp_size_t n, mp_ptr tp)
1.1  mrg {
1.1  mrg   mp_limb_t ip[2], *mip;
1.1  mrg   int windowsize, this_windowsize;
1.1  mrg   mp_limb_t expbits;
1.1  mrg   mp_ptr pp, this_pp;
1.1  mrg   long i;
1.1  mrg   int cnd;
1.1  mrg
1.1  mrg   ASSERT (enb > 0);
1.1  mrg   ASSERT (n > 0);
1.1  mrg   /* The code works for bn = 0, but the defined scratch space is 2 limbs
1.1  mrg      greater than we supply, when converting 1 to redc form .  */
1.1  mrg   ASSERT (bn > 0);
1.1  mrg   ASSERT ((mp[0] & 1) != 0);
1.1  mrg
1.1  mrg   windowsize = win_size (enb);
1.1  mrg
1.1  mrg #if WANT_REDC_2
1.1  mrg   if (BELOW_THRESHOLD (n, REDC_1_TO_REDC_2_THRESHOLD))
1.1  mrg     {
1.1  mrg       mip = ip;
1.1  mrg       binvert_limb (mip[0], mp[0]);
1.1  mrg       mip[0] = -mip[0];
1.1  mrg     }
1.1  mrg   else
1.1  mrg     {
1.1  mrg       mip = ip;
1.1  mrg       mpn_binvert (mip, mp, 2, tp);
1.1  mrg       mip[0] = -mip[0]; mip[1] = ~mip[1];
1.1  mrg     }
1.1  mrg #else
1.1  mrg   mip = ip;
1.1  mrg   binvert_limb (mip[0], mp[0]);
1.1  mrg   mip[0] = -mip[0];
1.1  mrg #endif
1.1  mrg
1.1  mrg   pp = tp;
1.1  mrg   tp += (n << windowsize);	/* put tp after power table */
1.1  mrg
1.1  mrg   /* Compute pp[0] table entry */
1.1  mrg   /* scratch: |   n   | 1 |   n+2    |  */
1.1  mrg   /*          | pp[0] | 1 | redcify  |  */
1.1  mrg   this_pp = pp;
1.1  mrg   this_pp[n] = 1;
1.1  mrg   redcify (this_pp, this_pp + n, 1, mp, n, this_pp + n + 1);
1.1  mrg   this_pp += n;
1.1  mrg
1.1  mrg   /* Compute pp[1] table entry.  To avoid excessive scratch usage in the
1.1  mrg      degenerate situation where B >> M, we let redcify use scratch space which
1.1  mrg      will later be used by the pp table (element 2 and up).  */
1.1  mrg   /* scratch: |   n   |   n   |  bn + n + 1  |  */
1.1  mrg   /*          | pp[0] | pp[1] |   redcify    |  */
1.1  mrg   redcify (this_pp, bp, bn, mp, n, this_pp + n);
1.1  mrg
1.1  mrg   /* Precompute powers of b and put them in the temporary area at pp.  */
1.1  mrg   /* scratch: |   n   |   n   | ...  |                    |   2n      |  */
1.1  mrg   /*          | pp[0] | pp[1] | ...  | pp[2^windowsize-1] |  product  |  */
1.1  mrg   for (i = (1 << windowsize) - 2; i > 0; i--)
1.1  mrg     {
1.1  mrg       mpn_mul_basecase (tp, this_pp, n, pp + n, n);
1.1  mrg       this_pp += n;
1.1  mrg #if WANT_REDC_2
1.1  mrg       if (BELOW_THRESHOLD (n, REDC_1_TO_REDC_2_THRESHOLD))
1.1  mrg 	MPN_REDC_1_SEC (this_pp, tp, mp, n, mip[0]);
1.1  mrg       else
1.1  mrg 	MPN_REDC_2_SEC (this_pp, tp, mp, n, mip);
1.1  mrg #else
1.1  mrg       MPN_REDC_1_SEC (this_pp, tp, mp, n, mip[0]);
1.1  mrg #endif
1.1  mrg     }
1.1  mrg
1.1  mrg   expbits = getbits (ep, enb, windowsize);
1.1  mrg   ASSERT_ALWAYS (enb >= windowsize);
1.1  mrg   enb -= windowsize;
1.1  mrg
1.1  mrg   mpn_sec_tabselect (rp, pp, n, 1 << windowsize, expbits);
1.1  mrg
1.1  mrg   /* Main exponentiation loop.  */
1.1  mrg   /* scratch: |   n   |   n   | ...  |                    |     3n-4n     |  */
1.1  mrg   /*          | pp[0] | pp[1] | ...  | pp[2^windowsize-1] |  loop scratch |  */
1.1  mrg
1.1  mrg #define INNERLOOP							\
1.1  mrg   while (enb != 0)							\
1.1  mrg     {									\
1.1  mrg       expbits = getbits (ep, enb, windowsize);				\
1.1  mrg       this_windowsize = windowsize;					\
1.1  mrg       if (enb < windowsize)						\
1.1  mrg 	{								\
1.1  mrg 	  this_windowsize -= windowsize - enb;				\
1.1  mrg 	  enb = 0;							\
1.1  mrg 	}								\
1.1  mrg       else								\
1.1  mrg 	enb -= windowsize;						\
1.1  mrg 									\
1.1  mrg       do								\
1.1  mrg 	{								\
1.1  mrg 	  mpn_local_sqr (tp, rp, n, tp + 2 * n);			\
1.1  mrg 	  MPN_REDUCE (rp, tp, mp, n, mip);				\
1.1  mrg 	  this_windowsize--;						\
1.1  mrg 	}								\
1.1  mrg       while (this_windowsize != 0);					\
1.1  mrg 									\
1.1  mrg       mpn_sec_tabselect (tp + 2*n, pp, n, 1 << windowsize, expbits);	\
1.1  mrg       mpn_mul_basecase (tp, rp, n, tp + 2*n, n);			\
1.1  mrg 									\
1.1  mrg       MPN_REDUCE (rp, tp, mp, n, mip);					\
1.1  mrg     }
1.1  mrg
1.1  mrg #if WANT_REDC_2
1.1  mrg   if (BELOW_THRESHOLD (n, REDC_1_TO_REDC_2_THRESHOLD))
1.1  mrg     {
1.1  mrg #undef MPN_MUL_N
1.1  mrg #undef MPN_SQR
1.1  mrg #undef MPN_REDUCE
1.1  mrg #define MPN_MUL_N(r,a,b,n)		mpn_mul_basecase (r,a,n,b,n)
1.1  mrg #define MPN_SQR(r,a,n)			mpn_sqr_basecase (r,a,n)
1.1  mrg #define MPN_REDUCE(rp,tp,mp,n,mip)	MPN_REDC_1_SEC (rp, tp, mp, n, mip[0])
1.1  mrg       INNERLOOP;
1.1  mrg     }
1.1  mrg   else
1.1  mrg     {
1.1  mrg #undef MPN_MUL_N
1.1  mrg #undef MPN_SQR
1.1  mrg #undef MPN_REDUCE
1.1  mrg #define MPN_MUL_N(r,a,b,n)		mpn_mul_basecase (r,a,n,b,n)
1.1  mrg #define MPN_SQR(r,a,n)			mpn_sqr_basecase (r,a,n)
1.1  mrg #define MPN_REDUCE(rp,tp,mp,n,mip)	MPN_REDC_2_SEC (rp, tp, mp, n, mip)
1.1  mrg       INNERLOOP;
1.1  mrg     }
1.1  mrg #else
1.1  mrg #undef MPN_MUL_N
1.1  mrg #undef MPN_SQR
1.1  mrg #undef MPN_REDUCE
1.1  mrg #define MPN_MUL_N(r,a,b,n)		mpn_mul_basecase (r,a,n,b,n)
1.1  mrg #define MPN_SQR(r,a,n)			mpn_sqr_basecase (r,a,n)
1.1  mrg #define MPN_REDUCE(rp,tp,mp,n,mip)	MPN_REDC_1_SEC (rp, tp, mp, n, mip[0])
1.1  mrg   INNERLOOP;
1.1  mrg #endif
1.1  mrg
1.1  mrg   MPN_COPY (tp, rp, n);
1.1  mrg   MPN_ZERO (tp + n, n);
1.1  mrg
1.1  mrg #if WANT_REDC_2
1.1  mrg   if (BELOW_THRESHOLD (n, REDC_1_TO_REDC_2_THRESHOLD))
1.1  mrg     MPN_REDC_1_SEC (rp, tp, mp, n, mip[0]);
1.1  mrg   else
1.1  mrg     MPN_REDC_2_SEC (rp, tp, mp, n, mip);
1.1  mrg #else
1.1  mrg   MPN_REDC_1_SEC (rp, tp, mp, n, mip[0]);
1.1  mrg #endif
1.1  mrg   cnd = mpn_sub_n (tp, rp, mp, n);	/* we need just retval */
1.1  mrg   mpn_cnd_sub_n (!cnd, rp, rp, mp, n);
1.1  mrg }
1.1  mrg
1.1  mrg mp_size_t
1.1  mrg mpn_sec_powm_itch (mp_size_t bn, mp_bitcnt_t enb, mp_size_t n)
1.1  mrg {
1.1  mrg   int windowsize;
1.1  mrg   mp_size_t redcify_itch, itch;
1.1  mrg
1.1  mrg   /* The top scratch usage will either be when reducing B in the 2nd redcify
1.1  mrg      call, or more typically n*2^windowsize + 3n or 4n, in the main loop.  (It
1.1  mrg      is 3n or 4n depending on if we use mpn_local_sqr or a native
1.1  mrg      mpn_sqr_basecase.  We assume 4n always for now.) */
1.1  mrg
1.1  mrg   windowsize = win_size (enb);
1.1  mrg
1.1  mrg   /* The 2n term is due to pp[0] and pp[1] at the time of the 2nd redcify call,
1.1  mrg      the (bn + n) term is due to redcify's own usage, and the rest is due to
1.1  mrg      mpn_sec_div_r's usage when called from redcify.  */
1.1  mrg   redcify_itch = (2 * n) + (bn + n) + ((bn + n) + 2 * n + 2);
1.1  mrg
1.1  mrg   /* The n * 2^windowsize term is due to the power table, the 4n term is due to
1.1  mrg      scratch needs of squaring/multiplication in the exponentiation loop.  */
1.1  mrg   itch = (n << windowsize) + (4 * n);
1.1  mrg
1.1  mrg   return MAX (itch, redcify_itch);
1.1  mrg }