1 /* Copyright 2016 Brian Smith.
2 *
3 * Permission to use, copy, modify, and/or distribute this software for any
4 * purpose with or without fee is hereby granted, provided that the above
5 * copyright notice and this permission notice appear in all copies.
6 *
7 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
13 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
14
15 #include "internal.h"
16 #include "../../internal.h"
17
18
19 OPENSSL_STATIC_ASSERT(BN_MONT_CTX_N0_LIMBS == 1 || BN_MONT_CTX_N0_LIMBS == 2,
20 "BN_MONT_CTX_N0_LIMBS value is invalid");
21 OPENSSL_STATIC_ASSERT(sizeof(BN_ULONG) * BN_MONT_CTX_N0_LIMBS == sizeof(uint64_t),
22 "uint64_t is insufficient precision for n0");
23
24 // LG_LITTLE_R is log_2(r).
25 #define LG_LITTLE_R (BN_MONT_CTX_N0_LIMBS * BN_BITS2)
26
27 // bn_neg_inv_r_mod_n_u64 calculates the -1/n mod r; i.e. it calculates |v|
28 // such that u*r - v*n == 1. |r| is the constant defined in |bn_mont_n0|. |n|
29 // must be odd.
30 //
31 // This is derived from |xbinGCD| in Henry S. Warren, Jr.'s "Montgomery
32 // Multiplication" (http://www.hackersdelight.org/MontgomeryMultiplication.pdf).
33 // It is very similar to the MODULAR-INVERSE function in Stephen R. Dussé's and
34 // Burton S. Kaliski Jr.'s "A Cryptographic Library for the Motorola DSP56000"
35 // (http://link.springer.com/chapter/10.1007%2F3-540-46877-3_21).
36 //
37 // This is inspired by Joppe W. Bos's "Constant Time Modular Inversion"
38 // (http://www.joppebos.com/files/CTInversion.pdf) so that the inversion is
39 // constant-time with respect to |n|. We assume uint64_t additions,
40 // subtractions, shifts, and bitwise operations are all constant time, which
41 // may be a large leap of faith on 32-bit targets. We avoid division and
42 // multiplication, which tend to be the most problematic in terms of timing
43 // leaks.
44 //
45 // Most GCD implementations return values such that |u*r + v*n == 1|, so the
46 // caller would have to negate the resultant |v| for the purpose of Montgomery
47 // multiplication. This implementation does the negation implicitly by doing
48 // the computations as a difference instead of a sum.
bn_neg_inv_mod_r_u64(uint64_t n)49 uint64_t bn_neg_inv_mod_r_u64(uint64_t n) {
50 dev_assert_secret(n % 2 == 1);
51
52 // alpha == 2**(lg r - 1) == r / 2.
53 static const uint64_t alpha = UINT64_C(1) << (LG_LITTLE_R - 1);
54
55 const uint64_t beta = n;
56
57 uint64_t u = 1;
58 uint64_t v = 0;
59
60 // The invariant maintained from here on is:
61 // 2**(lg r - i) == u*2*alpha - v*beta.
62 for (size_t i = 0; i < LG_LITTLE_R; ++i) {
63 #if BN_BITS2 == 64 && defined(BN_ULLONG)
64 dev_assert_secret((BN_ULLONG)(1) << (LG_LITTLE_R - i) ==
65 ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));
66 #endif
67
68 // Delete a common factor of 2 in u and v if |u| is even. Otherwise, set
69 // |u = (u + beta) / 2| and |v = (v / 2) + alpha|.
70
71 uint64_t u_is_odd = UINT64_C(0) - (u & 1); // Either 0xff..ff or 0.
72
73 // The addition can overflow, so use Dietz's method for it.
74 //
75 // Dietz calculates (x+y)/2 by (x xor y)>>1 + x&y. This is valid for all
76 // (unsigned) x and y, even when x+y overflows. Evidence for 32-bit values
77 // (embedded in 64 bits to so that overflow can be ignored):
78 //
79 // (declare-fun x () (_ BitVec 64))
80 // (declare-fun y () (_ BitVec 64))
81 // (assert (let (
82 // (one (_ bv1 64))
83 // (thirtyTwo (_ bv32 64)))
84 // (and
85 // (bvult x (bvshl one thirtyTwo))
86 // (bvult y (bvshl one thirtyTwo))
87 // (not (=
88 // (bvadd (bvlshr (bvxor x y) one) (bvand x y))
89 // (bvlshr (bvadd x y) one)))
90 // )))
91 // (check-sat)
92 uint64_t beta_if_u_is_odd = beta & u_is_odd; // Either |beta| or 0.
93 u = ((u ^ beta_if_u_is_odd) >> 1) + (u & beta_if_u_is_odd);
94
95 uint64_t alpha_if_u_is_odd = alpha & u_is_odd; /* Either |alpha| or 0. */
96 v = (v >> 1) + alpha_if_u_is_odd;
97 }
98
99 // The invariant now shows that u*r - v*n == 1 since r == 2 * alpha.
100 #if BN_BITS2 == 64 && defined(BN_ULLONG)
101 dev_assert_secret(1 == ((BN_ULLONG)u * 2 * alpha) - ((BN_ULLONG)v * beta));
102 #endif
103
104 return v;
105 }
106