kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Split bn_mod_inverse_ex into bn_mod_inverse_{general, odd}.

Browse Source 
This is a step towards exposing |bn_mod_inverse_odd| for use outside
of crypto/bn/gcd.c.

Change-Id: I2968f1e43306c03775b3573a022edd92f4e91df2
Reviewed-on: https://boringssl-review.googlesource.com/9101
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
Brian Smith 2016-08-02 14:59:46 -10:00 committed by CQ bot account: commit-bot@chromium.org
parent 10b09ad28e
commit f9bdcc1108
1 changed files with 289 additions and 210 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

499
crypto/bn/gcd.c
View File

@ -108,6 +108,8 @@
#include <openssl/bn.h>
#include <assert.h>
#include <openssl/err.h>
#include "internal.h"
@ -227,9 +229,11 @@ static int bn_mod_inverse_no_branch(BIGNUM *out, int *out_no_inverse,
const BIGNUM *a, const BIGNUM *n,
BN_CTX *ctx);
static int bn_mod_inverse_ex(BIGNUM *out, int *out_no_inverse, const BIGNUM *a,
const BIGNUM *n, BN_CTX *ctx) {
BIGNUM *A, *B, *X, *Y, *M, *D, *T;
static int bn_mod_inverse_odd(BIGNUM *out, int *out_no_inverse, const BIGNUM *a,
const BIGNUM *n, BN_CTX *ctx) {
assert(BN_is_odd(n));
BIGNUM *A, *B, *X, *Y;
int ret = 0;
int sign;
@ -239,11 +243,8 @@ static int bn_mod_inverse_ex(BIGNUM *out, int *out_no_inverse, const BIGNUM *a,
A = BN_CTX_get(ctx);
B = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
D = BN_CTX_get(ctx);
M = BN_CTX_get(ctx);
Y = BN_CTX_get(ctx);
T = BN_CTX_get(ctx);
if (T == NULL) {
if (Y == NULL) {
goto err;
}
@ -262,224 +263,92 @@ static int bn_mod_inverse_ex(BIGNUM *out, int *out_no_inverse, const BIGNUM *a,
* sign*Y*a == A (mod |n|).
*/
if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS2 <= 32 ? 450 : 2048))) {
/* Binary inversion algorithm; requires odd modulus.
* This is faster than the general algorithm if the modulus
* is sufficiently small (about 400 .. 500 bits on 32-bit
* sytems, but much more on 64-bit systems) */
int shift;
/* Binary inversion algorithm; requires odd modulus. This is faster than the
* general algorithm if the modulus is sufficiently small (about 400 .. 500
* bits on 32-bit systems, but much more on 64-bit systems) */
int shift;
while (!BN_is_zero(B)) {
/* 0 < B < |n|,
* 0 < A <= |n|,
* (1) -sign*X*a == B (mod |n|),
* (2) sign*Y*a == A (mod |n|) */
while (!BN_is_zero(B)) {
/* 0 < B < |n|,
* 0 < A <= |n|,
* (1) -sign*X*a == B (mod |n|),
* (2) sign*Y*a == A (mod |n|) */
/* Now divide B by the maximum possible power of two in the integers,
* and divide X by the same value mod |n|.
* When we're done, (1) still holds. */
shift = 0;
while (!BN_is_bit_set(B, shift)) {
/* note that 0 < B */
shift++;
/* Now divide B by the maximum possible power of two in the integers,
* and divide X by the same value mod |n|.
* When we're done, (1) still holds. */
shift = 0;
while (!BN_is_bit_set(B, shift)) {
/* note that 0 < B */
shift++;
if (BN_is_odd(X)) {
if (!BN_uadd(X, X, n)) {
goto err;
}
}
/* now X is even, so we can easily divide it by two */
if (!BN_rshift1(X, X)) {
if (BN_is_odd(X)) {
if (!BN_uadd(X, X, n)) {
goto err;
}
}
if (shift > 0) {
if (!BN_rshift(B, B, shift)) {
goto err;
}
}
/* Same for A and Y. Afterwards, (2) still holds. */
shift = 0;
while (!BN_is_bit_set(A, shift)) {
/* note that 0 < A */
shift++;
if (BN_is_odd(Y)) {
if (!BN_uadd(Y, Y, n)) {
goto err;
}
}
/* now Y is even */
if (!BN_rshift1(Y, Y)) {
goto err;
}
}
if (shift > 0) {
if (!BN_rshift(A, A, shift)) {
goto err;
}
}
/* We still have (1) and (2).
* Both A and B are odd.
* The following computations ensure that
*
* 0 <= B < |n|,
* 0 < A < |n|,
* (1) -sign*X*a == B (mod |n|),
* (2) sign*Y*a == A (mod |n|),
*
* and that either A or B is even in the next iteration. */
if (BN_ucmp(B, A) >= 0) {
/* -sign*(X + Y)*a == B - A (mod |n|) */
if (!BN_uadd(X, X, Y)) {
goto err;
}
/* NB: we could use BN_mod_add_quick(X, X, Y, n), but that
* actually makes the algorithm slower */
if (!BN_usub(B, B, A)) {
goto err;
}
} else {
/* sign*(X + Y)*a == A - B (mod |n|) */
if (!BN_uadd(Y, Y, X)) {
goto err;
}
/* as above, BN_mod_add_quick(Y, Y, X, n) would slow things down */
if (!BN_usub(A, A, B)) {
goto err;
}
/* now X is even, so we can easily divide it by two */
if (!BN_rshift1(X, X)) {
goto err;
}
}
if (shift > 0) {
if (!BN_rshift(B, B, shift)) {
goto err;
}
}
} else {
/* general inversion algorithm */
while (!BN_is_zero(B)) {
BIGNUM *tmp;
/* Same for A and Y. Afterwards, (2) still holds. */
shift = 0;
while (!BN_is_bit_set(A, shift)) {
/* note that 0 < A */
shift++;
/*
* 0 < B < A,
* (*) -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|) */
/* (D, M) := (A/B, A%B) ... */
if (BN_num_bits(A) == BN_num_bits(B)) {
if (!BN_one(D)) {
goto err;
}
if (!BN_sub(M, A, B)) {
goto err;
}
} else if (BN_num_bits(A) == BN_num_bits(B) + 1) {
/* A/B is 1, 2, or 3 */
if (!BN_lshift1(T, B)) {
goto err;
}
if (BN_ucmp(A, T) < 0) {
/* A < 2*B, so D=1 */
if (!BN_one(D)) {
goto err;
}
if (!BN_sub(M, A, B)) {
goto err;
}
} else {
/* A >= 2*B, so D=2 or D=3 */
if (!BN_sub(M, A, T)) {
goto err;
}
if (!BN_add(D, T, B)) {
goto err; /* use D (:= 3*B) as temp */
}
if (BN_ucmp(A, D) < 0) {
/* A < 3*B, so D=2 */
if (!BN_set_word(D, 2)) {
goto err;
}
/* M (= A - 2*B) already has the correct value */
} else {
/* only D=3 remains */
if (!BN_set_word(D, 3)) {
goto err;
}
/* currently M = A - 2*B, but we need M = A - 3*B */
if (!BN_sub(M, M, B)) {
goto err;
}
}
}
} else {
if (!BN_div(D, M, A, B, ctx)) {
if (BN_is_odd(Y)) {
if (!BN_uadd(Y, Y, n)) {
goto err;
}
}
/* Now
* A = D*B + M;
* thus we have
* (**) sign*Y*a == D*B + M (mod |n|). */
tmp = A; /* keep the BIGNUM object, the value does not matter */
/* (A, B) := (B, A mod B) ... */
A = B;
B = M;
/* ... so we have 0 <= B < A again */
/* Since the former M is now B and the former B is now A,
* (**) translates into
* sign*Y*a == D*A + B (mod |n|),
* i.e.
* sign*Y*a - D*A == B (mod |n|).
* Similarly, (*) translates into
* -sign*X*a == A (mod |n|).
*
* Thus,
* sign*Y*a + D*sign*X*a == B (mod |n|),
* i.e.
* sign*(Y + D*X)*a == B (mod |n|).
*
* So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
* -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|).
* Note that X and Y stay non-negative all the time. */
/* most of the time D is very small, so we can optimize tmp := D*X+Y */
if (BN_is_one(D)) {
if (!BN_add(tmp, X, Y)) {
goto err;
}
} else {
if (BN_is_word(D, 2)) {
if (!BN_lshift1(tmp, X)) {
goto err;
}
} else if (BN_is_word(D, 4)) {
if (!BN_lshift(tmp, X, 2)) {
goto err;
}
} else if (D->top == 1) {
if (!BN_copy(tmp, X)) {
goto err;
}
if (!BN_mul_word(tmp, D->d[0])) {
goto err;
}
} else {
if (!BN_mul(tmp, D, X, ctx)) {
goto err;
}
}
if (!BN_add(tmp, tmp, Y)) {
goto err;
}
/* now Y is even */
if (!BN_rshift1(Y, Y)) {
goto err;
}
}
if (shift > 0) {
if (!BN_rshift(A, A, shift)) {
goto err;
}
}
M = Y; /* keep the BIGNUM object, the value does not matter */
Y = X;
X = tmp;
sign = -sign;
/* We still have (1) and (2).
* Both A and B are odd.
* The following computations ensure that
*
* 0 <= B < |n|,
* 0 < A < |n|,
* (1) -sign*X*a == B (mod |n|),
* (2) sign*Y*a == A (mod |n|),
*
* and that either A or B is even in the next iteration. */
if (BN_ucmp(B, A) >= 0) {
/* -sign*(X + Y)*a == B - A (mod |n|) */
if (!BN_uadd(X, X, Y)) {
goto err;
}
/* NB: we could use BN_mod_add_quick(X, X, Y, n), but that
* actually makes the algorithm slower */
if (!BN_usub(B, B, A)) {
goto err;
}
} else {
/* sign*(X + Y)*a == A - B (mod |n|) */
if (!BN_uadd(Y, Y, X)) {
goto err;
}
/* as above, BN_mod_add_quick(Y, Y, X, n) would slow things down */
if (!BN_usub(A, A, B)) {
goto err;
}
}
}
@ -520,6 +389,216 @@ err:
return ret;
}
static int bn_mod_inverse_general(BIGNUM *out, int *out_no_inverse,
const BIGNUM *a, const BIGNUM *n,
BN_CTX *ctx) {
BIGNUM *A, *B, *X, *Y, *M, *D, *T;
int ret = 0;
int sign;
*out_no_inverse = 0;
BN_CTX_start(ctx);
A = BN_CTX_get(ctx);
B = BN_CTX_get(ctx);
X = BN_CTX_get(ctx);
D = BN_CTX_get(ctx);
M = BN_CTX_get(ctx);
Y = BN_CTX_get(ctx);
T = BN_CTX_get(ctx);
if (T == NULL) {
goto err;
}
BIGNUM *R = out;
BN_zero(Y);
if (!BN_one(X) || BN_copy(B, a) == NULL || BN_copy(A, n) == NULL) {
goto err;
}
A->neg = 0;
sign = -1;
/* From B = a mod |n|, A = |n| it follows that
*
* 0 <= B < A,
* -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|).
*/
/* general inversion algorithm */
while (!BN_is_zero(B)) {
BIGNUM *tmp;
/*
* 0 < B < A,
* (*) -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|) */
/* (D, M) := (A/B, A%B) ... */
if (BN_num_bits(A) == BN_num_bits(B)) {
if (!BN_one(D)) {
goto err;
}
if (!BN_sub(M, A, B)) {
goto err;
}
} else if (BN_num_bits(A) == BN_num_bits(B) + 1) {
/* A/B is 1, 2, or 3 */
if (!BN_lshift1(T, B)) {
goto err;
}
if (BN_ucmp(A, T) < 0) {
/* A < 2*B, so D=1 */
if (!BN_one(D)) {
goto err;
}
if (!BN_sub(M, A, B)) {
goto err;
}
} else {
/* A >= 2*B, so D=2 or D=3 */
if (!BN_sub(M, A, T)) {
goto err;
}
if (!BN_add(D, T, B)) {
goto err; /* use D (:= 3*B) as temp */
}
if (BN_ucmp(A, D) < 0) {
/* A < 3*B, so D=2 */
if (!BN_set_word(D, 2)) {
goto err;
}
/* M (= A - 2*B) already has the correct value */
} else {
/* only D=3 remains */
if (!BN_set_word(D, 3)) {
goto err;
}
/* currently M = A - 2*B, but we need M = A - 3*B */
if (!BN_sub(M, M, B)) {
goto err;
}
}
}
} else {
if (!BN_div(D, M, A, B, ctx)) {
goto err;
}
}
/* Now
* A = D*B + M;
* thus we have
* (**) sign*Y*a == D*B + M (mod |n|). */
tmp = A; /* keep the BIGNUM object, the value does not matter */
/* (A, B) := (B, A mod B) ... */
A = B;
B = M;
/* ... so we have 0 <= B < A again */
/* Since the former M is now B and the former B is now A,
* (**) translates into
* sign*Y*a == D*A + B (mod |n|),
* i.e.
* sign*Y*a - D*A == B (mod |n|).
* Similarly, (*) translates into
* -sign*X*a == A (mod |n|).
*
* Thus,
* sign*Y*a + D*sign*X*a == B (mod |n|),
* i.e.
* sign*(Y + D*X)*a == B (mod |n|).
*
* So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
* -sign*X*a == B (mod |n|),
* sign*Y*a == A (mod |n|).
* Note that X and Y stay non-negative all the time. */
/* most of the time D is very small, so we can optimize tmp := D*X+Y */
if (BN_is_one(D)) {
if (!BN_add(tmp, X, Y)) {
goto err;
}
} else {
if (BN_is_word(D, 2)) {
if (!BN_lshift1(tmp, X)) {
goto err;
}
} else if (BN_is_word(D, 4)) {
if (!BN_lshift(tmp, X, 2)) {
goto err;
}
} else if (D->top == 1) {
if (!BN_copy(tmp, X)) {
goto err;
}
if (!BN_mul_word(tmp, D->d[0])) {
goto err;
}
} else {
if (!BN_mul(tmp, D, X, ctx)) {
goto err;
}
}
if (!BN_add(tmp, tmp, Y)) {
goto err;
}
}
M = Y; /* keep the BIGNUM object, the value does not matter */
Y = X;
X = tmp;
sign = -sign;
}
if (!BN_is_one(A)) {
*out_no_inverse = 1;
OPENSSL_PUT_ERROR(BN, BN_R_NO_INVERSE);
goto err;
}
/* The while loop (Euclid's algorithm) ends when
* A == gcd(a,n);
* we have
* sign*Y*a == A (mod |n|),
* where Y is non-negative. */
if (sign < 0) {
if (!BN_sub(Y, n, Y)) {
goto err;
}
}
/* Now Y*a == A (mod |n|). */
/* Y*a == 1 (mod |n|) */
if (!Y->neg && BN_ucmp(Y, n) < 0) {
if (!BN_copy(R, Y)) {
goto err;
}
} else {
if (!BN_nnmod(R, Y, n, ctx)) {
goto err;
}
}
ret = 1;
err:
BN_CTX_end(ctx);
return ret;
}
static int bn_mod_inverse_ex(BIGNUM *out, int *out_no_inverse, const BIGNUM *a,
const BIGNUM *n, BN_CTX *ctx) {
if (BN_is_odd(n) && (BN_num_bits(n) <= (BN_BITS2 <= 32 ? 450 : 2048))) {
return bn_mod_inverse_odd(out, out_no_inverse, a, n, ctx);
}
return bn_mod_inverse_general(out, out_no_inverse, a, n, ctx);
}
BIGNUM *BN_mod_inverse(BIGNUM *out, const BIGNUM *a, const BIGNUM *n,
BN_CTX *ctx) {
int no_inverse;