| blob | 3dea5e721ad4795a788b754f2b4a222eea838a61 |
1 /* ***** BEGIN LICENSE BLOCK *****
2 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
3 *
4 * The contents of this file are subject to the Mozilla Public License Version
5 * 1.1 (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
7 * http://www.mozilla.org/MPL/
8 *
9 * Software distributed under the License is distributed on an "AS IS" basis,
10 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
11 * for the specific language governing rights and limitations under the
12 * License.
13 *
14 * The Original Code is the Netscape security libraries.
15 *
16 * The Initial Developer of the Original Code is
17 * Netscape Communications Corporation.
18 * Portions created by the Initial Developer are Copyright (C) 2000
19 * the Initial Developer. All Rights Reserved.
20 *
21 * Contributor(s):
22 * Sheueling Chang Shantz <sheueling.chang@sun.com>,
23 * Stephen Fung <stephen.fung@sun.com>, and
24 * Douglas Stebila <douglas@stebila.ca> of Sun Laboratories.
25 *
26 * Alternatively, the contents of this file may be used under the terms of
27 * either the GNU General Public License Version 2 or later (the "GPL"), or
28 * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
29 * in which case the provisions of the GPL or the LGPL are applicable instead
30 * of those above. If you wish to allow use of your version of this file only
31 * under the terms of either the GPL or the LGPL, and not to allow others to
32 * use your version of this file under the terms of the MPL, indicate your
33 * decision by deleting the provisions above and replace them with the notice
34 * and other provisions required by the GPL or the LGPL. If you do not delete
35 * the provisions above, a recipient may use your version of this file under
36 * the terms of any one of the MPL, the GPL or the LGPL.
37 *
38 * ***** END LICENSE BLOCK ***** */
39 /* $Id: mpmontg.c,v 1.20 2006/08/29 02:41:38 nelson%bolyard.com Exp $ */
41 /* This file implements moduluar exponentiation using Montgomery's
42 * method for modular reduction. This file implements the method
43 * described as "Improvement 1" in the paper "A Cryptogrpahic Library for
44 * the Motorola DSP56000" by Stephen R. Dusse' and Burton S. Kaliski Jr.
45 * published in "Advances in Cryptology: Proceedings of EUROCRYPT '90"
46 * "Lecture Notes in Computer Science" volume 473, 1991, pg 230-244,
47 * published by Springer Verlag.
48 */
50 #define MP_USING_CACHE_SAFE_MOD_EXP 1
51 #include <string.h>
55 #ifdef MP_USING_MONT_MULF
57 #endif
60 /* if MP_CHAR_STORE_SLOW is defined, we */
61 /* need to know endianness of this platform. */
62 #ifdef MP_CHAR_STORE_SLOW
63 #if !defined(MP_IS_BIG_ENDIAN) && !defined(MP_IS_LITTLE_ENDIAN)
65 " if you define MP_CHAR_STORE_SLOW."
66 #endif
67 #endif
69 #define STATIC
73 #if defined(_WIN32_WCE)
74 #define ABORT res = MP_UNDEF; goto CLEANUP
75 #else
76 #define ABORT abort()
77 #endif
79 /* computes T = REDC(T), 2^b == R */
81 {
82 mp_err res;
83 mp_size i;
89 /* T += N * m_i * (MP_RADIX ** i); */
91 }
94 /* T /= R */
98 /* T = T - N */
100 #ifdef DEBUG
104 }
105 #endif
106 }
108 CLEANUP:
110 }
112 #if !defined(MP_ASSEMBLY_MUL_MONT) && !defined(MP_MONT_USE_MP_MUL)
115 {
117 mp_digit m_i;
118 mp_err res;
119 mp_size ib;
128 }
142 /* Outer loop: Digits of b */
147 /* Inner product: Digits of a */
152 }
157 }
158 }
163 }
166 CLEANUP:
168 }
169 #endif
171 STATIC
173 {
174 mp_err res;
176 /* xMont = x * R mod N where N is modulus */
179 CLEANUP:
181 }
183 #ifdef MP_USING_MONT_MULF
185 /* the floating point multiply is already cache safe,
186 * don't turn on cache safe unless we specifically
187 * force it */
188 #ifndef MP_FORCE_CACHE_SAFE
189 #undef MP_USING_CACHE_SAFE_MOD_EXP
190 #endif
194 /* computes montgomery square of the integer in mResult */
195 #define SQR \
196 conv_i32_to_d32_and_d16(dm1, d16Tmp, mResult, nLen); \
197 mont_mulf_noconv(mResult, dm1, d16Tmp, \
198 dTmp, dn, MP_DIGITS(modulus), nLen, dn0)
200 /* computes montgomery product of x and the integer in mResult */
201 #define MUL(x) \
202 conv_i32_to_d32(dm1, mResult, nLen); \
203 mont_mulf_noconv(mResult, dm1, oddPowers[x], \
204 dTmp, dn, MP_DIGITS(modulus), nLen, dn0)
206 /* Do modular exponentiation using floating point multiply code. */
213 mp_size bits_in_exponent,
214 mp_size window_bits,
215 mp_size odd_ints)
216 {
220 mp_size i;
221 mp_err res;
224 mp_int accum1;
227 /* function for computing n0prime only works if n0 is odd */
254 }
257 /* Make dn and dn0 */
261 /* Make dSqr */
271 }
276 mp_size smallExp;
282 SQR;
286 ABORT;
287 }
300 ABORT;
301 }
316 ABORT;
317 }
334 ABORT;
335 }
337 ABORT;
338 }
339 }
346 CLEANUP:
352 }
355 }
356 #undef SQR
357 #undef MUL
358 #endif
360 #define SQR(a,b) \
361 MP_CHECKOK( mp_sqr(a, b) );\
362 MP_CHECKOK( s_mp_redc(b, mmm) )
364 #if defined(MP_MONT_USE_MP_MUL)
365 #define MUL(x,a,b) \
366 MP_CHECKOK( mp_mul(a, oddPowers + (x), b) ); \
367 MP_CHECKOK( s_mp_redc(b, mmm) )
368 #else
369 #define MUL(x,a,b) \
370 MP_CHECKOK( s_mp_mul_mont(a, oddPowers + (x), b, mmm) )
371 #endif
373 #define SWAPPA ptmp = pa1; pa1 = pa2; pa2 = ptmp
375 /* Do modular exponentiation using integer multiply code. */
382 mp_size bits_in_exponent,
383 mp_size window_bits,
384 mp_size odd_ints)
385 {
387 mp_size i;
388 mp_err res;
392 /* power2 = base ** 2; oddPowers[i] = base ** (2*i + 1); */
393 /* oddPowers[i] = base ** (2*i + 1); */
400 }
415 }
417 /* set accumulator to montgomery residue of 1 */
424 mp_size smallExp;
434 ABORT;
435 }
452 ABORT;
453 }
474 ABORT;
475 }
500 ABORT;
501 }
503 ABORT;
504 }
505 }
510 CLEANUP:
516 }
518 }
519 #undef SQR
520 #undef MUL
522 #ifdef MP_USING_CACHE_SAFE_MOD_EXP
524 #endif
527 {
528 #ifdef MP_USING_CACHE_SAFE_MOD_EXP
531 #else
534 }
536 #endif
537 }
539 #ifdef MP_USING_CACHE_SAFE_MOD_EXP
540 #define WEAVE_WORD_SIZE 4
542 #ifndef MP_CHAR_STORE_SLOW
543 /*
544 * mpi_to_weave takes an array of bignums, a matrix in which each bignum
545 * occupies all the columns of a row, and transposes it into a matrix in
546 * which each bignum occupies a column of every row. The first row of the
547 * input matrix becomes the first column of the output matrix. The n'th
548 * row of input becomes the n'th column of output. The input data is said
549 * to be "interleaved" or "woven" into the output matrix.
550 *
551 * The array of bignums is left in this woven form. Each time a single
552 * bignum value is needed, it is recreated by fetching the n'th column,
553 * forming a single row which is the new bignum.
554 *
555 * The purpose of this interleaving is make it impossible to determine which
556 * of the bignums is being used in any one operation by examining the pattern
557 * of cache misses.
558 *
559 * The weaving function does not transpose the entire input matrix in one call.
560 * It transposes 4 rows of mp_ints into their respective columns of output.
561 *
562 * There are two different implementations of the weaving and unweaving code
563 * in this file. One uses byte loads and stores. The second uses loads and
564 * stores of mp_weave_word size values. The weaved forms of these two
565 * implementations differ. Consequently, each one has its own explanation.
566 *
567 * Here is the explanation for the byte-at-a-time implementation.
568 *
569 * This implementation treats each mp_int bignum as an array of bytes,
570 * rather than as an array of mp_digits. It stores those bytes as a
571 * column of bytes in the output matrix. It doesn't care if the machine
572 * uses big-endian or little-endian byte ordering within mp_digits.
573 * The first byte of the mp_digit array becomes the first byte in the output
574 * column, regardless of whether that byte is the MSB or LSB of the mp_digit.
575 *
576 * "bignums" is an array of mp_ints.
577 * It points to four rows, four mp_ints, a subset of a larger array of mp_ints.
578 *
579 * "weaved" is the weaved output matrix.
580 * The first byte of bignums[0] is stored in weaved[0].
581 *
582 * "nBignums" is the total number of bignums in the array of which "bignums"
583 * is a part.
584 *
585 * "nDigits" is the size in mp_digits of each mp_int in the "bignums" array.
586 * mp_ints that use less than nDigits digits are logically padded with zeros
587 * while being stored in the weaved array.
588 */
593 {
594 mp_size i;
609 }
613 }
614 }
617 }
619 /* Reverse the operation above for one mp_int.
620 * Reconstruct one mp_int from its column in the weaved array.
621 * "pSrc" points to the offset into the weave array of the bignum we
622 * are going to reconstruct.
623 */
628 {
637 }
640 }
642 #else
644 /* Need a primitive that we know is 32 bits long... */
645 /* this is true on all modern processors we know of today*/
648 /*
649 * on some platforms character stores into memory is very expensive since they
650 * generate a read/modify/write operation on the bus. On those platforms
651 * we need to do integer writes to the bus. Because of some unrolled code,
652 * in this current code the size of mp_weave_word must be four. The code that
653 * makes this assumption explicity is called out. (on some platforms a write
654 * of 4 bytes still requires a single read-modify-write operation.
655 *
656 * This function is takes the identical parameters as the function above,
657 * however it lays out the final array differently. Where the previous function
658 * treats the mpi_int as an byte array, this function treats it as an array of
659 * mp_digits where each digit is stored in big endian order.
660 *
661 * since we need to interleave on a byte by byte basis, we need to collect
662 * several mpi structures together into a single uint32 before we write. We
663 * also need to make sure the uint32 is arranged so that the first value of
664 * the first array winds up in b[0]. This means construction of that uint32
665 * is endian specific (even though the layout of the mp_digits in the array
666 * is always big endian).
667 *
668 * The final data is stored as follows :
669 *
670 * Our same logical array p array, m is sizeof(mp_digit),
671 * N is still count and n is now b_size. If we define p[i].digit[j]0 as the
672 * most significant byte of the word p[i].digit[j], p[i].digit[j]1 as
673 * the next most significant byte of p[i].digit[j], ... and p[i].digit[j]m-1
674 * is the least significant byte.
675 * Our array would look like:
676 * p[0].digit[0]0 p[1].digit[0]0 ... p[N-2].digit[0]0 p[N-1].digit[0]0
677 * p[0].digit[0]1 p[1].digit[0]1 ... p[N-2].digit[0]1 p[N-1].digit[0]1
678 * . .
679 * p[0].digit[0]m-1 p[1].digit[0]m-1 ... p[N-2].digit[0]m-1 p[N-1].digit[0]m-1
680 * p[0].digit[1]0 p[1].digit[1]0 ... p[N-2].digit[1]0 p[N-1].digit[1]0
681 * . .
682 * . .
683 * p[0].digit[n-1]m-2 p[1].digit[n-1]m-2 ... p[N-2].digit[n-1]m-2 p[N-1].digit[n-1]m-2
684 * p[0].digit[n-1]m-1 p[1].digit[n-1]m-1 ... p[N-2].digit[n-1]m-1 p[N-1].digit[n-1]m-1
685 *
686 */
689 {
690 mp_size i;
695 mp_size useda0;
696 mp_size useda1;
697 mp_size useda2;
698 mp_size useda3;
703 /* this code pretty much depends on this ! */
704 #if MP_ARGCHK == 2
707 #endif
727 #define SAFE_FETCH(digit, used, word) ((word) < (used) ? (digit[word]) : 0)
736 /*
737 * ONE_STEP takes the MSB of each of our current digits and places that
738 * byte in the appropriate position for writing to the weaved array.
739 * On little endian:
740 * b3 b2 b1 b0
741 * On big endian:
742 * b0 b1 b2 b3
743 * When the data is written it would always wind up:
744 * b[0] = b0
745 * b[1] = b1
746 * b[2] = b2
747 * b[3] = b3
748 *
749 * Once we've written the MSB, we shift the whole digit up left one
750 * byte, putting the Next Most Significant Byte in the MSB position,
751 * so we we repeat the next one step that byte will be written.
752 * NOTE: This code assumes sizeof(mp_weave_word) and MP_WEAVE_WORD_SIZE
753 * is 4.
754 */
755 #ifdef MP_IS_LITTLE_ENDIAN
756 #define MPI_WEAVE_ONE_STEP \
761 *weaved = acc; weaved += count;
762 #else
763 #define MPI_WEAVE_ONE_STEP \
768 *weaved = acc; weaved += count;
769 #endif
772 MPI_WEAVE_ONE_STEP
773 MPI_WEAVE_ONE_STEP
774 MPI_WEAVE_ONE_STEP
775 MPI_WEAVE_ONE_STEP
776 MPI_WEAVE_ONE_STEP
777 MPI_WEAVE_ONE_STEP
778 MPI_WEAVE_ONE_STEP
779 MPI_WEAVE_ONE_STEP
780 MPI_WEAVE_ONE_STEP
781 MPI_WEAVE_ONE_STEP
782 MPI_WEAVE_ONE_STEP
783 MPI_WEAVE_ONE_STEP
784 MPI_WEAVE_ONE_STEP
785 MPI_WEAVE_ONE_STEP
786 MPI_WEAVE_ONE_STEP
787 MPI_WEAVE_ONE_STEP
789 MPI_WEAVE_ONE_STEP
790 MPI_WEAVE_ONE_STEP
791 MPI_WEAVE_ONE_STEP
792 MPI_WEAVE_ONE_STEP
793 MPI_WEAVE_ONE_STEP
794 MPI_WEAVE_ONE_STEP
795 MPI_WEAVE_ONE_STEP
796 MPI_WEAVE_ONE_STEP
798 MPI_WEAVE_ONE_STEP
799 MPI_WEAVE_ONE_STEP
800 MPI_WEAVE_ONE_STEP
801 MPI_WEAVE_ONE_STEP
803 MPI_WEAVE_ONE_STEP
804 MPI_WEAVE_ONE_STEP
806 MPI_WEAVE_ONE_STEP
808 MPI_WEAVE_ONE_STEP
810 }
811 }
814 }
816 /* reverse the operation above for one entry.
817 * b points to the offset into the weave array of the power we are
818 * calculating */
821 {
832 #define MPI_UNWEAVE_ONE_STEP digit |= *b; b += count; digit = digit << 8;
835 MPI_UNWEAVE_ONE_STEP
836 MPI_UNWEAVE_ONE_STEP
837 MPI_UNWEAVE_ONE_STEP
838 MPI_UNWEAVE_ONE_STEP
839 MPI_UNWEAVE_ONE_STEP
840 MPI_UNWEAVE_ONE_STEP
841 MPI_UNWEAVE_ONE_STEP
842 MPI_UNWEAVE_ONE_STEP
843 MPI_UNWEAVE_ONE_STEP
844 MPI_UNWEAVE_ONE_STEP
845 MPI_UNWEAVE_ONE_STEP
846 MPI_UNWEAVE_ONE_STEP
847 MPI_UNWEAVE_ONE_STEP
848 MPI_UNWEAVE_ONE_STEP
849 MPI_UNWEAVE_ONE_STEP
850 MPI_UNWEAVE_ONE_STEP
852 MPI_UNWEAVE_ONE_STEP
853 MPI_UNWEAVE_ONE_STEP
854 MPI_UNWEAVE_ONE_STEP
855 MPI_UNWEAVE_ONE_STEP
856 MPI_UNWEAVE_ONE_STEP
857 MPI_UNWEAVE_ONE_STEP
858 MPI_UNWEAVE_ONE_STEP
859 MPI_UNWEAVE_ONE_STEP
861 MPI_UNWEAVE_ONE_STEP
862 MPI_UNWEAVE_ONE_STEP
863 MPI_UNWEAVE_ONE_STEP
864 MPI_UNWEAVE_ONE_STEP
866 MPI_UNWEAVE_ONE_STEP
867 MPI_UNWEAVE_ONE_STEP
870 }
874 }
877 }
878 #endif
881 #define SQR(a,b) \
882 MP_CHECKOK( mp_sqr(a, b) );\
883 MP_CHECKOK( s_mp_redc(b, mmm) )
885 #if defined(MP_MONT_USE_MP_MUL)
886 #define MUL_NOWEAVE(x,a,b) \
887 MP_CHECKOK( mp_mul(a, x, b) ); \
888 MP_CHECKOK( s_mp_redc(b, mmm) )
889 #else
890 #define MUL_NOWEAVE(x,a,b) \
891 MP_CHECKOK( s_mp_mul_mont(a, x, b, mmm) )
892 #endif
894 #define MUL(x,a,b) \
895 MP_CHECKOK( weave_to_mpi(&tmp, powers + (x), nLen, num_powers) ); \
896 MUL_NOWEAVE(&tmp,a,b)
898 #define SWAPPA ptmp = pa1; pa1 = pa2; pa2 = ptmp
899 #define MP_ALIGN(x,y) ((((ptrdiff_t)(x))+((y)-1))&(((ptrdiff_t)0)-(y)))
901 /* Do modular exponentiation using integer multiply code. */
908 mp_size bits_in_exponent,
909 mp_size window_bits,
910 mp_size num_powers)
911 {
913 mp_size i;
914 mp_size first_window;
915 mp_err res;
918 mp_int tmp;
934 }
936 /* powers[i] = base ** (i); */
939 /* grab the first window value. This allows us to preload accumulator1
940 * and save a conversion, some squares and a multiple*/
949 /* build the first WEAVE_WORD powers inline */
950 /* if WEAVE_WORD_SIZE is not 4, this code will have to change */
965 }
971 /* assert first_window == 1? */
973 }
974 }
976 /*
977 * calculate all the powers in the powers array.
978 * this adds 2**(k-1)-2 square operations over just calculating the
979 * odd powers where k is the window size in the two other mp_modexpt
980 * implementations in this file. We will get some of that
981 * back by not needing the first 'k' squares and one multiply for the
982 * first window */
987 /* we've filled the array do our 'per array' processing */
996 }
997 }
999 /* up to 8 we can find 2^i-1 in the accum array, but at 8 we our source
1000 * and target are the same so we need to copy.. After that, the
1001 * value is overwritten, so we need to fetch it from the stored
1002 * weave array */
1009 /* copy is cheaper than weave_to_mpi */
1014 }
1015 }
1016 }
1017 }
1018 /* if the accum1 isn't set, Then there is something wrong with our logic
1019 * above and is an internal programming error.
1020 */
1021 #if MP_ARGCHK == 2
1023 #endif
1025 /* set accumulator to montgomery residue of 1 */
1030 mp_size smallExp;
1034 /* handle unroll the loops */
1042 ABORT;
1043 }
1047 /* fall through */
1058 }
1059 }
1064 CLEANUP:
1072 /* PORT_Memset(powers,0,num_powers*nLen*sizeof(mp_digit)); */
1075 }
1076 #undef SQR
1077 #undef MUL
1078 #endif
1082 {
1085 mp_err res;
1088 mp_mont_modulus mmm;
1089 #ifdef MP_USING_CACHE_SAFE_MOD_EXP
1091 #endif
1093 /* function for computing n0prime only works if n0 is odd */
1106 }
1116 /* compute n0', given n0, n0' = -(n0 ** -1) mod MP_RADIX
1117 ** where n0 = least significant mp_digit of N, the modulus.
1118 */
1124 #ifdef MP_USING_CACHE_SAFE_MOD_EXP
1132 /* RSA public key exponents are typically under 20 bits (common values
1133 * are: 3, 17, 65537) and a 4-bit window is inefficient
1134 */
1135 else
1138 #endif
1145 /* RSA public key exponents are typically under 20 bits (common values
1146 * are: 3, 17, 65537) and a 4-bit window is inefficient
1147 */
1148 else
1151 #ifdef MP_USING_CACHE_SAFE_MOD_EXP
1152 /*
1153 * clamp the window size based on
1154 * the cache line size.
1155 */
1158 /* processor has no cache, use 'fast' code always */
1161 }
1169 }
1171 /* clamp the window size down before we caclulate bits_in_exponent */
1175 }
1176 }
1177 #endif
1183 }
1185 #ifdef MP_USING_MONT_MULF
1191 #endif
1192 #ifdef MP_USING_CACHE_SAFE_MOD_EXP
1197 #endif
1201 CLEANUP:
1204 /* Don't mp_clear mmm.N because it is merely a copy of modulus.
1205 ** Just zap it.
1206 */
1209 }