2 * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the OpenSSL license (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
10 #include "internal/cryptlib.h"
13 static BIGNUM *euclid(BIGNUM *a, BIGNUM *b);
15 int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx)
29 if (BN_copy(a, in_a) == NULL)
31 if (BN_copy(b, in_b) == NULL)
36 if (BN_cmp(a, b) < 0) {
45 if (BN_copy(r, t) == NULL)
54 static BIGNUM *euclid(BIGNUM *a, BIGNUM *b)
63 while (!BN_is_zero(b)) {
70 if (!BN_rshift1(a, a))
72 if (BN_cmp(a, b) < 0) {
77 } else { /* a odd - b even */
79 if (!BN_rshift1(b, b))
81 if (BN_cmp(a, b) < 0) {
87 } else { /* a is even */
90 if (!BN_rshift1(a, a))
92 if (BN_cmp(a, b) < 0) {
97 } else { /* a even - b even */
99 if (!BN_rshift1(a, a))
101 if (!BN_rshift1(b, b))
110 if (!BN_lshift(a, a, shifts))
119 /* solves ax == 1 (mod n) */
120 static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
121 const BIGNUM *a, const BIGNUM *n,
124 BIGNUM *BN_mod_inverse(BIGNUM *in,
125 const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
129 rv = int_bn_mod_inverse(in, a, n, ctx, &noinv);
131 BNerr(BN_F_BN_MOD_INVERSE, BN_R_NO_INVERSE);
135 BIGNUM *int_bn_mod_inverse(BIGNUM *in,
136 const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx,
139 BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;
146 if ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0)
147 || (BN_get_flags(n, BN_FLG_CONSTTIME) != 0)) {
148 return BN_mod_inverse_no_branch(in, a, n, ctx);
174 if (BN_copy(B, a) == NULL)
176 if (BN_copy(A, n) == NULL)
179 if (B->neg || (BN_ucmp(B, A) >= 0)) {
180 if (!BN_nnmod(B, B, A, ctx))
185 * From B = a mod |n|, A = |n| it follows that
188 * -sign*X*a == B (mod |n|),
189 * sign*Y*a == A (mod |n|).
192 if (BN_is_odd(n) && (BN_num_bits(n) <= 2048)) {
194 * Binary inversion algorithm; requires odd modulus. This is faster
195 * than the general algorithm if the modulus is sufficiently small
196 * (about 400 .. 500 bits on 32-bit systems, but much more on 64-bit
201 while (!BN_is_zero(B)) {
205 * (1) -sign*X*a == B (mod |n|),
206 * (2) sign*Y*a == A (mod |n|)
210 * Now divide B by the maximum possible power of two in the
211 * integers, and divide X by the same value mod |n|. When we're
212 * done, (1) still holds.
215 while (!BN_is_bit_set(B, shift)) { /* note that 0 < B */
219 if (!BN_uadd(X, X, n))
223 * now X is even, so we can easily divide it by two
225 if (!BN_rshift1(X, X))
229 if (!BN_rshift(B, B, shift))
234 * Same for A and Y. Afterwards, (2) still holds.
237 while (!BN_is_bit_set(A, shift)) { /* note that 0 < A */
241 if (!BN_uadd(Y, Y, n))
245 if (!BN_rshift1(Y, Y))
249 if (!BN_rshift(A, A, shift))
254 * We still have (1) and (2).
255 * Both A and B are odd.
256 * The following computations ensure that
260 * (1) -sign*X*a == B (mod |n|),
261 * (2) sign*Y*a == A (mod |n|),
263 * and that either A or B is even in the next iteration.
265 if (BN_ucmp(B, A) >= 0) {
266 /* -sign*(X + Y)*a == B - A (mod |n|) */
267 if (!BN_uadd(X, X, Y))
270 * NB: we could use BN_mod_add_quick(X, X, Y, n), but that
271 * actually makes the algorithm slower
273 if (!BN_usub(B, B, A))
276 /* sign*(X + Y)*a == A - B (mod |n|) */
277 if (!BN_uadd(Y, Y, X))
280 * as above, BN_mod_add_quick(Y, Y, X, n) would slow things down
282 if (!BN_usub(A, A, B))
287 /* general inversion algorithm */
289 while (!BN_is_zero(B)) {
294 * (*) -sign*X*a == B (mod |n|),
295 * sign*Y*a == A (mod |n|)
298 /* (D, M) := (A/B, A%B) ... */
299 if (BN_num_bits(A) == BN_num_bits(B)) {
302 if (!BN_sub(M, A, B))
304 } else if (BN_num_bits(A) == BN_num_bits(B) + 1) {
305 /* A/B is 1, 2, or 3 */
306 if (!BN_lshift1(T, B))
308 if (BN_ucmp(A, T) < 0) {
309 /* A < 2*B, so D=1 */
312 if (!BN_sub(M, A, B))
315 /* A >= 2*B, so D=2 or D=3 */
316 if (!BN_sub(M, A, T))
318 if (!BN_add(D, T, B))
319 goto err; /* use D (:= 3*B) as temp */
320 if (BN_ucmp(A, D) < 0) {
321 /* A < 3*B, so D=2 */
322 if (!BN_set_word(D, 2))
325 * M (= A - 2*B) already has the correct value
328 /* only D=3 remains */
329 if (!BN_set_word(D, 3))
332 * currently M = A - 2*B, but we need M = A - 3*B
334 if (!BN_sub(M, M, B))
339 if (!BN_div(D, M, A, B, ctx))
347 * (**) sign*Y*a == D*B + M (mod |n|).
350 tmp = A; /* keep the BIGNUM object, the value does not matter */
352 /* (A, B) := (B, A mod B) ... */
355 /* ... so we have 0 <= B < A again */
358 * Since the former M is now B and the former B is now A,
359 * (**) translates into
360 * sign*Y*a == D*A + B (mod |n|),
362 * sign*Y*a - D*A == B (mod |n|).
363 * Similarly, (*) translates into
364 * -sign*X*a == A (mod |n|).
367 * sign*Y*a + D*sign*X*a == B (mod |n|),
369 * sign*(Y + D*X)*a == B (mod |n|).
371 * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
372 * -sign*X*a == B (mod |n|),
373 * sign*Y*a == A (mod |n|).
374 * Note that X and Y stay non-negative all the time.
378 * most of the time D is very small, so we can optimize tmp := D*X+Y
381 if (!BN_add(tmp, X, Y))
384 if (BN_is_word(D, 2)) {
385 if (!BN_lshift1(tmp, X))
387 } else if (BN_is_word(D, 4)) {
388 if (!BN_lshift(tmp, X, 2))
390 } else if (D->top == 1) {
391 if (!BN_copy(tmp, X))
393 if (!BN_mul_word(tmp, D->d[0]))
396 if (!BN_mul(tmp, D, X, ctx))
399 if (!BN_add(tmp, tmp, Y))
403 M = Y; /* keep the BIGNUM object, the value does not matter */
411 * The while loop (Euclid's algorithm) ends when
414 * sign*Y*a == A (mod |n|),
415 * where Y is non-negative.
419 if (!BN_sub(Y, n, Y))
422 /* Now Y*a == A (mod |n|). */
425 /* Y*a == 1 (mod |n|) */
426 if (!Y->neg && BN_ucmp(Y, n) < 0) {
430 if (!BN_nnmod(R, Y, n, ctx))
440 if ((ret == NULL) && (in == NULL))
448 * BN_mod_inverse_no_branch is a special version of BN_mod_inverse. It does
449 * not contain branches that may leak sensitive information.
451 static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
452 const BIGNUM *a, const BIGNUM *n,
455 BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;
482 if (BN_copy(B, a) == NULL)
484 if (BN_copy(A, n) == NULL)
488 if (B->neg || (BN_ucmp(B, A) >= 0)) {
490 * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
491 * BN_div_no_branch will be called eventually.
496 BN_with_flags(&local_B, B, BN_FLG_CONSTTIME);
497 if (!BN_nnmod(B, &local_B, A, ctx))
499 /* Ensure local_B goes out of scope before any further use of B */
504 * From B = a mod |n|, A = |n| it follows that
507 * -sign*X*a == B (mod |n|),
508 * sign*Y*a == A (mod |n|).
511 while (!BN_is_zero(B)) {
516 * (*) -sign*X*a == B (mod |n|),
517 * sign*Y*a == A (mod |n|)
521 * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
522 * BN_div_no_branch will be called eventually.
527 BN_with_flags(&local_A, A, BN_FLG_CONSTTIME);
529 /* (D, M) := (A/B, A%B) ... */
530 if (!BN_div(D, M, &local_A, B, ctx))
532 /* Ensure local_A goes out of scope before any further use of A */
539 * (**) sign*Y*a == D*B + M (mod |n|).
542 tmp = A; /* keep the BIGNUM object, the value does not
545 /* (A, B) := (B, A mod B) ... */
548 /* ... so we have 0 <= B < A again */
551 * Since the former M is now B and the former B is now A,
552 * (**) translates into
553 * sign*Y*a == D*A + B (mod |n|),
555 * sign*Y*a - D*A == B (mod |n|).
556 * Similarly, (*) translates into
557 * -sign*X*a == A (mod |n|).
560 * sign*Y*a + D*sign*X*a == B (mod |n|),
562 * sign*(Y + D*X)*a == B (mod |n|).
564 * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
565 * -sign*X*a == B (mod |n|),
566 * sign*Y*a == A (mod |n|).
567 * Note that X and Y stay non-negative all the time.
570 if (!BN_mul(tmp, D, X, ctx))
572 if (!BN_add(tmp, tmp, Y))
575 M = Y; /* keep the BIGNUM object, the value does not
583 * The while loop (Euclid's algorithm) ends when
586 * sign*Y*a == A (mod |n|),
587 * where Y is non-negative.
591 if (!BN_sub(Y, n, Y))
594 /* Now Y*a == A (mod |n|). */
597 /* Y*a == 1 (mod |n|) */
598 if (!Y->neg && BN_ucmp(Y, n) < 0) {
602 if (!BN_nnmod(R, Y, n, ctx))
606 BNerr(BN_F_BN_MOD_INVERSE_NO_BRANCH, BN_R_NO_INVERSE);
611 if ((ret == NULL) && (in == NULL))
projects / openssl.git / blob