bn_gcd.c 19 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645
  1. /*
  2. * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
  3. *
  4. * Licensed under the OpenSSL license (the "License"). You may not use
  5. * this file except in compliance with the License. You can obtain a copy
  6. * in the file LICENSE in the source distribution or at
  7. * https://www.openssl.org/source/license.html
  8. */
  9. #include "internal/cryptlib.h"
  10. #include "bn_local.h"
  11. /*
  12. * bn_mod_inverse_no_branch is a special version of BN_mod_inverse. It does
  13. * not contain branches that may leak sensitive information.
  14. *
  15. * This is a static function, we ensure all callers in this file pass valid
  16. * arguments: all passed pointers here are non-NULL.
  17. */
  18. static ossl_inline
  19. BIGNUM *bn_mod_inverse_no_branch(BIGNUM *in,
  20. const BIGNUM *a, const BIGNUM *n,
  21. BN_CTX *ctx, int *pnoinv)
  22. {
  23. BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;
  24. BIGNUM *ret = NULL;
  25. int sign;
  26. bn_check_top(a);
  27. bn_check_top(n);
  28. BN_CTX_start(ctx);
  29. A = BN_CTX_get(ctx);
  30. B = BN_CTX_get(ctx);
  31. X = BN_CTX_get(ctx);
  32. D = BN_CTX_get(ctx);
  33. M = BN_CTX_get(ctx);
  34. Y = BN_CTX_get(ctx);
  35. T = BN_CTX_get(ctx);
  36. if (T == NULL)
  37. goto err;
  38. if (in == NULL)
  39. R = BN_new();
  40. else
  41. R = in;
  42. if (R == NULL)
  43. goto err;
  44. BN_one(X);
  45. BN_zero(Y);
  46. if (BN_copy(B, a) == NULL)
  47. goto err;
  48. if (BN_copy(A, n) == NULL)
  49. goto err;
  50. A->neg = 0;
  51. if (B->neg || (BN_ucmp(B, A) >= 0)) {
  52. /*
  53. * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
  54. * BN_div_no_branch will be called eventually.
  55. */
  56. {
  57. BIGNUM local_B;
  58. bn_init(&local_B);
  59. BN_with_flags(&local_B, B, BN_FLG_CONSTTIME);
  60. if (!BN_nnmod(B, &local_B, A, ctx))
  61. goto err;
  62. /* Ensure local_B goes out of scope before any further use of B */
  63. }
  64. }
  65. sign = -1;
  66. /*-
  67. * From B = a mod |n|, A = |n| it follows that
  68. *
  69. * 0 <= B < A,
  70. * -sign*X*a == B (mod |n|),
  71. * sign*Y*a == A (mod |n|).
  72. */
  73. while (!BN_is_zero(B)) {
  74. BIGNUM *tmp;
  75. /*-
  76. * 0 < B < A,
  77. * (*) -sign*X*a == B (mod |n|),
  78. * sign*Y*a == A (mod |n|)
  79. */
  80. /*
  81. * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
  82. * BN_div_no_branch will be called eventually.
  83. */
  84. {
  85. BIGNUM local_A;
  86. bn_init(&local_A);
  87. BN_with_flags(&local_A, A, BN_FLG_CONSTTIME);
  88. /* (D, M) := (A/B, A%B) ... */
  89. if (!BN_div(D, M, &local_A, B, ctx))
  90. goto err;
  91. /* Ensure local_A goes out of scope before any further use of A */
  92. }
  93. /*-
  94. * Now
  95. * A = D*B + M;
  96. * thus we have
  97. * (**) sign*Y*a == D*B + M (mod |n|).
  98. */
  99. tmp = A; /* keep the BIGNUM object, the value does not
  100. * matter */
  101. /* (A, B) := (B, A mod B) ... */
  102. A = B;
  103. B = M;
  104. /* ... so we have 0 <= B < A again */
  105. /*-
  106. * Since the former M is now B and the former B is now A,
  107. * (**) translates into
  108. * sign*Y*a == D*A + B (mod |n|),
  109. * i.e.
  110. * sign*Y*a - D*A == B (mod |n|).
  111. * Similarly, (*) translates into
  112. * -sign*X*a == A (mod |n|).
  113. *
  114. * Thus,
  115. * sign*Y*a + D*sign*X*a == B (mod |n|),
  116. * i.e.
  117. * sign*(Y + D*X)*a == B (mod |n|).
  118. *
  119. * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
  120. * -sign*X*a == B (mod |n|),
  121. * sign*Y*a == A (mod |n|).
  122. * Note that X and Y stay non-negative all the time.
  123. */
  124. if (!BN_mul(tmp, D, X, ctx))
  125. goto err;
  126. if (!BN_add(tmp, tmp, Y))
  127. goto err;
  128. M = Y; /* keep the BIGNUM object, the value does not
  129. * matter */
  130. Y = X;
  131. X = tmp;
  132. sign = -sign;
  133. }
  134. /*-
  135. * The while loop (Euclid's algorithm) ends when
  136. * A == gcd(a,n);
  137. * we have
  138. * sign*Y*a == A (mod |n|),
  139. * where Y is non-negative.
  140. */
  141. if (sign < 0) {
  142. if (!BN_sub(Y, n, Y))
  143. goto err;
  144. }
  145. /* Now Y*a == A (mod |n|). */
  146. if (BN_is_one(A)) {
  147. /* Y*a == 1 (mod |n|) */
  148. if (!Y->neg && BN_ucmp(Y, n) < 0) {
  149. if (!BN_copy(R, Y))
  150. goto err;
  151. } else {
  152. if (!BN_nnmod(R, Y, n, ctx))
  153. goto err;
  154. }
  155. } else {
  156. *pnoinv = 1;
  157. /* caller sets the BN_R_NO_INVERSE error */
  158. goto err;
  159. }
  160. ret = R;
  161. *pnoinv = 0;
  162. err:
  163. if ((ret == NULL) && (in == NULL))
  164. BN_free(R);
  165. BN_CTX_end(ctx);
  166. bn_check_top(ret);
  167. return ret;
  168. }
  169. /*
  170. * This is an internal function, we assume all callers pass valid arguments:
  171. * all pointers passed here are assumed non-NULL.
  172. */
  173. BIGNUM *int_bn_mod_inverse(BIGNUM *in,
  174. const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx,
  175. int *pnoinv)
  176. {
  177. BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;
  178. BIGNUM *ret = NULL;
  179. int sign;
  180. /* This is invalid input so we don't worry about constant time here */
  181. if (BN_abs_is_word(n, 1) || BN_is_zero(n)) {
  182. *pnoinv = 1;
  183. return NULL;
  184. }
  185. *pnoinv = 0;
  186. if ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0)
  187. || (BN_get_flags(n, BN_FLG_CONSTTIME) != 0)) {
  188. return bn_mod_inverse_no_branch(in, a, n, ctx, pnoinv);
  189. }
  190. bn_check_top(a);
  191. bn_check_top(n);
  192. BN_CTX_start(ctx);
  193. A = BN_CTX_get(ctx);
  194. B = BN_CTX_get(ctx);
  195. X = BN_CTX_get(ctx);
  196. D = BN_CTX_get(ctx);
  197. M = BN_CTX_get(ctx);
  198. Y = BN_CTX_get(ctx);
  199. T = BN_CTX_get(ctx);
  200. if (T == NULL)
  201. goto err;
  202. if (in == NULL)
  203. R = BN_new();
  204. else
  205. R = in;
  206. if (R == NULL)
  207. goto err;
  208. BN_one(X);
  209. BN_zero(Y);
  210. if (BN_copy(B, a) == NULL)
  211. goto err;
  212. if (BN_copy(A, n) == NULL)
  213. goto err;
  214. A->neg = 0;
  215. if (B->neg || (BN_ucmp(B, A) >= 0)) {
  216. if (!BN_nnmod(B, B, A, ctx))
  217. goto err;
  218. }
  219. sign = -1;
  220. /*-
  221. * From B = a mod |n|, A = |n| it follows that
  222. *
  223. * 0 <= B < A,
  224. * -sign*X*a == B (mod |n|),
  225. * sign*Y*a == A (mod |n|).
  226. */
  227. if (BN_is_odd(n) && (BN_num_bits(n) <= 2048)) {
  228. /*
  229. * Binary inversion algorithm; requires odd modulus. This is faster
  230. * than the general algorithm if the modulus is sufficiently small
  231. * (about 400 .. 500 bits on 32-bit systems, but much more on 64-bit
  232. * systems)
  233. */
  234. int shift;
  235. while (!BN_is_zero(B)) {
  236. /*-
  237. * 0 < B < |n|,
  238. * 0 < A <= |n|,
  239. * (1) -sign*X*a == B (mod |n|),
  240. * (2) sign*Y*a == A (mod |n|)
  241. */
  242. /*
  243. * Now divide B by the maximum possible power of two in the
  244. * integers, and divide X by the same value mod |n|. When we're
  245. * done, (1) still holds.
  246. */
  247. shift = 0;
  248. while (!BN_is_bit_set(B, shift)) { /* note that 0 < B */
  249. shift++;
  250. if (BN_is_odd(X)) {
  251. if (!BN_uadd(X, X, n))
  252. goto err;
  253. }
  254. /*
  255. * now X is even, so we can easily divide it by two
  256. */
  257. if (!BN_rshift1(X, X))
  258. goto err;
  259. }
  260. if (shift > 0) {
  261. if (!BN_rshift(B, B, shift))
  262. goto err;
  263. }
  264. /*
  265. * Same for A and Y. Afterwards, (2) still holds.
  266. */
  267. shift = 0;
  268. while (!BN_is_bit_set(A, shift)) { /* note that 0 < A */
  269. shift++;
  270. if (BN_is_odd(Y)) {
  271. if (!BN_uadd(Y, Y, n))
  272. goto err;
  273. }
  274. /* now Y is even */
  275. if (!BN_rshift1(Y, Y))
  276. goto err;
  277. }
  278. if (shift > 0) {
  279. if (!BN_rshift(A, A, shift))
  280. goto err;
  281. }
  282. /*-
  283. * We still have (1) and (2).
  284. * Both A and B are odd.
  285. * The following computations ensure that
  286. *
  287. * 0 <= B < |n|,
  288. * 0 < A < |n|,
  289. * (1) -sign*X*a == B (mod |n|),
  290. * (2) sign*Y*a == A (mod |n|),
  291. *
  292. * and that either A or B is even in the next iteration.
  293. */
  294. if (BN_ucmp(B, A) >= 0) {
  295. /* -sign*(X + Y)*a == B - A (mod |n|) */
  296. if (!BN_uadd(X, X, Y))
  297. goto err;
  298. /*
  299. * NB: we could use BN_mod_add_quick(X, X, Y, n), but that
  300. * actually makes the algorithm slower
  301. */
  302. if (!BN_usub(B, B, A))
  303. goto err;
  304. } else {
  305. /* sign*(X + Y)*a == A - B (mod |n|) */
  306. if (!BN_uadd(Y, Y, X))
  307. goto err;
  308. /*
  309. * as above, BN_mod_add_quick(Y, Y, X, n) would slow things down
  310. */
  311. if (!BN_usub(A, A, B))
  312. goto err;
  313. }
  314. }
  315. } else {
  316. /* general inversion algorithm */
  317. while (!BN_is_zero(B)) {
  318. BIGNUM *tmp;
  319. /*-
  320. * 0 < B < A,
  321. * (*) -sign*X*a == B (mod |n|),
  322. * sign*Y*a == A (mod |n|)
  323. */
  324. /* (D, M) := (A/B, A%B) ... */
  325. if (BN_num_bits(A) == BN_num_bits(B)) {
  326. if (!BN_one(D))
  327. goto err;
  328. if (!BN_sub(M, A, B))
  329. goto err;
  330. } else if (BN_num_bits(A) == BN_num_bits(B) + 1) {
  331. /* A/B is 1, 2, or 3 */
  332. if (!BN_lshift1(T, B))
  333. goto err;
  334. if (BN_ucmp(A, T) < 0) {
  335. /* A < 2*B, so D=1 */
  336. if (!BN_one(D))
  337. goto err;
  338. if (!BN_sub(M, A, B))
  339. goto err;
  340. } else {
  341. /* A >= 2*B, so D=2 or D=3 */
  342. if (!BN_sub(M, A, T))
  343. goto err;
  344. if (!BN_add(D, T, B))
  345. goto err; /* use D (:= 3*B) as temp */
  346. if (BN_ucmp(A, D) < 0) {
  347. /* A < 3*B, so D=2 */
  348. if (!BN_set_word(D, 2))
  349. goto err;
  350. /*
  351. * M (= A - 2*B) already has the correct value
  352. */
  353. } else {
  354. /* only D=3 remains */
  355. if (!BN_set_word(D, 3))
  356. goto err;
  357. /*
  358. * currently M = A - 2*B, but we need M = A - 3*B
  359. */
  360. if (!BN_sub(M, M, B))
  361. goto err;
  362. }
  363. }
  364. } else {
  365. if (!BN_div(D, M, A, B, ctx))
  366. goto err;
  367. }
  368. /*-
  369. * Now
  370. * A = D*B + M;
  371. * thus we have
  372. * (**) sign*Y*a == D*B + M (mod |n|).
  373. */
  374. tmp = A; /* keep the BIGNUM object, the value does not matter */
  375. /* (A, B) := (B, A mod B) ... */
  376. A = B;
  377. B = M;
  378. /* ... so we have 0 <= B < A again */
  379. /*-
  380. * Since the former M is now B and the former B is now A,
  381. * (**) translates into
  382. * sign*Y*a == D*A + B (mod |n|),
  383. * i.e.
  384. * sign*Y*a - D*A == B (mod |n|).
  385. * Similarly, (*) translates into
  386. * -sign*X*a == A (mod |n|).
  387. *
  388. * Thus,
  389. * sign*Y*a + D*sign*X*a == B (mod |n|),
  390. * i.e.
  391. * sign*(Y + D*X)*a == B (mod |n|).
  392. *
  393. * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
  394. * -sign*X*a == B (mod |n|),
  395. * sign*Y*a == A (mod |n|).
  396. * Note that X and Y stay non-negative all the time.
  397. */
  398. /*
  399. * most of the time D is very small, so we can optimize tmp := D*X+Y
  400. */
  401. if (BN_is_one(D)) {
  402. if (!BN_add(tmp, X, Y))
  403. goto err;
  404. } else {
  405. if (BN_is_word(D, 2)) {
  406. if (!BN_lshift1(tmp, X))
  407. goto err;
  408. } else if (BN_is_word(D, 4)) {
  409. if (!BN_lshift(tmp, X, 2))
  410. goto err;
  411. } else if (D->top == 1) {
  412. if (!BN_copy(tmp, X))
  413. goto err;
  414. if (!BN_mul_word(tmp, D->d[0]))
  415. goto err;
  416. } else {
  417. if (!BN_mul(tmp, D, X, ctx))
  418. goto err;
  419. }
  420. if (!BN_add(tmp, tmp, Y))
  421. goto err;
  422. }
  423. M = Y; /* keep the BIGNUM object, the value does not matter */
  424. Y = X;
  425. X = tmp;
  426. sign = -sign;
  427. }
  428. }
  429. /*-
  430. * The while loop (Euclid's algorithm) ends when
  431. * A == gcd(a,n);
  432. * we have
  433. * sign*Y*a == A (mod |n|),
  434. * where Y is non-negative.
  435. */
  436. if (sign < 0) {
  437. if (!BN_sub(Y, n, Y))
  438. goto err;
  439. }
  440. /* Now Y*a == A (mod |n|). */
  441. if (BN_is_one(A)) {
  442. /* Y*a == 1 (mod |n|) */
  443. if (!Y->neg && BN_ucmp(Y, n) < 0) {
  444. if (!BN_copy(R, Y))
  445. goto err;
  446. } else {
  447. if (!BN_nnmod(R, Y, n, ctx))
  448. goto err;
  449. }
  450. } else {
  451. *pnoinv = 1;
  452. goto err;
  453. }
  454. ret = R;
  455. err:
  456. if ((ret == NULL) && (in == NULL))
  457. BN_free(R);
  458. BN_CTX_end(ctx);
  459. bn_check_top(ret);
  460. return ret;
  461. }
  462. /* solves ax == 1 (mod n) */
  463. BIGNUM *BN_mod_inverse(BIGNUM *in,
  464. const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
  465. {
  466. BN_CTX *new_ctx = NULL;
  467. BIGNUM *rv;
  468. int noinv = 0;
  469. if (ctx == NULL) {
  470. ctx = new_ctx = BN_CTX_new();
  471. if (ctx == NULL) {
  472. BNerr(BN_F_BN_MOD_INVERSE, ERR_R_MALLOC_FAILURE);
  473. return NULL;
  474. }
  475. }
  476. rv = int_bn_mod_inverse(in, a, n, ctx, &noinv);
  477. if (noinv)
  478. BNerr(BN_F_BN_MOD_INVERSE, BN_R_NO_INVERSE);
  479. BN_CTX_free(new_ctx);
  480. return rv;
  481. }
  482. /*-
  483. * This function is based on the constant-time GCD work by Bernstein and Yang:
  484. * https://eprint.iacr.org/2019/266
  485. * Generalized fast GCD function to allow even inputs.
  486. * The algorithm first finds the shared powers of 2 between
  487. * the inputs, and removes them, reducing at least one of the
  488. * inputs to an odd value. Then it proceeds to calculate the GCD.
  489. * Before returning the resulting GCD, we take care of adding
  490. * back the powers of two removed at the beginning.
  491. * Note 1: we assume the bit length of both inputs is public information,
  492. * since access to top potentially leaks this information.
  493. */
  494. int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx)
  495. {
  496. BIGNUM *g, *temp = NULL;
  497. BN_ULONG mask = 0;
  498. int i, j, top, rlen, glen, m, bit = 1, delta = 1, cond = 0, shifts = 0, ret = 0;
  499. /* Note 2: zero input corner cases are not constant-time since they are
  500. * handled immediately. An attacker can run an attack under this
  501. * assumption without the need of side-channel information. */
  502. if (BN_is_zero(in_b)) {
  503. ret = BN_copy(r, in_a) != NULL;
  504. r->neg = 0;
  505. return ret;
  506. }
  507. if (BN_is_zero(in_a)) {
  508. ret = BN_copy(r, in_b) != NULL;
  509. r->neg = 0;
  510. return ret;
  511. }
  512. bn_check_top(in_a);
  513. bn_check_top(in_b);
  514. BN_CTX_start(ctx);
  515. temp = BN_CTX_get(ctx);
  516. g = BN_CTX_get(ctx);
  517. /* make r != 0, g != 0 even, so BN_rshift is not a potential nop */
  518. if (g == NULL
  519. || !BN_lshift1(g, in_b)
  520. || !BN_lshift1(r, in_a))
  521. goto err;
  522. /* find shared powers of two, i.e. "shifts" >= 1 */
  523. for (i = 0; i < r->dmax && i < g->dmax; i++) {
  524. mask = ~(r->d[i] | g->d[i]);
  525. for (j = 0; j < BN_BITS2; j++) {
  526. bit &= mask;
  527. shifts += bit;
  528. mask >>= 1;
  529. }
  530. }
  531. /* subtract shared powers of two; shifts >= 1 */
  532. if (!BN_rshift(r, r, shifts)
  533. || !BN_rshift(g, g, shifts))
  534. goto err;
  535. /* expand to biggest nword, with room for a possible extra word */
  536. top = 1 + ((r->top >= g->top) ? r->top : g->top);
  537. if (bn_wexpand(r, top) == NULL
  538. || bn_wexpand(g, top) == NULL
  539. || bn_wexpand(temp, top) == NULL)
  540. goto err;
  541. /* re arrange inputs s.t. r is odd */
  542. BN_consttime_swap((~r->d[0]) & 1, r, g, top);
  543. /* compute the number of iterations */
  544. rlen = BN_num_bits(r);
  545. glen = BN_num_bits(g);
  546. m = 4 + 3 * ((rlen >= glen) ? rlen : glen);
  547. for (i = 0; i < m; i++) {
  548. /* conditionally flip signs if delta is positive and g is odd */
  549. cond = (-delta >> (8 * sizeof(delta) - 1)) & g->d[0] & 1
  550. /* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */
  551. & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1)));
  552. delta = (-cond & -delta) | ((cond - 1) & delta);
  553. r->neg ^= cond;
  554. /* swap */
  555. BN_consttime_swap(cond, r, g, top);
  556. /* elimination step */
  557. delta++;
  558. if (!BN_add(temp, g, r))
  559. goto err;
  560. BN_consttime_swap(g->d[0] & 1 /* g is odd */
  561. /* make sure g->top > 0 (i.e. if top == 0 then g == 0 always) */
  562. & (~((g->top - 1) >> (sizeof(g->top) * 8 - 1))),
  563. g, temp, top);
  564. if (!BN_rshift1(g, g))
  565. goto err;
  566. }
  567. /* remove possible negative sign */
  568. r->neg = 0;
  569. /* add powers of 2 removed, then correct the artificial shift */
  570. if (!BN_lshift(r, r, shifts)
  571. || !BN_rshift1(r, r))
  572. goto err;
  573. ret = 1;
  574. err:
  575. BN_CTX_end(ctx);
  576. bn_check_top(r);
  577. return ret;
  578. }