6052766189

Committed 01 Sep 2023 06:22PM UTC coverage: 91.715% (+0.004%) from 91.711%

Build # 6052766189

Build Type

Pull #3686

github

Committed by

web-flow

Commit Message

Merge e5329a91e into 560aec3a8

Pull Request Pull Request #3686: Add a S390x CI build

Run Details

78585 of 85684 relevant lines covered (91.71%)

8525653.79 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

97.12

/src/lib/pubkey/mce/gf2m_rootfind_dcmp.cpp

/*
 * (C) 2014 cryptosource GmbH
 * (C) 2014 Falko Strenzke fstrenzke@cryptosource.de
 *
 * Botan is released under the Simplified BSD License (see license.txt)
 *
 */

#include <botan/internal/polyn_gf2m.h>

#include <botan/exceptn.h>
#include <botan/internal/bit_ops.h>
#include <botan/internal/code_based_util.h>

namespace Botan {

namespace {

void patch_root_array(gf2m res_root_arr[], size_t res_root_arr_len, size_t root_pos) {
   volatile gf2m patch_elem = 0x01;
   volatile gf2m cond_mask = (root_pos == res_root_arr_len);
   cond_mask = expand_mask_16bit(cond_mask);
   cond_mask = ~cond_mask; /* now cond = 1 if not enough roots */
   patch_elem = patch_elem & cond_mask;
   for(size_t i = 0; i < res_root_arr_len; i++) {
      patch_elem = patch_elem + 1;
      gf2m masked_patch_elem = patch_elem & cond_mask;
      res_root_arr[i] ^= masked_patch_elem++;
   }
}

class gf2m_decomp_rootfind_state {
   public:
      gf2m_decomp_rootfind_state(const polyn_gf2m& p_polyn, size_t code_length);

      void calc_LiK(const polyn_gf2m& sigma);
      gf2m calc_Fxj_j_neq_0(const polyn_gf2m& sigma, gf2m j_gray);
      void calc_next_Aij();
      void calc_Ai_zero(const polyn_gf2m& sigma);
      secure_vector<gf2m> find_roots(const polyn_gf2m& sigma);

   private:
      size_t m_code_length;
      secure_vector<gf2m> m_Lik;  // size is outer_summands * m
      secure_vector<gf2m> m_Aij;  // ...
      uint32_t m_outer_summands;
      gf2m m_j;
      gf2m m_j_gray;
      gf2m m_sigma_3_l;
      gf2m m_sigma_3_neq_0_mask;
};

/**
* calculates ceil((t-4)/5) = outer_summands - 1
*/
uint32_t brootf_decomp_calc_sum_limit(uint32_t t) {
   uint32_t result;
   if(t < 4) {
      return 0;
   }
   result = t - 4;
   result += 4;
   result /= 5;
   return result;
}

gf2m_decomp_rootfind_state::gf2m_decomp_rootfind_state(const polyn_gf2m& polyn, size_t code_length) :
      m_code_length(code_length), m_j(0), m_j_gray(0) {
   gf2m coeff_3;
   gf2m coeff_head;
   std::shared_ptr<GF2m_Field> sp_field = polyn.get_sp_field();
   int deg_sigma = polyn.get_degree();
   if(deg_sigma <= 3) {
      throw Internal_Error("Unexpected degree in gf2m_decomp_rootfind_state");
   }

   coeff_3 = polyn.get_coef(3);
   coeff_head = polyn.get_coef(deg_sigma); /* dummy value for SCA CM */
   if(coeff_3 != 0) {
      this->m_sigma_3_l = sp_field->gf_l_from_n(coeff_3);
      this->m_sigma_3_neq_0_mask = 0xFFFF;
   } else {
      // dummy value needed for timing countermeasure
      this->m_sigma_3_l = sp_field->gf_l_from_n(coeff_head);
      this->m_sigma_3_neq_0_mask = 0;
   }

   this->m_outer_summands = 1 + brootf_decomp_calc_sum_limit(deg_sigma);
   this->m_Lik.resize(this->m_outer_summands * sp_field->get_extension_degree());
   this->m_Aij.resize(this->m_outer_summands);
}

void gf2m_decomp_rootfind_state::calc_Ai_zero(const polyn_gf2m& sigma) {
   uint32_t i;
   /*
   * this function assumes this the first gray code element is zero
   */
   for(i = 0; i < this->m_outer_summands; i++) {
      this->m_Aij[i] = sigma.get_coef(5 * i);
   }
   this->m_j = 0;
   this->m_j_gray = 0;
}

void gf2m_decomp_rootfind_state::calc_next_Aij() {
   /*
   * upon function entry, we have in the state j, Aij.
   * first thing, we declare Aij Aij_minusone and increase j.
   * Case j=0 upon function entry also included, then Aij contains A_{i,j=0}.
   */
   uint32_t i;
   gf2m diff, new_j_gray;
   uint32_t Lik_pos_base;

   this->m_j++;

   new_j_gray = lex_to_gray(this->m_j);

   if(this->m_j & 1) /* half of the times */
   {
      Lik_pos_base = 0;
   } else if(this->m_j & 2) /* one quarter of the times */
   {
      Lik_pos_base = this->m_outer_summands;
   } else if(this->m_j & 4) /* one eighth of the times */
   {
      Lik_pos_base = this->m_outer_summands * 2;
   } else if(this->m_j & 8) /* one sixteenth of the times */
   {
      Lik_pos_base = this->m_outer_summands * 3;
   } else if(this->m_j & 16) /* ... */
   {
      Lik_pos_base = this->m_outer_summands * 4;
   } else {
      gf2m delta_offs = 5;
      diff = this->m_j_gray ^ new_j_gray;
      while(((static_cast<gf2m>(1) << delta_offs) & diff) == 0) {
         delta_offs++;
      }
      Lik_pos_base = delta_offs * this->m_outer_summands;
   }
   this->m_j_gray = new_j_gray;

   i = 0;
   for(; i < this->m_outer_summands; i++) {
      this->m_Aij[i] ^= this->m_Lik[Lik_pos_base + i];
   }
}

void gf2m_decomp_rootfind_state::calc_LiK(const polyn_gf2m& sigma) {
   std::shared_ptr<GF2m_Field> sp_field = sigma.get_sp_field();
   uint32_t i, k, d;
   d = sigma.get_degree();
   for(k = 0; k < sp_field->get_extension_degree(); k++) {
      uint32_t Lik_pos_base = k * this->m_outer_summands;
      gf2m alpha_l_k_tt2_ttj[4];
      alpha_l_k_tt2_ttj[0] = sp_field->gf_l_from_n(static_cast<gf2m>(1) << k);
      alpha_l_k_tt2_ttj[1] = sp_field->gf_mul_rrr(alpha_l_k_tt2_ttj[0], alpha_l_k_tt2_ttj[0]);
      alpha_l_k_tt2_ttj[2] = sp_field->gf_mul_rrr(alpha_l_k_tt2_ttj[1], alpha_l_k_tt2_ttj[1]);

      alpha_l_k_tt2_ttj[3] = sp_field->gf_mul_rrr(alpha_l_k_tt2_ttj[2], alpha_l_k_tt2_ttj[2]);
      for(i = 0; i < this->m_outer_summands; i++) {
         uint32_t j;
         uint32_t five_i = 5 * i;
         uint32_t Lik_pos = Lik_pos_base + i;
         this->m_Lik[Lik_pos] = 0;
         for(j = 0; j <= 3; j++) {
            gf2m f, x;
            uint32_t f_ind = five_i + (static_cast<uint32_t>(1) << j);
            if(f_ind > d) {
               break;
            }
            f = sigma.get_coef(f_ind);

            x = sp_field->gf_mul_zrz(alpha_l_k_tt2_ttj[j], f);
            this->m_Lik[Lik_pos] ^= x;
         }
      }
   }
}

gf2m gf2m_decomp_rootfind_state::calc_Fxj_j_neq_0(const polyn_gf2m& sigma, gf2m j_gray) {
   //needs the A_{ij} to compute F(x)_j
   gf2m sum = 0;
   uint32_t i;
   std::shared_ptr<GF2m_Field> sp_field = sigma.get_sp_field();
   const gf2m jl_gray = sp_field->gf_l_from_n(j_gray);
   gf2m xl_j_tt_5 = sp_field->gf_square_rr(jl_gray);
   gf2m xl_gray_tt_3 = sp_field->gf_mul_rrr(xl_j_tt_5, jl_gray);
   xl_j_tt_5 = sp_field->gf_mul_rrr(xl_j_tt_5, xl_gray_tt_3);

   sum = sp_field->gf_mul_nrr(xl_gray_tt_3, this->m_sigma_3_l);
   sum &= this->m_sigma_3_neq_0_mask;
   /* here, we rely on compiler to be unable to optimize
   * for the state->sigma_3_neq_0_mask value
   */
   /* treat i = 0 special: */
   sum ^= this->m_Aij[0];
   /* treat i = 1 special also */

   if(this->m_outer_summands > 1) {
      gf2m x;
      x = sp_field->gf_mul_zrz(xl_j_tt_5, this->m_Aij[1]); /* x_j^{5i} A_i^j */
      sum ^= x;
   }

   gf2m xl_j_tt_5i = xl_j_tt_5;

   for(i = 2; i < this->m_outer_summands; i++) {
      gf2m x;
      xl_j_tt_5i = sp_field->gf_mul_rrr(xl_j_tt_5i, xl_j_tt_5);
      // now x_j_tt_5i lives up to its name
      x = sp_field->gf_mul_zrz(xl_j_tt_5i, this->m_Aij[i]); /* x_j^{5i} A_i^(j) */
      sum ^= x;
   }
   return sum;
}

secure_vector<gf2m> gf2m_decomp_rootfind_state::find_roots(const polyn_gf2m& sigma) {
   const int sigma_degree = sigma.get_degree();
   BOTAN_ASSERT(sigma_degree > 0, "Valid sigma");
   secure_vector<gf2m> result(sigma_degree);
   uint32_t root_pos = 0;

   this->calc_Ai_zero(sigma);
   this->calc_LiK(sigma);
   for(;;) {
      gf2m eval_result;

      if(this->m_j_gray == 0) {
         eval_result = sigma.get_coef(0);
      } else {
         eval_result = this->calc_Fxj_j_neq_0(sigma, this->m_j_gray);
      }

      if(eval_result == 0) {
         result[root_pos] = this->m_j_gray;
         root_pos++;
      }

      if(this->m_j + static_cast<uint32_t>(1) == m_code_length) {
         break;
      }
      this->calc_next_Aij();
   }

   // side channel / fault attack countermeasure:
   patch_root_array(result.data(), result.size(), root_pos);
   return result;
}

}  // end anonymous namespace

secure_vector<gf2m> find_roots_gf2m_decomp(const polyn_gf2m& polyn, size_t code_length) {
   gf2m_decomp_rootfind_state state(polyn, code_length);
   return state.find_roots(polyn);
}

}  // end namespace Botan

1	/*
2	* (C) 2014 cryptosource GmbH
3	* (C) 2014 Falko Strenzke fstrenzke@cryptosource.de
4	*
5	* Botan is released under the Simplified BSD License (see license.txt)
6	*
7	*/
8
9	#include <botan/internal/polyn_gf2m.h>
10
11	#include <botan/exceptn.h>
12	#include <botan/internal/bit_ops.h>
13	#include <botan/internal/code_based_util.h>
14
15	namespace Botan {
16
17	namespace {
18
19	void patch_root_array(gf2m res_root_arr[], size_t res_root_arr_len, size_t root_pos) {	2,646✔
20	volatile gf2m patch_elem = 0x01;	2,646✔
21	volatile gf2m cond_mask = (root_pos == res_root_arr_len);	2,646✔
22	cond_mask = expand_mask_16bit(cond_mask);	2,646✔
23	cond_mask = ~cond_mask; /* now cond = 1 if not enough roots */	2,646✔
24	patch_elem = patch_elem & cond_mask;	2,646✔
25	for(size_t i = 0; i < res_root_arr_len; i++) {	84,285✔
26	patch_elem = patch_elem + 1;	81,639✔
27	gf2m masked_patch_elem = patch_elem & cond_mask;	81,639✔
28	res_root_arr[i] ^= masked_patch_elem++;	81,639✔
29	}
30	}	2,646✔
31
32	class gf2m_decomp_rootfind_state {
33	public:
34	gf2m_decomp_rootfind_state(const polyn_gf2m& p_polyn, size_t code_length);
35
36	void calc_LiK(const polyn_gf2m& sigma);
37	gf2m calc_Fxj_j_neq_0(const polyn_gf2m& sigma, gf2m j_gray);
38	void calc_next_Aij();
39	void calc_Ai_zero(const polyn_gf2m& sigma);
40	secure_vector<gf2m> find_roots(const polyn_gf2m& sigma);
41
42	private:
43	size_t m_code_length;
44	secure_vector<gf2m> m_Lik; // size is outer_summands * m
45	secure_vector<gf2m> m_Aij; // ...
46	uint32_t m_outer_summands;
47	gf2m m_j;
48	gf2m m_j_gray;
49	gf2m m_sigma_3_l;
50	gf2m m_sigma_3_neq_0_mask;
51	};
52
53	/**
54	* calculates ceil((t-4)/5) = outer_summands - 1
55	*/
56	uint32_t brootf_decomp_calc_sum_limit(uint32_t t) {	2,646✔
57	uint32_t result;	2,646✔
58	if(t < 4) {	2,646✔
59	return 0;
60	}
61	result = t - 4;	2,646✔
62	result += 4;	2,646✔
63	result /= 5;	2,646✔
64	return result;	2,646✔
65	}
66
67	gf2m_decomp_rootfind_state::gf2m_decomp_rootfind_state(const polyn_gf2m& polyn, size_t code_length) :	2,646✔
68	m_code_length(code_length), m_j(0), m_j_gray(0) {	2,646✔
69	gf2m coeff_3;	2,646✔
70	gf2m coeff_head;	2,646✔
71	std::shared_ptr<GF2m_Field> sp_field = polyn.get_sp_field();	2,646✔
72	int deg_sigma = polyn.get_degree();	2,646✔
73	if(deg_sigma <= 3) {	2,646✔
74	throw Internal_Error("Unexpected degree in gf2m_decomp_rootfind_state");	×
75	}
76
77	coeff_3 = polyn.get_coef(3);	2,646✔
78	coeff_head = polyn.get_coef(deg_sigma); /* dummy value for SCA CM */	2,646✔
79	if(coeff_3 != 0) {	2,646✔
80	this->m_sigma_3_l = sp_field->gf_l_from_n(coeff_3);	2,646✔
81	this->m_sigma_3_neq_0_mask = 0xFFFF;	2,646✔
82	} else {
83	// dummy value needed for timing countermeasure
84	this->m_sigma_3_l = sp_field->gf_l_from_n(coeff_head);	×
85	this->m_sigma_3_neq_0_mask = 0;	×
86	}
87
88	this->m_outer_summands = 1 + brootf_decomp_calc_sum_limit(deg_sigma);	2,646✔
89	this->m_Lik.resize(this->m_outer_summands * sp_field->get_extension_degree());	2,646✔
90	this->m_Aij.resize(this->m_outer_summands);	2,646✔
91	}	2,646✔
92
93	void gf2m_decomp_rootfind_state::calc_Ai_zero(const polyn_gf2m& sigma) {	2,646✔
94	uint32_t i;	2,646✔
95	/*
96	* this function assumes this the first gray code element is zero
97	*/
98	for(i = 0; i < this->m_outer_summands; i++) {	20,607✔
99	this->m_Aij[i] = sigma.get_coef(5 * i);	17,961✔
100	}
101	this->m_j = 0;	2,646✔
102	this->m_j_gray = 0;	2,646✔
103	}
104
105	void gf2m_decomp_rootfind_state::calc_next_Aij() {	3,628,234✔
106	/*
107	* upon function entry, we have in the state j, Aij.
108	* first thing, we declare Aij Aij_minusone and increase j.
109	* Case j=0 upon function entry also included, then Aij contains A_{i,j=0}.
110	*/
111	uint32_t i;	3,628,234✔
112	gf2m diff, new_j_gray;	3,628,234✔
113	uint32_t Lik_pos_base;	3,628,234✔
114
115	this->m_j++;	3,628,234✔
116
117	new_j_gray = lex_to_gray(this->m_j);	3,628,234✔
118
119	if(this->m_j & 1) /* half of the times */	3,628,234✔
120	{
121	Lik_pos_base = 0;
122	} else if(this->m_j & 2) /* one quarter of the times */	1,812,794✔
123	{
124	Lik_pos_base = this->m_outer_summands;	907,720✔
125	} else if(this->m_j & 4) /* one eighth of the times */	905,074✔
126	{
127	Lik_pos_base = this->m_outer_summands * 2;	453,860✔
128	} else if(this->m_j & 8) /* one sixteenth of the times */	451,214✔
129	{
130	Lik_pos_base = this->m_outer_summands * 3;	226,930✔
131	} else if(this->m_j & 16) /* ... */	224,284✔
132	{
133	Lik_pos_base = this->m_outer_summands * 4;	113,461✔
134	} else {
135	gf2m delta_offs = 5;	110,823✔
136	diff = this->m_j_gray ^ new_j_gray;	110,823✔
137	while(((static_cast<gf2m>(1) << delta_offs) & diff) == 0) {	209,453✔
138	delta_offs++;	98,630✔
139	}
140	Lik_pos_base = delta_offs * this->m_outer_summands;	110,823✔
141	}
142	this->m_j_gray = new_j_gray;	3,628,234✔
143
144	i = 0;	3,628,234✔
145	for(; i < this->m_outer_summands; i++) {	49,049,121✔
146	this->m_Aij[i] ^= this->m_Lik[Lik_pos_base + i];	45,420,887✔
147	}
148	}	3,628,234✔
149
150	void gf2m_decomp_rootfind_state::calc_LiK(const polyn_gf2m& sigma) {	2,646✔
151	std::shared_ptr<GF2m_Field> sp_field = sigma.get_sp_field();	2,646✔
152	uint32_t i, k, d;	2,646✔
153	d = sigma.get_degree();	2,646✔
154	for(k = 0; k < sp_field->get_extension_degree(); k++) {	28,666✔
155	uint32_t Lik_pos_base = k * this->m_outer_summands;	26,020✔
156	gf2m alpha_l_k_tt2_ttj[4];	26,020✔
157	alpha_l_k_tt2_ttj[0] = sp_field->gf_l_from_n(static_cast<gf2m>(1) << k);	26,020✔
158	alpha_l_k_tt2_ttj[1] = sp_field->gf_mul_rrr(alpha_l_k_tt2_ttj[0], alpha_l_k_tt2_ttj[0]);	26,020✔
159	alpha_l_k_tt2_ttj[2] = sp_field->gf_mul_rrr(alpha_l_k_tt2_ttj[1], alpha_l_k_tt2_ttj[1]);	26,020✔
160
161	alpha_l_k_tt2_ttj[3] = sp_field->gf_mul_rrr(alpha_l_k_tt2_ttj[2], alpha_l_k_tt2_ttj[2]);	26,020✔
162	for(i = 0; i < this->m_outer_summands; i++) {	218,166✔
163	uint32_t j;	192,146✔
164	uint32_t five_i = 5 * i;	192,146✔
165	uint32_t Lik_pos = Lik_pos_base + i;	192,146✔
166	this->m_Lik[Lik_pos] = 0;	192,146✔
167	for(j = 0; j <= 3; j++) {	880,390✔
168	gf2m f, x;	730,198✔
169	uint32_t f_ind = five_i + (static_cast<uint32_t>(1) << j);	730,198✔
170	if(f_ind > d) {	730,198✔
171	break;
172	}
173	f = sigma.get_coef(f_ind);	688,244✔
174
175	x = sp_field->gf_mul_zrz(alpha_l_k_tt2_ttj[j], f);	688,244✔
176	this->m_Lik[Lik_pos] ^= x;	688,244✔
177	}
178	}
179	}
180	}	2,646✔
181
182	gf2m gf2m_decomp_rootfind_state::calc_Fxj_j_neq_0(const polyn_gf2m& sigma, gf2m j_gray) {	3,628,234✔
183	//needs the A_{ij} to compute F(x)_j
184	gf2m sum = 0;	3,628,234✔
185	uint32_t i;	3,628,234✔
186	std::shared_ptr<GF2m_Field> sp_field = sigma.get_sp_field();	3,628,234✔
187	const gf2m jl_gray = sp_field->gf_l_from_n(j_gray);	3,628,234✔
188	gf2m xl_j_tt_5 = sp_field->gf_square_rr(jl_gray);	3,628,234✔
189	gf2m xl_gray_tt_3 = sp_field->gf_mul_rrr(xl_j_tt_5, jl_gray);	3,628,234✔
190	xl_j_tt_5 = sp_field->gf_mul_rrr(xl_j_tt_5, xl_gray_tt_3);	3,628,234✔
191
192	sum = sp_field->gf_mul_nrr(xl_gray_tt_3, this->m_sigma_3_l);	3,628,234✔
193	sum &= this->m_sigma_3_neq_0_mask;	3,628,234✔
194	/* here, we rely on compiler to be unable to optimize
195	* for the state->sigma_3_neq_0_mask value
196	*/
197	/* treat i = 0 special: */
198	sum ^= this->m_Aij[0];	3,628,234✔
199	/* treat i = 1 special also */
200
201	if(this->m_outer_summands > 1) {	3,628,234✔
202	gf2m x;	3,628,234✔
203	x = sp_field->gf_mul_zrz(xl_j_tt_5, this->m_Aij[1]); /* x_j^{5i} A_i^j */	3,628,234✔
204	sum ^= x;	3,628,234✔
205	}
206
207	gf2m xl_j_tt_5i = xl_j_tt_5;
208
209	for(i = 2; i < this->m_outer_summands; i++) {	41,792,653✔
210	gf2m x;	38,164,419✔
211	xl_j_tt_5i = sp_field->gf_mul_rrr(xl_j_tt_5i, xl_j_tt_5);	38,164,419✔
212	// now x_j_tt_5i lives up to its name
213	x = sp_field->gf_mul_zrz(xl_j_tt_5i, this->m_Aij[i]); /* x_j^{5i} A_i^(j) */	38,164,419✔
214	sum ^= x;	38,164,419✔
215	}
216	return sum;	3,628,234✔
217	}	3,628,234✔
218
219	secure_vector<gf2m> gf2m_decomp_rootfind_state::find_roots(const polyn_gf2m& sigma) {	2,646✔
220	const int sigma_degree = sigma.get_degree();	2,646✔
221	BOTAN_ASSERT(sigma_degree > 0, "Valid sigma");	2,646✔
222	secure_vector<gf2m> result(sigma_degree);	2,646✔
223	uint32_t root_pos = 0;	2,646✔
224
225	this->calc_Ai_zero(sigma);	2,646✔
226	this->calc_LiK(sigma);	2,646✔
227	for(;;) {	7,259,114✔
228	gf2m eval_result;	3,630,880✔
229
230	if(this->m_j_gray == 0) {	3,630,880✔
231	eval_result = sigma.get_coef(0);	2,646✔
232	} else {
233	eval_result = this->calc_Fxj_j_neq_0(sigma, this->m_j_gray);	3,628,234✔
234	}
235
236	if(eval_result == 0) {	3,630,880✔
237	result[root_pos] = this->m_j_gray;	81,639✔
238	root_pos++;	81,639✔
239	}
240
241	if(this->m_j + static_cast<uint32_t>(1) == m_code_length) {	3,630,880✔
242	break;
243	}
244	this->calc_next_Aij();	3,628,234✔
245	}	3,628,234✔
246
247	// side channel / fault attack countermeasure:
248	patch_root_array(result.data(), result.size(), root_pos);	2,646✔
249	return result;	2,646✔
250	}	×
251
252	} // end anonymous namespace
253
254	secure_vector<gf2m> find_roots_gf2m_decomp(const polyn_gf2m& polyn, size_t code_length) {	2,646✔
255	gf2m_decomp_rootfind_state state(polyn, code_length);	2,646✔
256	return state.find_roots(polyn);	5,292✔
257	}	2,646✔
258
259	} // end namespace Botan

randombit / botan / 6052766189

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous