Lookuptable mont entries (#273)

* Add support for montgomery entries in the lookup table.

* Add functions to move to and from montgomery form.

Co-authored-by: Jeff <[email protected]>

Author: jeffspel-crypto

src/electionguard/facades/Hacl_Bignum4096.cpp

@@ -1,6 +1,7 @@
 #include "Hacl_Bignum4096.hpp"
 
 #include "../../karamel/Hacl_Bignum4096.h"
+#include "../../karamel/Hacl_GenericField64.h"
 #include "../log.hpp"
 
 using electionguard::Log;
@@ -80,6 +81,21 @@ namespace hacl
         return Hacl_Bignum4096_mod_exp_vartime_precomp(context.get(), a, bBits, b, res);
     }
 
+    void Bignum4096::to_montgomery_form(uint64_t *a, uint64_t *aM) const
+    {
+        Hacl_GenericField64_to_field(context.get(), a, aM);
+    }
+
+    void Bignum4096::from_montgomery_form(uint64_t *aM, uint64_t *a) const
+    {
+        Hacl_GenericField64_from_field(context.get(), aM, a);
+    }
+
+    void Bignum4096::montgomery_mod_mul_stay_in_mont_form(uint64_t *aM, uint64_t *bM, uint64_t *cM) const
+    {
+        Hacl_GenericField64_mul(context.get(), aM, bM, cM);
+    }
+
     const Bignum4096 &CONTEXT_P()
     {
         static Bignum4096 instance{const_cast<uint64_t *>(P_ARRAY_REVERSE)};

src/electionguard/facades/Hacl_Bignum4096.hpp

@@ -54,6 +54,13 @@ namespace hacl
         void modExp(uint64_t *a, uint32_t bBits, uint64_t *b, uint64_t *res,
                     bool useConstTime = false) const;
 
+        void to_montgomery_form(uint64_t *a, uint64_t *aM) const;
+
+        void from_montgomery_form(uint64_t *aM, uint64_t *a) const;
+
+        void montgomery_mod_mul_stay_in_mont_form(uint64_t *aM, uint64_t *bM,
+                                                         uint64_t *cM) const;
+
       private:
         struct handle_destructor {
             void operator()(Hacl_Bignum_MontArithmetic_bn_mont_ctx_u64 *handle) const

src/electionguard/lookup_table.hpp

@@ -53,9 +53,14 @@ namespace electionguard
         /// </summary>
         std::vector<uint64_t> pow_mod_p(uint64_t (&exponent)[MAX_Q_LEN]) const
         {
-            uint64_t result[MAX_P_LEN] = {1UL};
+            uint64_t montgomery_result[MAX_P_LEN] = {};
+            uint64_t result[MAX_P_LEN] = {};
             uint8_t exponentBytes[MAX_Q_SIZE] = {};
 
+            // copy the 1 in montgomery form into montgomery_result to start
+            copy((uint64_t *)one_in_montgomery_form, (uint64_t *)one_in_montgomery_form + MAX_P_LEN,
+                 montgomery_result);
+
             // convert the bignum to byte array
             // which aligns with the k window size
             Bignum256::toBytes(static_cast<uint64_t *>(exponent),
@@ -73,9 +78,13 @@ namespace electionguard
                     continue;
                 }
 
-                mul_mod_p(result, const_cast<uint64_t *>(_lookupTable[i][slice]), result);
+                mul_mod_p_mont(montgomery_result, const_cast<uint64_t *>(_lookupTable[i][slice]),
+                          montgomery_result);
             }
 
+            // convert from montogomery form
+            CONTEXT_P().from_montgomery_form(montgomery_result, result);
+
             // wrap in a vector for convenience
             std::vector<uint64_t> vec(begin(result), end(result));
             return vec;
@@ -91,31 +100,38 @@ namespace electionguard
 
             uint64_t row_base[MAX_P_LEN] = {};
             uint64_t running_base[MAX_P_LEN] = {};
+            uint64_t one[MAX_P_LEN] = {1UL};
+
+
+            // convert base to montgomery form
+            CONTEXT_P().to_montgomery_form(base, row_base);
 
             // assign initial values
-            copy(base, base + len, row_base);
-            copy(base, base + len, running_base);
+            copy(row_base, row_base + len, running_base);
 
             // iterate over each m-row in the table
             for (uint64_t i = 0; i < TableLength; i++) {
                 // iterate over each b-bit and compute the table values
                 for (uint64_t j = 1; j < OrderBits; j++) {
                     copy(begin(running_base), end(running_base), begin(_lookupTable[i][j]));
-                    mul_mod_p(running_base, row_base, running_base);
+                    mul_mod_p_mont(running_base, row_base, running_base);
                 }
                 copy(begin(running_base), end(running_base), begin(row_base));
             }
+
+            // also convert 1 to montgomery form and store it because we use it to
+            // start every table based exponentiation and there is no point in
+            // computing it each time
+            CONTEXT_P().to_montgomery_form(one, one_in_montgomery_form);
         }
 
-        void mul_mod_p(uint64_t *lhs, uint64_t *rhs, uint64_t *res) const
+        void mul_mod_p_mont(uint64_t *lhs, uint64_t *rhs, uint64_t *res) const
         {
-            uint64_t mulResult[MAX_P_LEN_DOUBLE] = {};
-            Bignum4096::mul(lhs, rhs, static_cast<uint64_t *>(mulResult));
-            CONTEXT_P().mod(static_cast<uint64_t *>(mulResult), res);
+            CONTEXT_P().montgomery_mod_mul_stay_in_mont_form(lhs, rhs, res);
         }
-
       private:
         FixedBaseTable _lookupTable = {};
+        uint64_t one_in_montgomery_form[MAX_P_LEN] = {};
     };
 
     typedef LookupTable<LUT_WINDOW_SIZE, LUT_ORDER_BITS, LUT_TABLE_LENGTH> LookupTableType;