SAKKE perf. opts.

Author: peterdettman

core/src/main/java/org/bouncycastle/crypto/kems/SAKKEKEMExtractor.java

@@ -6,6 +6,7 @@
 import org.bouncycastle.crypto.EncapsulatedSecretExtractor;
 import org.bouncycastle.crypto.params.SAKKEPrivateKeyParameters;
 import org.bouncycastle.crypto.params.SAKKEPublicKeyParameters;
+import org.bouncycastle.math.ec.ECAlgorithms;
 import org.bouncycastle.math.ec.ECCurve;
 import org.bouncycastle.math.ec.ECPoint;
 import org.bouncycastle.util.Arrays;
@@ -93,9 +94,22 @@ public byte[] extractSecret(byte[] encapsulation)
         BigInteger r = SAKKEKEMSGenerator.hashToIntegerRange(Arrays.concatenate(ssv.toByteArray(), b.toByteArray()), q, digest);
 
         // Step 5: Validate R_bS
-        ECPoint bP = P.multiply(b).normalize();
-        ECPoint Test = bP.add(Z_S).multiply(r).normalize();
-        if (!R_bS.equals(Test))
+        ECPoint Test;
+
+        BigInteger order = curve.getOrder();
+        if (order == null)
+        {
+            Test = P.multiply(b).add(Z_S).multiply(r);
+        }
+        else
+        {
+            BigInteger a = b.multiply(r).mod(order);
+            Test = ECAlgorithms.sumOfTwoMultiplies(P, a, Z_S, r);
+        }
+
+        Test = Test.subtract(R_bS);
+
+        if (!Test.isInfinity())
         {
             throw new IllegalStateException("Validation of R_bS failed");
         }
@@ -122,7 +136,7 @@ public int getEncapsulationLength()
     static BigInteger computePairing(ECPoint R, ECPoint Q, BigInteger p, BigInteger q)
     {
         // v = (1,0) in F_p^2
-        BigInteger[] v = new BigInteger[]{BigInteger.ONE, BigInteger.ZERO};
+        BigInteger[] v = new BigInteger[]{ BigInteger.ONE, BigInteger.ZERO };
         ECPoint C = R;
 
         BigInteger qMinusOne = q.subtract(BigInteger.ONE);
@@ -131,23 +145,21 @@ static BigInteger computePairing(ECPoint R, ECPoint Q, BigInteger p, BigInteger
         BigInteger Qy = Q.getAffineYCoord().toBigInteger();
         BigInteger Rx = R.getAffineXCoord().toBigInteger();
         BigInteger Ry = R.getAffineYCoord().toBigInteger();
-        BigInteger l, Cx, Cy;
         final BigInteger three = BigInteger.valueOf(3);
-        final BigInteger two = BigInteger.valueOf(2);
 
         // Miller loop
         for (int i = numBits - 2; i >= 0; i--)
         {
-            Cx = C.getAffineXCoord().toBigInteger();
-            Cy = C.getAffineYCoord().toBigInteger();
+            BigInteger Cx = C.getAffineXCoord().toBigInteger();
+            BigInteger Cy = C.getAffineYCoord().toBigInteger();
 
             // Compute l = (3 * (Cx^2 - 1)) / (2 * Cy) mod p
-            l = three.multiply(Cx.multiply(Cx).subtract(BigInteger.ONE))
-                .multiply(Cy.multiply(two).modInverse(p)).mod(p);
+            BigInteger l = Cx.multiply(Cx).mod(p).subtract(BigInteger.ONE).multiply(three)
+                .multiply(BigIntegers.modOddInverse(p, Cy.shiftLeft(1))).mod(p);
 
             // Compute v = v^2 * ( l*( Q_x + C_x ) + ( i*Q_y - C_y ) )
             v = fp2PointSquare(v[0], v[1], p);
-            v = fp2Multiply(v[0], v[1], l.multiply(Qx.add(Cx)).subtract(Cy), Qy, p);
+            v = fp2Multiply(v[0], v[1], l.multiply(Qx.add(Cx)).subtract(Cy).mod(p), Qy, p);
 
             C = C.twice().normalize();  // C = [2]C
 
@@ -157,55 +169,56 @@ static BigInteger computePairing(ECPoint R, ECPoint Q, BigInteger p, BigInteger
                 Cy = C.getAffineYCoord().toBigInteger();
 
                 // Compute l = (Cy - Ry) / (Cx - Rx) mod p
-                l = Cy.subtract(Ry).multiply(Cx.subtract(Rx).modInverse(p)).mod(p);
+                l = Cy.subtract(Ry).multiply(BigIntegers.modOddInverse(p, Cx.subtract(Rx))).mod(p);
 
                 // Compute v = v * ( l*( Q_x + C_x ) + ( i*Q_y - C_y ) )
-                v = fp2Multiply(v[0], v[1], l.multiply(Qx.add(Cx)).subtract(Cy), Qy, p);
+                v = fp2Multiply(v[0], v[1], l.multiply(Qx.add(Cx)).subtract(Cy).mod(p), Qy, p);
 
-                C = C.add(R).normalize();
+                if (i > 0)
+                {
+                    C = C.add(R).normalize();
+                }
             }
         }
 
         // Final exponentiation: t = v^c
         v = fp2PointSquare(v[0], v[1], p);
         v = fp2PointSquare(v[0], v[1], p);
-        return v[1].multiply(v[0].modInverse(p)).mod(p);
+        BigInteger v0Inv = BigIntegers.modOddInverse(p, v[0]);
+        return v[1].multiply(v0Inv).mod(p);
     }
 
     /**
      * Performs multiplication in F_p^2 field.
      *
-     * @param x_real Real component of first operand
-     * @param x_imag Imaginary component of first operand
-     * @param y_real Real component of second operand
-     * @param y_imag Imaginary component of second operand
+     * @param a0 Real component of first operand
+     * @param b0 Imaginary component of first operand
+     * @param a1 Real component of second operand
+     * @param b1 Imaginary component of second operand
      * @param p      Prime field characteristic
      * @return Result of multiplication in F_p^2 as [real, imaginary] array
      */
-    static BigInteger[] fp2Multiply(BigInteger x_real, BigInteger x_imag, BigInteger y_real, BigInteger y_imag, BigInteger p)
+    static BigInteger[] fp2Multiply(BigInteger a0, BigInteger b0, BigInteger a1, BigInteger b1, BigInteger p)
     {
         return new BigInteger[]{
-            x_real.multiply(y_real).subtract(x_imag.multiply(y_imag)).mod(p),
-            x_real.multiply(y_imag).add(x_imag.multiply(y_real)).mod(p)
+            a0.multiply(a1).subtract(b0.multiply(b1)).mod(p),
+            a0.multiply(b1).add(b0.multiply(a1)).mod(p)
         };
     }
 
     /**
      * Computes squaring operation in F_p^2 field.
      *
-     * @param currentX Real component of input
-     * @param currentY Imaginary component of input
+     * @param a Real component of input
+     * @param b Imaginary component of input
      * @param p        Prime field characteristic
      * @return Squared result in F_p^2 as [newX, newY] array
      */
-    static BigInteger[] fp2PointSquare(BigInteger currentX, BigInteger currentY, BigInteger p)
+    static BigInteger[] fp2PointSquare(BigInteger a, BigInteger b, BigInteger p)
     {
-        BigInteger xPlusY = currentX.add(currentY).mod(p);
-        BigInteger xMinusY = currentX.subtract(currentY).mod(p);
-        BigInteger newX = xPlusY.multiply(xMinusY).mod(p);
-
-        // Compute newY = 2xy mod p
-        BigInteger newY = currentX.multiply(currentY).multiply(BigInteger.valueOf(2)).mod(p);
-        return new BigInteger[]{newX, newY};
+        return new BigInteger[]{
+            a.add(b).multiply(a.subtract(b)).mod(p),
+            a.multiply(b).shiftLeft(1).mod(p)
+        };
     }
 }

core/src/main/java/org/bouncycastle/crypto/kems/SAKKEKEMSGenerator.java

@@ -8,6 +8,7 @@
 import org.bouncycastle.crypto.SecretWithEncapsulation;
 import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
 import org.bouncycastle.crypto.params.SAKKEPublicKeyParameters;
+import org.bouncycastle.math.ec.ECAlgorithms;
 import org.bouncycastle.math.ec.ECCurve;
 import org.bouncycastle.math.ec.ECPoint;
 import org.bouncycastle.util.Arrays;
@@ -85,51 +86,53 @@ public SecretWithEncapsulation generateEncapsulated(AsymmetricKeyParameter recip
 
 
         // 3. Compute R_(b,S) = [r]([b]P + Z_S)
-        ECPoint bP = P.multiply(b).normalize();
-        ECPoint R_bS = bP.add(Z).multiply(r).normalize();
+        ECPoint R_bS;
+
+        BigInteger order = curve.getOrder();
+        if (order == null)
+        {
+            R_bS = P.multiply(b).add(Z).multiply(r).normalize();
+        }
+        else
+        {
+            BigInteger a = b.multiply(r).mod(order);
+            R_bS = ECAlgorithms.sumOfTwoMultiplies(P, a, Z, r).normalize();
+        }
 
         // 4. Compute H = SSV XOR HashToIntegerRange( g^r, 2^n )
         BigInteger pointX = BigInteger.ONE;
         BigInteger pointY = g;
-        BigInteger[] v = new BigInteger[2];
 
         // Initialize result with the original point
-        BigInteger currentX = BigInteger.ONE;
-        BigInteger currentY = g;
-        ECPoint current = curve.createPoint(currentX, currentY);
+        BigInteger v0 = BigInteger.ONE;
+        BigInteger v1 = g;
+        ECPoint current = curve.createPoint(v0, v1);
 
-        int numBits = r.bitLength();
-        BigInteger[] rlt;
         // Process bits from MSB-1 down to 0
-        for (int i = numBits - 2; i >= 0; i--)
+        for (int i = r.bitLength() - 2; i >= 0; i--)
         {
             // Square the current point
-            rlt = SAKKEKEMExtractor.fp2PointSquare(currentX, currentY, p);
+            BigInteger[] rlt = SAKKEKEMExtractor.fp2PointSquare(v0, v1, p);
             current = current.timesPow2(2);
-            currentX = rlt[0];
-            currentY = rlt[1];
+            v0 = rlt[0];
+            v1 = rlt[1];
             // Multiply if bit is set
             if (r.testBit(i))
             {
-                rlt = SAKKEKEMExtractor.fp2Multiply(currentX, currentY, pointX, pointY, p);
+                rlt = SAKKEKEMExtractor.fp2Multiply(v0, v1, pointX, pointY, p);
 
-                currentX = rlt[0];
-                currentY = rlt[1];
+                v0 = rlt[0];
+                v1 = rlt[1];
             }
         }
 
-        v[0] = currentX;
-        v[1] = currentY;
-        BigInteger g_r = v[1].multiply(v[0].modInverse(p)).mod(p);
+        BigInteger v0Inv = BigIntegers.modOddInverse(p, v0);
+        BigInteger g_r = v1.multiply(v0Inv).mod(p);
 
         BigInteger mask = hashToIntegerRange(g_r.toByteArray(), BigInteger.ONE.shiftLeft(n), digest); // 2^n
 
         BigInteger H = ssv.xor(mask);
         // 5. Encode encapsulated data (R_bS, H)
-//        byte[] encapsulated = Arrays.concatenate(new byte[]{(byte)0x04},
-//            BigIntegers.asUnsignedByteArray(n, R_bS.getXCoord().toBigInteger()),
-//            BigIntegers.asUnsignedByteArray(n, R_bS.getYCoord().toBigInteger()),
-//            BigIntegers.asUnsignedByteArray(16, H));
         byte[] encapsulated = Arrays.concatenate(R_bS.getEncoded(false), BigIntegers.asUnsignedByteArray(16, H));
 
         return new SecretWithEncapsulationImpl(
@@ -141,20 +144,21 @@ public SecretWithEncapsulation generateEncapsulated(AsymmetricKeyParameter recip
     static BigInteger hashToIntegerRange(byte[] input, BigInteger q, Digest digest)
     {
         // RFC 6508 Section 5.1: Hashing to an Integer Range
-        byte[] hash = new byte[digest.getDigestSize()];
+        byte[] A = new byte[digest.getDigestSize()];
 
         // Step 1: Compute A = hashfn(s)
         digest.update(input, 0, input.length);
-        digest.doFinal(hash, 0);
-        byte[] A = Arrays.clone(hash);
+        digest.doFinal(A, 0);
 
         // Step 2: Initialize h_0 to all-zero bytes of hashlen size
         byte[] h = new byte[digest.getDigestSize()];
 
         // Step 3: Compute l = Ceiling(lg(n)/hashlen)
+        // FIXME Seems hardcoded to 256 bit digest?
         int l = q.bitLength() >> 8;
 
         BigInteger v = BigInteger.ZERO;
+        byte[] v_i = new byte[digest.getDigestSize()];
 
         // Step 4: Compute h_i and v_i
         for (int i = 0; i <= l; i++)
@@ -165,7 +169,6 @@ static BigInteger hashToIntegerRange(byte[] input, BigInteger q, Digest digest)
             // v_i = hashfn(h_i || A)
             digest.update(h, 0, h.length);
             digest.update(A, 0, A.length);
-            byte[] v_i = new byte[digest.getDigestSize()];
             digest.doFinal(v_i, 0);
             // Append v_i to v'
             v = v.shiftLeft(v_i.length * 8).add(new BigInteger(1, v_i));