Review suggestions from Mike

include/big.h.in

@@ -408,41 +408,41 @@ extern int BIG_XXX_comp(BIG_XXX x,BIG_XXX y);
 	@return -1 is x<y, 0 if x=y, 1 if x>y
  */
 extern int BIG_XXX_dcomp(DBIG_XXX x,DBIG_XXX y);
-/**	@brief Calculate number of bits in a BIG - output normalised
+/**	@brief Calculate number of bits in a BIG - output normalised - leaks log2(x)
  *
 	@param x BIG number
 	@return Number of bits in x
  */
 extern int BIG_XXX_nbits(BIG_XXX x);
-/**	@brief Calculate number of bits in a DBIG - output normalised
+/**	@brief Calculate number of bits in a DBIG - output normalised - leaks log2(x)
  *
 	@param x DBIG number
 	@return Number of bits in x
  */
 extern int BIG_XXX_dnbits(DBIG_XXX x);
-/**	@brief Reduce x mod n - input and output normalised
+/**	@brief Reduce x mod n - input and output normalised - leaks log2(x)-log2(n)
  *
 	Slow but rarely used
 	@param x BIG number to be reduced mod n
 	@param n The modulus
  */
 extern void BIG_XXX_mod(BIG_XXX x,BIG_XXX n);
-/**	@brief Divide x by n - output normalised
+/**	@brief Divide x by n - output normalised - leaks log2(x)-log2(n)
  *
 	Slow but rarely used
 	@param x BIG number to be divided by n
 	@param n The Divisor
  */
 extern void BIG_XXX_sdiv(BIG_XXX x,BIG_XXX n);
-/**	@brief  x=y mod n - output normalised
+/**	@brief  x=y mod n - output normalised - leaks log2(y)-log2(n)
  *
 	Slow but rarely used. y is destroyed.
 	@param x BIG number, on exit = y mod n
 	@param y DBIG number
 	@param n Modulus
  */
 extern void BIG_XXX_dmod(BIG_XXX x,DBIG_XXX y,BIG_XXX n);
-/**	@brief  x=y/n - output normalised
+/**	@brief  x=y/n - output normalised - leaks log2(y)-log2(n)
  *
 	Slow but rarely used. y is destroyed.
 	@param x BIG number, on exit = y/n
@@ -477,7 +477,7 @@ extern int BIG_XXX_lastbits(BIG_XXX x,int n);
 	@param r A pointer to a Cryptographically Secure Random Number Generator
  */
 extern void BIG_XXX_random(BIG_XXX x,csprng *r);
-/**	@brief  Create an unbiased random BIG from a random number generator, reduced with respect to a modulus
+/**	@brief  Create an unbiased random BIG from a random number generator, reduced with respect to a modulus - leaks log2(n)
  *
 	Assumes that the random number generator has been suitably initialised
 	@param x BIG number, on exit a random number
@@ -496,7 +496,7 @@ extern void BIG_XXX_randomnum(BIG_XXX x,BIG_XXX n,csprng *r);
 	return + or - 1, 3 or 5
 */
 
-/**	@brief  Calculate x=y*z mod n
+/**	@brief  Calculate x=y*z mod n - leaks log2(x)-log2(n)
  *
 	Slow method for modular multiplication
 	@param x BIG number, on exit = y*z mod n
@@ -505,7 +505,7 @@ extern void BIG_XXX_randomnum(BIG_XXX x,BIG_XXX n,csprng *r);
 	@param n The BIG Modulus
  */
 extern void BIG_XXX_modmul(BIG_XXX x,BIG_XXX y,BIG_XXX z,BIG_XXX n);
-/**	@brief  Calculate x=y/z mod n
+/**	@brief  Calculate x=y/z mod n - leaks log2(x)-log2(n)
  *
 	Slow method for modular division
 	@param x BIG number, on exit = y/z mod n
@@ -514,23 +514,23 @@ extern void BIG_XXX_modmul(BIG_XXX x,BIG_XXX y,BIG_XXX z,BIG_XXX n);
 	@param n The BIG Modulus
  */
 extern void BIG_XXX_moddiv(BIG_XXX x,BIG_XXX y,BIG_XXX z,BIG_XXX n);
-/**	@brief  Calculate x=y^2 mod n
+/**	@brief  Calculate x=y^2 mod n - leaks log2(x)-log2(n)
  *
 	Slow method for modular squaring
 	@param x BIG number, on exit = y^2 mod n
 	@param y BIG number
 	@param n The BIG Modulus
  */
 extern void BIG_XXX_modsqr(BIG_XXX x,BIG_XXX y,BIG_XXX n);
-/**	@brief  Calculate x=-y mod n
+/**	@brief  Calculate x=-y mod n - leaks log2(x)-log2(n)
  *
 	Modular negation
 	@param x BIG number, on exit = -y mod n
 	@param y BIG number
 	@param n The BIG Modulus
  */
 extern void BIG_XXX_modneg(BIG_XXX x,BIG_XXX y,BIG_XXX n);
-/**	@brief  Calculate jacobi Symbol (x/y)
+/**	@brief  Calculate jacobi Symbol (x/y) - not constant time
  *
 	@param x BIG number
 	@param y BIG number

include/ff.h.in

@@ -66,6 +66,13 @@ extern void FF_WWW_zero(BIG_XXX *x,int n);
 	@return 1 if zero, else returns 0
  */
 extern int FF_WWW_iszilch(BIG_XXX *x,int n);
+/**	@brief Tests for FF element equal to one
+ *
+	@param x FF number to be tested
+	@param n size of FF in BIGs
+	@return 1 if unity, else returns 0
+ */
+extern int FF_WWW_isunity(BIG_XXX *x,int n);
 /**	@brief  return parity of an FF, that is the least significant bit
  *
 	@param x FF number
@@ -178,7 +185,7 @@ extern void FF_WWW_fromOctet(BIG_XXX *x,octet *S,int n);
 	@param n size of FF in BIGs
  */
 extern void FF_WWW_mul(BIG_XXX *x,BIG_XXX *y,BIG_XXX *z,int n);
-/**	@brief Reduce FF mod a modulus
+/**	@brief Reduce FF mod a modulus - leaks log2(p)-log2(n)
  *
 	This is slow
 	@param x FF instance to be reduced mod p - on exit = x mod p
@@ -194,7 +201,7 @@ extern void FF_WWW_mod(BIG_XXX *x,BIG_XXX *p,int n);
 	@param n size of FF in BIGs
  */
 extern void FF_WWW_sqr(BIG_XXX *x,BIG_XXX *y,int n);
-/**	@brief Reduces a double-length FF with respect to a given modulus
+/**	@brief Reduces a double-length FF with respect to a given modulus - leaks log2(y)-log2(z)
  *
 	This is slow
 	@param x FF instance, on exit = y mod z
@@ -225,7 +232,7 @@ extern void FF_WWW_invmod2m(BIG_XXX U[],BIG_XXX a[],int n);
 	@param n size of FF in BIGs
  */
 extern void FF_WWW_random(BIG_XXX *x,csprng *R,int n);
-/**	@brief Create a random FF less than a given modulus from a random number generator
+/**	@brief Create a random FF less than a given modulus from a random number generator - leaks log2(y)
  *
 	@param x FF instance, on exit x is a random number < y
 	@param y FF instance, the modulus
@@ -242,7 +249,7 @@ extern void FF_WWW_randomnum(BIG_XXX *x,BIG_XXX *y,csprng *R,int n);
 	@param n size of FF in BIGs
 	@param en size of the exponent in BIGs
  */
-extern void FF_WWW_skpow(BIG_XXX *r,BIG_XXX *x,BIG_XXX * e,BIG_XXX *p,int n, int en);
+extern void FF_WWW_ct_pow(BIG_XXX *r,BIG_XXX *x,BIG_XXX * e,BIG_XXX *p,int n, int en);
 /**	@brief Calculate r=x^e mod p, side channel resistant
  *
 	For short BIG exponent
@@ -252,7 +259,7 @@ extern void FF_WWW_skpow(BIG_XXX *r,BIG_XXX *x,BIG_XXX * e,BIG_XXX *p,int n, int
 	@param p FF modulus
 	@param n size of FF in BIGs
  */
-extern void FF_WWW_skspow(BIG_XXX *r,BIG_XXX *x,BIG_XXX e,BIG_XXX *p,int n);
+extern void FF_WWW_ct_pow_big(BIG_XXX *r,BIG_XXX *x,BIG_XXX e,BIG_XXX *p,int n);
 /**	@brief Calculate r=x^e.y^f mod p for FF e and f, side channel resistant
  *
 	@param r  FF instance, on exit = x^e.y^f mod p
@@ -264,7 +271,7 @@ extern void FF_WWW_skspow(BIG_XXX *r,BIG_XXX *x,BIG_XXX e,BIG_XXX *p,int n);
 	@param n  size of FF in BIGs
 	@param en size of the exponent in BIGs
  */
-extern void FF_WWW_skpow2(BIG_XXX *r,BIG_XXX *x, BIG_XXX *e, BIG_XXX *y, BIG_XXX *f, BIG_XXX *p, int n, int en);
+extern void FF_WWW_ct_pow_2(BIG_XXX *r,BIG_XXX *x, BIG_XXX *e, BIG_XXX *y, BIG_XXX *f, BIG_XXX *p, int n, int en);
 /**	@brief Calculate r=x^e.y^f.z^g mod p for FF e, f and g, side channel resistant
  *
 	@param r  FF instance, on exit = x^e.y^f.z^g mod p
@@ -278,8 +285,8 @@ extern void FF_WWW_skpow2(BIG_XXX *r,BIG_XXX *x, BIG_XXX *e, BIG_XXX *y, BIG_XXX
 	@param n  size of FF in BIGs
 	@param en size of the exponent in BIGs
  */
-extern void FF_WWW_skpow3(BIG_XXX *r,BIG_XXX *x, BIG_XXX *e, BIG_XXX *y, BIG_XXX *f, BIG_XXX *z, BIG_XXX *g, BIG_XXX *p, int n, int en);
-/**	@brief Calculate r=x^e mod p
+extern void FF_WWW_ct_pow_3(BIG_XXX *r,BIG_XXX *x, BIG_XXX *e, BIG_XXX *y, BIG_XXX *f, BIG_XXX *z, BIG_XXX *g, BIG_XXX *p, int n, int en);
+/**	@brief Calculate r=x^e mod p. Faster but not constant time
  *
 	For very short integer exponent
 	@param r  FF instance, on exit = x^e mod p
@@ -288,7 +295,7 @@ extern void FF_WWW_skpow3(BIG_XXX *r,BIG_XXX *x, BIG_XXX *e, BIG_XXX *y, BIG_XXX
 	@param p  FF modulus
 	@param n  size of FF in BIGs
  */
-extern void FF_WWW_power(BIG_XXX *r,BIG_XXX *x,int e,BIG_XXX *p,int n);
+extern void FF_WWW_nt_pow_int(BIG_XXX *r,BIG_XXX *x,int e,BIG_XXX *p,int n);
 /**	@brief Calculate r=x^e mod p
  *
 	@param r  FF instance, on exit = x^e mod p
@@ -298,7 +305,7 @@ extern void FF_WWW_power(BIG_XXX *r,BIG_XXX *x,int e,BIG_XXX *p,int n);
 	@param n  size of base in BIGs
 	@param en size of exponent in BIGs
  */
-extern void FF_WWW_pow(BIG_XXX *r, BIG_XXX *x, BIG_XXX *e, BIG_XXX *p, int n, int en);
+extern void FF_WWW_nt_pow(BIG_XXX *r, BIG_XXX *x, BIG_XXX *e, BIG_XXX *p, int n, int en);
 /**	@brief Calculate r=x^e.y^f mod p. Faster but non constant time
  *
 	@param r  FF instance, on exit = x^e.y^f mod p
@@ -310,7 +317,7 @@ extern void FF_WWW_pow(BIG_XXX *r, BIG_XXX *x, BIG_XXX *e, BIG_XXX *p, int n, in
 	@param n   size of FF in BIGs
 	@param en size of exponent in BIGs
  */
-void FF_WWW_pow2(BIG_XXX *r,BIG_XXX *x,BIG_XXX *e, BIG_XXX *y, BIG_XXX *f, BIG_XXX *p,int n, int en);
+void FF_WWW_nt_pow_2(BIG_XXX *r,BIG_XXX *x,BIG_XXX *e, BIG_XXX *y, BIG_XXX *f, BIG_XXX *p,int n, int en);
 /**	@brief Calculate r=x^e.y^f.z^g mod p. Faster but non constant time
  *
 	@param r  FF instance, on exit = x^e.y^f.z^g mod p
@@ -324,7 +331,7 @@ void FF_WWW_pow2(BIG_XXX *r,BIG_XXX *x,BIG_XXX *e, BIG_XXX *y, BIG_XXX *f, BIG_X
 	@param n  size of FF in BIGs
 	@param en size of exponent in BIGs
  */
-void FF_WWW_pow3(BIG_XXX *r,BIG_XXX *x,BIG_XXX *e, BIG_XXX *y, BIG_XXX *f, BIG_XXX *z, BIG_XXX *g, BIG_XXX *p, int n, int en);
+void FF_WWW_nt_pow_3(BIG_XXX *r,BIG_XXX *x,BIG_XXX *e, BIG_XXX *y, BIG_XXX *f, BIG_XXX *z, BIG_XXX *g, BIG_XXX *p, int n, int en);
 /**	@brief Calculate r=x^e.y^f.z^g.w^h mod p. Faster but non constant time
  *
 	@param r  FF instance, on exit = x^e.y^f.z^g.w^h mod p
@@ -340,7 +347,7 @@ void FF_WWW_pow3(BIG_XXX *r,BIG_XXX *x,BIG_XXX *e, BIG_XXX *y, BIG_XXX *f, BIG_X
 	@param n  size of FF in BIGs
 	@param en size of exponent in BIGs
  */
-extern void FF_WWW_pow4(BIG_XXX *r,BIG_XXX *x,BIG_XXX *e, BIG_XXX *y, BIG_XXX *f, BIG_XXX *z, BIG_XXX *g, BIG_XXX *w, BIG_XXX *h, BIG_XXX *p, int n, int en);
+extern void FF_WWW_nt_pow_4(BIG_XXX *r,BIG_XXX *x,BIG_XXX *e, BIG_XXX *y, BIG_XXX *f, BIG_XXX *z, BIG_XXX *g, BIG_XXX *w, BIG_XXX *h, BIG_XXX *p, int n, int en);
 /**	@brief Test if an FF has factor in common with integer s
  *
 	@param x FF instance to be tested
@@ -360,13 +367,14 @@ extern int FF_WWW_cfactor(BIG_XXX *x,sign32 s,int n);
 extern int FF_WWW_prime(BIG_XXX *x,csprng *R,int n);
 /**	@brief Combine rp and rq using the Chinese Remainder Theorem
  *
-	@param r  FF instance, on exit the solution of the system
-	@param rp FF instance, solution modulo p
-	@param rq FF instance, solution modulo q
-	@param p  FF instance, MUST be coprime with q
-	@param q  FF instance, MUST be coprime with p
-	@param n size of p and q in BIGs
+	@param r     FF instance, on exit the solution of the system
+	@param rp    FF instance, solution modulo p
+	@param rq    FF instance, solution modulo q
+	@param p     FF instance, MUST be coprime with q
+	@param invpq FF instance, p^(-1) mod q
+	@param pq    FF instance, p*q
+	@param n     size of p in BIGs
  */
-extern void FF_WWW_crt(BIG_XXX *r, BIG_XXX *rp, BIG_XXX *rq, BIG_XXX *p, BIG_XXX *q, int n);
+extern void FF_WWW_crt(BIG_XXX *r, BIG_XXX *rp, BIG_XXX *rq, BIG_XXX *p, BIG_XXX *invpq, BIG_XXX *pq, int n);
 
 #endif

include/paillier.h

@@ -68,6 +68,8 @@ typedef struct
     BIG_1024_58 invp[FFLEN_2048]; /**< Precomputed \f$ p^{-1} \pmod{2^m} \f$ */
     BIG_1024_58 invq[FFLEN_2048]; /**< Precomputed \f$ q^{-1} \pmod{2^m} \f$ */
 
+    BIG_1024_58 invpq[HFLEN_2048]; /**< Precomputed \f$ p^{-1} \pmod{q} \f$ */
+
     BIG_1024_58 p2[FFLEN_2048]; /**< Precomputed \f$ p^2 \f$ */
     BIG_1024_58 q2[FFLEN_2048]; /**< Precomputed \f$ q^2 \f$ */
 

python/run_bls_ZZZ.py.in

@@ -24,11 +24,11 @@ under the License.
 example for using bls
 
 """
+
 import cffi
 import platform
 import os
 import bls_ZZZ
-
 if __name__ == "__main__":
     # Print hex values
     DEBUG = False

src/big.c.in

@@ -29,6 +29,10 @@ int BIG_XXX_iszilch(BIG_XXX a)
     int i;
     chunk d = 0;
 
+#ifdef DEBUG_NORM
+    if ((a[MPV_XXX]!=1 && a[MPV_XXX]!=0) || a[MNV_XXX]!=0) printf("Input to iszilch not normed\n");
+#endif
+
     for (i=0; i<NLEN_XXX; i++)
         d |= a[i];
 
@@ -45,6 +49,10 @@ int BIG_XXX_isunity(BIG_XXX a)
     int i;
     chunk d = 0;
 
+#ifdef DEBUG_NORM
+    if ((a[MPV_XXX]!=1 && a[MPV_XXX]!=0) || a[MNV_XXX]!=0) printf("Input to isunity not normed\n");
+#endif
+
     for(i=1; i<NLEN_XXX; i++)
         d |= a[i];
 
@@ -58,6 +66,10 @@ int BIG_XXX_diszilch(DBIG_XXX a)
     int i;
     chunk d = 0;
 
+#ifdef DEBUG_NORM
+    if ((a[DMPV_XXX]!=1 && a[DMPV_XXX]!=0) || a[DMNV_XXX]!=0) printf("Input to diszilch not normed\n");
+#endif
+
     for (i=0; i<DNLEN_XXX; i++)
         d |= a[i];
 
@@ -1027,6 +1039,11 @@ int BIG_XXX_comp(BIG_XXX b1,BIG_XXX b2)
     chunk gt = 0;
     chunk eq = 1;
 
+#ifdef DEBUG_NORM
+    if ((b1[MPV_XXX]!=1 && b1[MPV_XXX]!=0) || b1[MNV_XXX]!=0) printf("First input to comp not normed\n");
+    if ((b2[MPV_XXX]!=1 && b2[MPV_XXX]!=0) || b2[MNV_XXX]!=0) printf("Second input to comp not normed\n");
+#endif
+
     for (i = NLEN_XXX-1; i>=0; i--)
     {
         gt |= ((b2[i]-b1[i]) >> BASEBITS_XXX) & eq;
@@ -1045,6 +1062,11 @@ int BIG_XXX_dcomp(DBIG_XXX b1,DBIG_XXX b2)
     chunk gt = 0;
     chunk eq = 1;
 
+#ifdef DEBUG_NORM
+    if ((b1[DMPV_XXX]!=1 && b1[DMPV_XXX]!=0) || b1[DMNV_XXX]!=0) printf("First input to dcomp not normed\n");
+    if ((b2[DMPV_XXX]!=1 && b2[DMPV_XXX]!=0) || b2[DMNV_XXX]!=0) printf("Second input to dcomp not normed\n");
+#endif
+
     for (i=DNLEN_XXX-1; i>=0; i--)
     {
         gt |= ((b2[i]-b1[i]) >> BASEBITS_XXX) & eq;
@@ -1497,7 +1519,8 @@ void BIG_XXX_invmodp(BIG_XXX r,BIG_XXX a,BIG_XXX p)
     BIG_XXX u, v, s, w;
 
     BIG_XXX_copy(u, p);
-    BIG_XXX_copy(v,a);
+    BIG_XXX_copy(v, a);
+    BIG_XXX_mod(v, p);
     BIG_XXX_zero(r);
     BIG_XXX_one(s);
 
@@ -1515,7 +1538,7 @@ void BIG_XXX_invmodp(BIG_XXX r,BIG_XXX a,BIG_XXX p)
     for (k = 0; k < 2 * BIGBITS_XXX; k++)
     {
         p1 = !BIG_XXX_iszilch(v);
-        
+
         pu = BIG_XXX_parity(u);
         pv = BIG_XXX_parity(v);
         // Cases 2-4 of Kaliski
@@ -1547,7 +1570,7 @@ void BIG_XXX_invmodp(BIG_XXX r,BIG_XXX a,BIG_XXX p)
 
         // Restore u,v,r,s to the original position
         BIG_XXX_cswap(u, v, psw);
-        BIG_XXX_cswap(r, s, psw);        
+        BIG_XXX_cswap(r, s, psw);
     }
 
     // Last step of kaliski