README
¶
constbn - a constant time Golang BigNum library
This is an implementation of bignums with a focus on constant time operations. Unless anything else is mentioned, all operations are constant time. The initial implementation is based on the i31 implementation from BearSSL. It uses uint32 values as the limbs, but only 31 bits are actually used.
The main goal of this implementation is to make it possible to have a generic constant time modular exponentiation operation on bignums large enough to implement modern cryptographyic algorithms, since the Golang big/int library is not constant time. Other operations might be added with time, making this a more generic library, but the focus is initially to serve the needs of the otr3 project.
API Documentation
Security and assumptions
- The code in this library assumes that the uint32 multiplication routines are constant time on the machine in question.
- The constant time nature of the modpow (Exp) implementation has been tested using
dudect. You can see the code and the results from this testing in theconst_testingsub directory in this repository. The summary is that this specific tests gives a good inidication that the code is actually constant time.
Caveats and notes
- This is not a general purpose bignum implementation. It is specifically aimed at cryptography, and specifically cryptography in a constant time setting, with specific limitiations. For example, the Int type does not support negative numbers. It is also not possible to do an exponentiation with an even modulus.
- The code has not been audited. That said, it is a fairly straightforward translation from a small subset of BearSSL, and I have added a significant amount of test vectors. If something is wrong with this implementation, it's a strong possibility that something is also wrong with the BearSSL implementation.
- The API is subject to change
- Currently, there is no good documentation - the code itself is the most appropriate to read to understand what's going on right now.
- Unless specifically documented, all operations are constant time.
Authors
- Centro de Autonomía Digital
License
This project is licensed under the GNU GENERAL PUBLIC LICENSE VERSION 3.0.
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func Decode ¶
Decode will decode the given number from a big endian unsigned byte array. The given result should be an array with sufficient size for the number
Types ¶
type Base ¶
type Base uint32
Base represents the numerical type used for representing internal numbers
type Int ¶
type Int struct {
// contains filtered or unexported fields
}
Int represents an arbitrarily sized integer
func (*Int) Bytes ¶
Bytes returns the absolute value of x as a big-endian byte slice. This method is not constant time in the length of the value, but is constant time in terms of its value.
func (*Int) Exp ¶
Exp sets and returns the value x to the power of y, mod m. m has to be an odd number. x has to be smaller than m. This method is constant time in that it does not reveal the values, but it is not constant time in the conversion of the y-value. It is constant time in terms of value, but not in length. If this is not acceptable, the ExpB method is fully constant time.
func (*Int) ExpB ¶
ExpB sets and returns the value x to the power of y, mod m. m has to be an odd number. y is the representation of a number in big-endian byte order. x has to be smaller than m. This method is constant time.
func (*Int) GetBigInt ¶
GetBigInt returns a big.Int that represents the same value as this int This method is not constant time.
func (*Int) Set ¶
Set sets the value of the receiver to the argument This method is constant time in value, but not in length.
func (*Int) SetBigInt ¶
SetBigInt sets the value this int to the value in the big.Int The implementation of decoding bytes is constant time in constbn and does not leak the value or length of the value. However, this method uses the Bytes method on big.Int - which is not constant time.
Source Files
Directories