xref: /freebsd/crypto/openssl/doc/man3/BN_mod_exp_mont.pod (revision 1719886f6d08408b834d270c59ffcfd821c8f63a)
1=pod
2
3=head1 NAME
4
5BN_mod_exp_mont, BN_mod_exp_mont_consttime, BN_mod_exp_mont_consttime_x2 -
6Montgomery exponentiation
7
8=head1 SYNOPSIS
9
10 #include <openssl/bn.h>
11
12 int BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
13                     const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont);
14
15 int BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p,
16                               const BIGNUM *m, BN_CTX *ctx,
17                               BN_MONT_CTX *in_mont);
18
19 int BN_mod_exp_mont_consttime_x2(BIGNUM *rr1, const BIGNUM *a1,
20                                  const BIGNUM *p1, const BIGNUM *m1,
21                                  BN_MONT_CTX *in_mont1, BIGNUM *rr2,
22                                  const BIGNUM *a2, const BIGNUM *p2,
23                                  const BIGNUM *m2, BN_MONT_CTX *in_mont2,
24                                  BN_CTX *ctx);
25
26=head1 DESCRIPTION
27
28BN_mod_exp_mont() computes I<a> to the I<p>-th power modulo I<m> (C<rr=a^p % m>)
29using Montgomery multiplication. I<in_mont> is a Montgomery context and can be
30NULL. In the case I<in_mont> is NULL, it will be initialized within the
31function, so you can save time on initialization if you provide it in advance.
32
33BN_mod_exp_mont_consttime() computes I<a> to the I<p>-th power modulo I<m>
34(C<rr=a^p % m>) using Montgomery multiplication. It is a variant of
35L<BN_mod_exp_mont(3)> that uses fixed windows and the special precomputation
36memory layout to limit data-dependency to a minimum to protect secret exponents.
37It is called automatically when L<BN_mod_exp_mont(3)> is called with parameters
38I<a>, I<p>, I<m>, any of which have B<BN_FLG_CONSTTIME> flag.
39
40BN_mod_exp_mont_consttime_x2() computes two independent exponentiations I<a1> to
41the I<p1>-th power modulo I<m1> (C<rr1=a1^p1 % m1>) and I<a2> to the I<p2>-th
42power modulo I<m2> (C<rr2=a2^p2 % m2>) using Montgomery multiplication. For some
43fixed and equal modulus sizes I<m1> and I<m2> it uses optimizations that allow
44to speedup two exponentiations. In all other cases the function reduces to two
45calls of L<BN_mod_exp_mont_consttime(3)>.
46
47=head1 RETURN VALUES
48
49For all functions 1 is returned for success, 0 on error.
50The error codes can be obtained by L<ERR_get_error(3)>.
51
52=head1 SEE ALSO
53
54L<ERR_get_error(3)>, L<BN_mod_exp_mont(3)>
55
56=head1 COPYRIGHT
57
58Copyright 2000-2021 The OpenSSL Project Authors. All Rights Reserved.
59
60Licensed under the Apache License 2.0 (the "License").  You may not use
61this file except in compliance with the License.  You can obtain a copy
62in the file LICENSE in the source distribution or at
63L<https://www.openssl.org/source/license.html>.
64
65=cut
66