[base/hardened_memory] Add modular reduce, add, and sub

For the arithmetic sharings for ECC, we use a modular subtraction,
implement helper functions which are constant time and hardened against
fault injection.

Also added a functest for the hardened arithmetic operations to
check whether they are constant time and whether they are correct on a
RV platform.

The functions including the add and sub functions are written to use the
risc-v instructions when on such a platform. This is to enforce the
constant time nature of the operations. Helper functions for add, sub,
and select are created.

Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>

Author: siemen11

sw/device/lib/base/hardened_memory.c

@@ -301,6 +301,76 @@ status_t randomized_bytexor_in_place(void *restrict x, const void *restrict y,
   return (status_t){.value = (int32_t)launder32((uint32_t)OTCRYPTO_OK.value)};
 }
 
+#ifdef OT_PLATFORM_RV32
+/**
+ * Call the RISC-V addition with carry.
+ *
+ * @param x First input of the addition.
+ * @param y Second input of the addition.
+ * @param carry The carry-in, updates to the carry-out.
+ * @return The addition of x, y, and carry.
+ */
+static inline uint32_t rv32_addc(uint32_t x, uint32_t y, uint32_t *carry) {
+  uint32_t res, next_carry, c1, c2;
+  __asm__ __volatile__(
+      "add  %[res], %[x], %[c_in]\n\t"
+      "sltu %[c1], %[res], %[c_in]\n\t"
+      "add  %[res], %[res], %[y]\n\t"
+      "sltu %[c2], %[res], %[y]\n\t"
+      "or   %[next_c], %[c1], %[c2]"
+      : [res] "=&r"(res), [next_c] "=&r"(next_carry), [c1] "=&r"(c1),
+        [c2] "=&r"(c2)
+      : [x] "r"(x), [y] "r"(y), [c_in] "r"(*carry));
+  *carry = next_carry;
+  return res;
+}
+
+/**
+ * Call the RISC-V subtraction with borrow.
+ *
+ * @param x First input of the subtraction.
+ * @param y Second input of the subtraction.
+ * @param borrow The borrow-in, updates to the borrow-out.
+ * @return The subtraction of x, y, and borrow.
+ */
+static inline uint32_t rv32_subc(uint32_t x, uint32_t y, uint32_t *borrow) {
+  uint32_t res, next_borrow, b1, b2;
+  __asm__ __volatile__(
+      "sltu %[b1], %[x], %[b_in]\n\t"
+      "sub  %[res], %[x], %[b_in]\n\t"
+      "sltu %[b2], %[res], %[y]\n\t"
+      "sub  %[res], %[res], %[y]\n\t"
+      "or   %[next_b], %[b1], %[b2]"
+      : [res] "=&r"(res), [next_b] "=&r"(next_borrow), [b1] "=&r"(b1),
+        [b2] "=&r"(b2)
+      : [x] "r"(x), [y] "r"(y), [b_in] "r"(*borrow));
+  *borrow = next_borrow;
+  return res;
+}
+
+/**
+ * Call the RISC-V select.
+ *
+ *
+ * @param a First input of the select.
+ * @param b Second input of the select.
+ * @param cond The condition to select.
+ * @return `a` if `cond == 1`, or `b` if `cond == 0`.
+ */
+static inline uint32_t rv32_sel(uint32_t cond, uint32_t a, uint32_t b) {
+  uint32_t res, mask, tmp;
+  __asm__ __volatile__(
+      "neg  %[mask], %[cond]\n\t"     // mask = 0 - cond (0xFFFFFFFF if 1,
+                                      // 0x00000000 if 0)
+      "xor  %[tmp],  %[a], %[b]\n\t"  // tmp = a ^ b
+      "and  %[tmp],  %[tmp],   %[mask]\n\t"  // tmp = (a ^ b) & mask
+      "xor  %[res],  %[b], %[tmp]"           // out = b ^ ((a ^ b) & mask)
+      : [res] "=r"(res), [mask] "=&r"(mask), [tmp] "=&r"(tmp)
+      : [cond] "r"(cond), [a] "r"(a), [b] "r"(b));
+  return res;
+}
+#endif
+
 status_t hardened_add(const uint32_t *restrict x, const uint32_t *restrict y,
                       size_t word_len, uint32_t *restrict dest) {
   // Randomize the content of the output buffer before writing to it.
@@ -310,6 +380,9 @@ status_t hardened_add(const uint32_t *restrict x, const uint32_t *restrict y,
   size_t count = 0;
 
   for (; launderw(count) < word_len; count = launderw(count) + 1) {
+#ifdef OT_PLATFORM_RV32
+    dest[count] = rv32_addc(x[count], y[count], &carry);
+#else
     uint32_t x_val = x[count];
     uint32_t y_val = y[count];
 
@@ -321,6 +394,7 @@ status_t hardened_add(const uint32_t *restrict x, const uint32_t *restrict y,
 
     dest[count] = res;
     carry = next_carry;
+#endif
   }
   HARDENED_CHECK_EQ(count, word_len);
 
@@ -336,6 +410,9 @@ status_t hardened_sub(const uint32_t *restrict x, const uint32_t *restrict y,
   size_t count = 0;
 
   for (; launderw(count) < word_len; count = launderw(count) + 1) {
+#ifdef OT_PLATFORM_RV32
+    dest[count] = rv32_subc(x[count], y[count], &borrow);
+#else
     uint32_t x_val = x[count];
     uint32_t y_val = y[count];
 
@@ -348,6 +425,141 @@ status_t hardened_sub(const uint32_t *restrict x, const uint32_t *restrict y,
 
     dest[count] = res;
     borrow = next_borrow;
+#endif
+  }
+  HARDENED_CHECK_EQ(count, word_len);
+
+  return (status_t){.value = (int32_t)launder32((uint32_t)OTCRYPTO_OK.value)};
+}
+
+status_t hardened_sub_mod(const uint32_t *restrict x,
+                          const uint32_t *restrict y,
+                          const uint32_t *restrict n, size_t word_len,
+                          uint32_t *restrict dest) {
+  // Randomize the content of the output buffer before writing to it.
+  hardened_memshred(dest, word_len);
+
+  // temp_sub = x - y
+  uint32_t temp_sub[word_len];
+  uint32_t borrow = 0;
+  size_t count = 0;
+  for (; launderw(count) < word_len; count = launderw(count) + 1) {
+#ifdef OT_PLATFORM_RV32
+    temp_sub[count] = rv32_subc(x[count], y[count], &borrow);
+#else
+    uint32_t x_val = x[count];
+    uint32_t y_val = y[count];
+    uint32_t res = x_val - borrow;
+    uint32_t next_borrow = (x_val < borrow);
+    next_borrow += (res < y_val);
+    res -= y_val;
+    temp_sub[count] = res;
+    borrow = next_borrow;
+#endif
+  }
+  HARDENED_CHECK_EQ(count, word_len);
+
+  // temp_add = temp_sub + n
+  uint32_t temp_add[word_len];
+  uint32_t carry = 0;
+  count = 0;
+  for (; launderw(count) < word_len; count = launderw(count) + 1) {
+#ifdef OT_PLATFORM_RV32
+    temp_add[count] = rv32_addc(temp_sub[count], n[count], &carry);
+#else
+    uint32_t x_val = temp_sub[count];
+    uint32_t y_val = n[count];
+    uint32_t res = x_val + carry;
+    uint32_t next_carry = (res < carry);
+    res += y_val;
+    next_carry += (res < y_val);
+    temp_add[count] = res;
+    carry = next_carry;
+#endif
+  }
+  HARDENED_CHECK_EQ(count, word_len);
+
+  // If borrow is 1, choose temp_add, otherwise choose temp_sub.
+  uint32_t is_borrow = launder32(borrow);
+
+  count = 0;
+  for (; launderw(count) < word_len; count = launderw(count) + 1) {
+#ifdef OT_PLATFORM_RV32
+    dest[count] = rv32_sel(is_borrow, temp_add[count], temp_sub[count]);
+#else
+    // The mask is all 1s if borrow is 1, and all 0s if borrow is 0.
+    uint32_t mask = ~(is_borrow - 1);
+    // Prevent optimizations of mask.
+    mask = launder32(mask);
+    dest[count] = (temp_add[count] & launder32(mask)) |
+                  (temp_sub[count] & launder32(~mask));
+#endif
+  }
+  HARDENED_CHECK_EQ(count, word_len);
+
+  return (status_t){.value = (int32_t)launder32((uint32_t)OTCRYPTO_OK.value)};
+}
+
+status_t hardened_add_mod(const uint32_t *restrict x,
+                          const uint32_t *restrict y,
+                          const uint32_t *restrict n, size_t word_len,
+                          uint32_t *restrict dest) {
+  // Randomize the content of the output buffer before writing to it.
+  hardened_memshred(dest, word_len);
+
+  // temp_add = x + y
+  uint32_t temp_add[word_len];
+  uint32_t carry = 0;
+  size_t count = 0;
+  for (; launderw(count) < word_len; count = launderw(count) + 1) {
+#ifdef OT_PLATFORM_RV32
+    temp_add[count] = rv32_addc(x[count], y[count], &carry);
+#else
+    uint32_t x_val = x[count];
+    uint32_t y_val = y[count];
+    uint32_t res = x_val + carry;
+    uint32_t next_carry = (res < carry);
+    res += y_val;
+    next_carry += (res < y_val);
+    temp_add[count] = res;
+    carry = next_carry;
+#endif
+  }
+  HARDENED_CHECK_EQ(count, word_len);
+
+  // temp_sub = temp_add - n
+  uint32_t temp_sub[word_len];
+  uint32_t borrow = 0;
+  count = 0;
+  for (; launderw(count) < word_len; count = launderw(count) + 1) {
+#ifdef OT_PLATFORM_RV32
+    temp_sub[count] = rv32_subc(temp_add[count], n[count], &borrow);
+#else
+    uint32_t x_val = temp_add[count];
+    uint32_t y_val = n[count];
+    uint32_t res = x_val - borrow;
+    uint32_t next_borrow = (x_val < borrow);
+    next_borrow += (res < y_val);
+    res -= y_val;
+    temp_sub[count] = res;
+    borrow = next_borrow;
+#endif
+  }
+  HARDENED_CHECK_EQ(count, word_len);
+
+  uint32_t is_ge = launder32(carry) | (1 - launder32(borrow));
+
+  count = 0;
+  for (; launderw(count) < word_len; count = launderw(count) + 1) {
+#ifdef OT_PLATFORM_RV32
+    dest[count] = rv32_sel(is_ge, temp_sub[count], temp_add[count]);
+#else
+    uint32_t mask = ~(is_ge - 1);
+    // Prevent optimizations of mask
+    mask = launder32(mask);
+    dest[count] = (temp_sub[count] & launder32(mask)) |
+                  (temp_add[count] & launder32(~mask));
+#endif
   }
   HARDENED_CHECK_EQ(count, word_len);
 
@@ -367,12 +579,16 @@ status_t hardened_range_check(const uint32_t *value, const uint32_t *N,
     // Accumulate bits to check if value is zero.
     is_zero_acc = launder32(is_zero_acc) | launder32(val_word);
 
+#ifdef OT_PLATFORM_RV32
+    (void)rv32_subc(val_word, n_word, &borrow);
+#else
     // Compute borrow to check if value < N.
     uint32_t res = val_word - borrow;
     uint32_t next_borrow = (val_word < borrow);
     next_borrow += (res < n_word);
 
     borrow = next_borrow;
+#endif
   }
   HARDENED_CHECK_EQ(count, word_len);
 
@@ -388,3 +604,106 @@ status_t hardened_range_check(const uint32_t *value, const uint32_t *N,
 
   return (status_t){.value = (int32_t)launder32((uint32_t)OTCRYPTO_OK.value)};
 }
+
+status_t hardened_mod_reduce(const uint32_t *value, const uint32_t *n,
+                             size_t word_len, uint32_t *result) {
+  // This function computes modular reduction (value % n).
+  // It implements a constant-time shift-and-subtract division. It iterates
+  // through the bits of the dividend (`value`) from MSB to LSB, shifting them
+  // into a remainder `r`, and subtracting the divisor `n` in constant time.
+
+  // Remainder, twice the size of the modulus to handle the left shift.
+  uint32_t r[2 * word_len];
+  // Intermediate storing of (r - n).
+  uint32_t r_sub[2 * word_len];
+
+  size_t i = 0;
+
+  // Initialize remainder arrays to zero.
+  for (; launderw(i) < 2 * word_len; i = launderw(i) + 1) {
+    r[i] = 0;
+    r_sub[i] = 0;
+  }
+  HARDENED_CHECK_EQ(i, 2 * word_len);
+
+  // Process each bit of `value` from Most Significant Bit (MSB) down to LSB.
+  i = word_len * 32;
+  for (; launderw(i) > 0; i = launderw(i) - 1) {
+    size_t bit_idx = i - 1;
+    size_t word_idx = bit_idx >> 5;
+    size_t bit_in_word = bit_idx % 32;
+
+    // Shift the current remainder `r` left by 1 bit.
+    uint32_t carry = 0;
+    size_t j = 0;
+    for (; launderw(j) < 2 * word_len; j = launderw(j) + 1) {
+      uint32_t next_carry = (r[j] >> 31);
+      r[j] = (r[j] << 1) | carry;
+      carry = next_carry;
+    }
+    HARDENED_CHECK_EQ(j, 2 * word_len);
+
+    // Inject the current top bit of `value` into the LSB of `r`.
+    uint32_t bit = (value[word_idx] >> bit_in_word) & 1;
+    r[0] = r[0] ^ ((r[0] ^ bit) & 1);
+
+    // Compute `r_sub = r - n`.
+    uint32_t borrow = 0;
+    j = 0;
+    for (; launderw(j) < word_len; j = launderw(j) + 1) {
+#ifdef OT_PLATFORM_RV32
+      r_sub[j] = rv32_subc(r[j], n[j], &borrow);
+#else
+      uint32_t r_word = r[j];
+      uint32_t n_word = n[j];
+      uint32_t res = r_word - borrow;
+      uint32_t next_borrow = (r_word < borrow);
+      next_borrow |= (res < n_word);
+      res -= n_word;
+      r_sub[j] = res;
+      borrow = next_borrow;
+#endif
+    }
+    HARDENED_CHECK_EQ(j, word_len);
+
+    // Propagate the borrow through the upper half of r
+    j = word_len;
+    for (; launderw(j) < 2 * word_len; j = launderw(j) + 1) {
+#ifdef OT_PLATFORM_RV32
+      r_sub[j] = rv32_subc(r[j], 0, &borrow);
+#else
+      uint32_t res = r[j] - borrow;
+      borrow = (r[j] < borrow);
+      r_sub[j] = res;
+#endif
+    }
+    HARDENED_CHECK_EQ(j, 2 * word_len);
+
+    // Conditional swap.
+    // If r < n, the final borrow is 1. If r >= n, the final borrow is 0.
+#ifdef OT_PLATFORM_RV32
+    uint32_t cond = launder32(1 - launder32(borrow));
+#else
+    uint32_t mask = borrow - 1;
+    // Prevent compiler optimizations of the mask.
+    mask = launder32(mask);
+#endif
+
+    j = 0;
+    for (; launderw(j) < 2 * word_len; j = launderw(j) + 1) {
+#ifdef OT_PLATFORM_RV32
+      r[j] = rv32_sel(cond, r_sub[j], r[j]);
+#else
+      r[j] = (r_sub[j] & launder32(mask)) | (r[j] & launder32(~mask));
+#endif
+    }
+    HARDENED_CHECK_EQ(j, 2 * word_len);
+  }
+  HARDENED_CHECK_EQ(i, 0);
+
+  // Copy the lower word_len elements of the final remainder into the result
+  // array.
+  TRY(hardened_memcpy(result, r, word_len));
+
+  return (status_t){.value = (int32_t)launder32((uint32_t)OTCRYPTO_OK.value)};
+}