Class H2cUtils

java.lang.Object
org.bouncycastle.crypto.hash2curve.H2cUtils
public class H2cUtils extends Object
Utility functions for hash 2 curve

This implementation follows the straight-line, branch-free algorithmic structure required by RFC 9380, ensuring that all code paths perform the same sequence of mathematical operations regardless of input values. However, it relies on Java’s BigInteger arithmetic and standard JVM execution characteristics, neither of which provides strict guarantees of constant-time behavior at the microarchitectural level. Operations such as modular exponentiation, multiplication, inversion, and even conditional value selection (cmov) may execute in variable time depending on internal optimizations, operand size, and JIT behavior.

For most applications, this is sufficient to avoid the major side-channel pitfalls associated with probabilistic or data-dependent loops (e.g., try-and-increment). But if your threat model requires strong, formally constant-time guarantees, such as protection against local timing attacks or hostile co-tenant environments, you should consider using a lower-level language with fixed-limb field arithmetic and verifiable constant-time primitives. Java cannot practically provide such guarantees with BigInteger-based implementations.

  • Constructor Details

    • H2cUtils

      public H2cUtils()

  • Method Details

    • cmov

      public static BigInteger cmov(BigInteger a, BigInteger b, boolean condition)
      Constant time implementation of selection of value based on condition
      Parameters:
      a - value selected on condition = false
      b - value selected on condition = true
      condition - condition
      Returns:
      'a' if condition is false, else 'b'

    • isSquare

      public static boolean isSquare(BigInteger val, BigInteger order)
      Test if a value is square in a prime field order
      Parameters:
      val - value to test
      order - prime field order
      Returns:
      true if val is square

    • sqrt

      public static BigInteger sqrt(BigInteger val, BigInteger order)
      Calculate the square root of val in a prime field order
      Parameters:
      val - value
      order - prime field order
      Returns:
      square root of val in field order

    • sgn0

      public static int sgn0(BigInteger val, ECCurve curve)
      Returns the sign of the BigInteger 'val' using the given ECCurve 'curve'.
      Parameters:
      val - the BigInteger value
      curve - the EC curve specifying the curve field
      Returns:
      the sign of 'val'
      Throws:
      IllegalArgumentException - if curve.getField().getDimension() != 1

    • inv0

      public static BigInteger inv0(BigInteger val, BigInteger order)
      Calculates the modular inverse of a BigInteger 'val' with respect to a given BigInteger 'order'.
      Parameters:
      val - the BigInteger value to calculate the inverse for
      order - the BigInteger representing the order
      Returns:
      the modular inverse of 'val' with respect to 'order'

    • i2osp

      public static byte[] i2osp(int val, int len)
      Convert an integer value to a byte array of a specified length.
      Parameters:
      val - the integer value to be converted
      len - the length of the resulting byte array
      Returns:
      the byte array representation of the integer value
      Throws:
      IllegalArgumentException - if the value requires more bytes than the assigned length size

    • os2ip

      public static BigInteger os2ip(byte[] val)
      Converts a byte array to a BigInteger.
      Parameters:
      val - the byte array to convert
      Returns:
      the BigInteger representation of the byte array

    • xor

      public static byte[] xor(byte[] arg1, byte[] arg2)
      Performs bitwise XOR operation on two byte arrays.
      Parameters:
      arg1 - the first byte array
      arg2 - the second byte array
      Returns:
      the result of the XOR operation as a new byte array
      Throws:
      NullPointerException - if either arg1 or arg2 is null
      IllegalArgumentException - if arg1 and arg2 have different lengths