Hello,
Sat, 11 May 2019 at 11:26, Niels Möller nisse@lysator.liu.se:
Dmitry Eremin-Solenikov dbaryshkov@gmail.com writes:
Signed-off-by: Dmitry Eremin-Solenikov dbaryshkov@gmail.com
ecc-mod-arith.c | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/ecc-mod-arith.c b/ecc-mod-arith.c index f2e47f6747c1..571680a98dc3 100644 --- a/ecc-mod-arith.c +++ b/ecc-mod-arith.c @@ -73,10 +73,12 @@ ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp, assert (b <= 0xffffffff); hi = mpn_mul_1 (rp, ap, m->size, b); hi = mpn_addmul_1 (rp, m->B, m->size, hi);
- assert (hi <= 1);
- hi = cnd_add_n (hi, rp, m->B, m->size);
- /* Sufficient if b < B^size / p */
- assert (hi == 0);
- do {
- if (hi > 1) /* This is necessary for some of GOST curves */
hi = mpn_addmul_1 (rp, m->B, m->size, hi);
- else
hi = cnd_add_n (hi, rp, m->B, m->size);
- } while (hi != 0);
}
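Review bot: the replacement loop branches on hi twice (`if (hi > 1)` and `} while (hi != 0);`), and it also drops the `assert (hi <= 1);` together with the comment `/* Sufficient if b < B^size / p */` that documented the precondition, so the new code is data-dependent in exactly the variable the old code bounded, and the bound itself is no longer stated anywhere. Suggest keeping a comment that states the new bound on b and p (and which GOST moduli fall outside the old one), and replacing the loop with a fixed number of unconditional `hi = mpn_addmul_1 (rp, m->B, m->size, hi);` calls followed by a single `cnd_add_n`, with the count derived from the maximum possible carry so that `assert (hi == 0);` can stay at the end.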
Is it the condition b < B^size / p that is not valid for the GOST curves? What are the problematic values of b and p?
I did not try debugging the maths part of this issue. Basically you can apply the first two patches and then observe asserts failing when running the ecc-benchmark example. The problematic modulus looks like 80000.......something. Bmodp then looks like 7fffffff.....something.
Any help at this point is appreciated.
To keep the ecc code side-channel silent, there must be no conditional jumps depending on hi (except for asserts, since they always branch the same way in a non-crashing program). The adjustments can only do unconditional calls to functions like mpn_add_mul_1 and cnd_add_1.
Yes, thus I've tried adding a loop which should nearly always terminate with just a single compare after cnd_add_1.
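As an added illustration of the unconditional-adjustment approach Niels describes (this is not code from the thread or from Nettle): a toy ecc_mod_mul_1 with 32-bit limbs and a constructed 64-bit modulus whose top bit is set, the "80000..." shape reported above, in which the data-dependent `if (hi > 1) ... while (hi != 0)` loop is replaced by a fixed number of addmul_1 folds plus one mask-based cnd_add_n. P, BMODP, SIZE and FOLDS are constructed/assumed values for this toy, and the fold count is derived only for this limb size, b < 2^32, and a modulus with its top bit set.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of ecc_mod_mul_1 with 32-bit limbs and a 64-bit modulus (two
   limbs), small enough that a reference result fits in unsigned __int128.
   P is a constructed modulus with its top bit set, the "80000..." shape the
   thread reports; BMODP = 2^64 - P, the analogue of m->B ("7fffffff..."). */
#define SIZE 2
typedef uint32_t limb;
static const uint64_t P = 0x8000000000000095ULL;
static const limb BMODP[SIZE] = { 0xffffff6bu, 0x7fffffffu }; /* little-endian */

static limb mul_1(limb *rp, const limb *ap, limb b) {        /* rp = ap * b */
  uint64_t c = 0;
  for (int i = 0; i < SIZE; i++) { uint64_t t = (uint64_t)ap[i] * b + c; rp[i] = (limb)t; c = t >> 32; }
  return (limb)c;
}
static limb addmul_1(limb *rp, const limb *bp, limb v) {    /* rp += bp * v, same work for v == 0 */
  uint64_t c = 0;
  for (int i = 0; i < SIZE; i++) { uint64_t t = (uint64_t)bp[i] * v + rp[i] + c; rp[i] = (limb)t; c = t >> 32; }
  return (limb)c;
}
static limb cnd_add_n(limb cnd, limb *rp, const limb *bp) { /* rp += cnd ? bp : 0, via a mask, no branch */
  limb mask = -(limb)(cnd != 0);
  uint64_t c = 0;
  for (int i = 0; i < SIZE; i++) { uint64_t t = (uint64_t)rp[i] + (bp[i] & mask) + c; rp[i] = (limb)t; c = t >> 32; }
  return (limb)c;
}

/* Fold the overflow limb back with a FIXED number of unconditional addmul_1
   calls instead of a loop that tests hi. For b < 2^32 the first overflow is
   < 2^32; since BMODP <= 2^63, each fold maps hi to at most ceil(hi/2), so 32
   folds reach hi <= 1, and one more leaves a residue that the final
   cnd_add_n absorbs without producing a carry. */
#define FOLDS 33
static limb mod_mul_1(limb *rp, const limb *ap, limb b) {
  limb hi = mul_1(rp, ap, b);
  for (int i = 0; i < FOLDS; i++) hi = addmul_1(rp, BMODP, hi);
  return cnd_add_n(hi, rp, BMODP);                           /* 0 for this modulus */
}

/* Self-check against the __int128 reference: result must be congruent mod P
   and the final carry must be 0 (rp is then a valid 64-bit residue). */
static uint64_t pack(const limb *rp) { return ((uint64_t)rp[1] << 32) | rp[0]; }
static int check(uint64_t a, limb b) {
  limb ap[SIZE] = { (limb)a, (limb)(a >> 32) }, rp[SIZE];
  limb hi = mod_mul_1(rp, ap, b);
  return hi == 0 && pack(rp) % P == (uint64_t)(((unsigned __int128)a * b) % P);
}
int main(void) { printf("worst case ok: %d\n", check(UINT64_MAX, 0xffffffffu)); return 0; }
```

The same schedule with a data-dependent loop would leave the number of addmul_1 calls, and thus the timing, a function of the operands; here every call path is identical for every input.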