чт, 31 окт. 2019 г. в 17:00, Simo Sorce simo@redhat.com:
On Thu, 2019-10-31 at 15:07 +0300, Dmitry Eremin-Solenikov wrote:
Hello,
I've noticed the following typical code sequence:
ecc_modp_mul(ecc, t, x, y); cy = mpn_sub_n(dest, t, ecc->p.m, ecc->p.size); cnd_copy(cy, dest, t, ecc->p.size);
What is the benefit of this piece of code over the following one?
ecc_modp_mul(ecc, t, x, y); memcpy(dest, t, ecc->p.size * sizeof(mp_limb_t));
Does mpn_sun_n/cnd_copy add any form of side channel attach protection?
cnd_copy provides side-channel protection when you want to make the copy conditional.
In this case the copy is conditional to the carry being returned from the subtraction, your code does not look equivalent.
After ecc_modp_mul() call value of `t` should be already lower than `ecc->p.m`. So subtract will always return a carry.