Niels Möller <ni...@lysator.liu.se> writes:

> It's preferable to use the mpn_powm_sec. When using mpz_t, I see no
> reasonable way to avoid leakage of the normalized size (or number of
> all-zero limbs at the most significant end).
One possibly unreasonable approach for consideration:

1. Document that the mpz_t result from mpz_powm_sec always has an alloc size >= n, where n is the limb size of the modulo input, and that the limb array is zero padded up to n.

2. Ensure that the implementation complies with (1) (probably easy, if the array is written by a call to mpn_sec_powm).

3. Do the normalization, i.e., assignment of the size field, by side-channel silent logic iterating over all n limbs.

However, any application taking advantage of (1) (and thus avoiding calling any other mpz functions on the result) could maybe just as well use mpn_sec_powm directly?

Regards,
/Niels

-- 
Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.

_______________________________________________
gmp-bugs mailing list
gmp-bugs@gmplib.org
https://gmplib.org/mailman/listinfo/gmp-bugs
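Step (3) of the proposal, the side-channel silent normalization over all n limbs, written out as an added example that is not code from GMP or from the thread; it uses a uint64_t stand-in for mp_limb_t (an assumption, so it builds without gmp.h) and shows the data-dependent loop it would replace beside the branch-free version:

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-in for GMP's mp_limb_t (assumption; avoids depending on gmp.h). */
typedef uint64_t limb_t;
#define LIMB_BITS (sizeof(limb_t) * 8)

/* Usual mpz-style normalization: the number of iterations, and hence
 * timing, depends on how many high limbs are zero. This is the leak
 * the thread is about. */
size_t leaky_normalize_size(const limb_t *p, size_t n)
{
    while (n > 0 && p[n - 1] == 0)
        n--;
    return n;
}

/* All-ones size_t mask when x != 0, zero mask otherwise, without a branch:
 * (x | -x) has its top bit set exactly when x is nonzero. */
static size_t nonzero_mask(limb_t x)
{
    limb_t top = (x | ((limb_t)0 - x)) >> (LIMB_BITS - 1);
    return (size_t)0 - (size_t)top;
}

/* Side-channel silent normalization of a zero-padded n-limb array:
 * every limb is read, the same arithmetic runs for each, and the result
 * is selected with masks rather than branches. Returns the count of
 * significant limbs (0 for an all-zero array), i.e. the value that would
 * go into the mpz size field. */
size_t sec_normalize_size(const limb_t *p, size_t n)
{
    size_t size = 0;
    for (size_t i = 0; i < n; i++) {
        size_t m = nonzero_mask(p[i]);
        /* If limb i is nonzero, size becomes i + 1; otherwise it is kept. */
        size = (size & ~m) | ((i + 1) & m);
    }
    return size;
}
```

Both functions return the same value for the same input; only the branch-free one keeps its memory access pattern and instruction count independent of the limb contents.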