ni...@lysator.liu.se (Niels Möller) writes:

> After some discussion with Torbjörn, I intend to change mpn_sec_powm to take the exponent size argument in bits, rather than limbs (because the current code may leak the high bit of the exponent, which can cause serious problems for some applications, e.g., DSA signatures). But first, I'd like to fix a more minor issue.
>
> We should perhaps point out in the documentation of this function that callers should not trim the exponent limb area or the bit count argument in a data-dependent fashion.
>
> It might also be interesting to note that there's only a single gmp-mparam.h file where POWM_SEC_TABLE starts with 1: x86_64/bobcat. There are a larger number of gmp-mparam.h files where it starts with 2, which would shrink to 1 if the code is fixed to emit nbits - 1.
>
> All this might not be terribly important, but there is a conditional for eb < windowsize (before the loop, i.e., for the initial value of eb), not exercised by the testsuite, but needed because of this tuneup peculiarity (see https://gmplib.org/devel/lcov/shell/tmp/lcov/gmp/mpn/sec_powm.c.gcov.html). And I'd like to eliminate that test.

[snip]

I didn't read your analysis properly now, but let me add that the POWM_SEC_TABLE measuring never became robust; two consecutive measurements didn't seem to give very similar data. This might be due to a tuneup bug you now fixed, or it might be an effect of inherent smoothness of the cutoff points.

Torbjörn

Please encrypt, key id 0xC8601622
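An added illustration of the caller mistake the quoted note warns about (trimming the exponent's bit count in a data-dependent way). This is example code written for this thread, not GMP's mpn_sec_powm: the function names, the toy square-and-multiply over a 64-bit exponent and the 32-bit modulus are all my own constructions, and the only thing it measures is the loop iteration count, which is what a timing observer would see.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy stand-in for a "secure" modular exponentiation: left-to-right
   square-and-multiply over a 64-bit exponent, with a modulus below 2^32 so
   that products fit in uint64_t. Hypothetical names, not GMP's API. The
   iteration count is reported through *iterations so the caller can see
   what a timing side channel would observe. */

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (a % m) * (b % m) % m;        /* both factors < 2^32, no overflow */
}

/* Always runs exactly nbits iterations, whatever the exponent's value.
   The multiply is performed unconditionally and kept or discarded with a
   mask, so there is no secret-dependent branch inside the loop either. */
uint64_t powm_fixed_bits(uint64_t base, uint64_t e, unsigned nbits,
                         uint64_t m, unsigned *iterations)
{
    uint64_t r = 1 % m;
    unsigned i = nbits;
    *iterations = 0;
    while (i-- > 0) {
        uint64_t bit  = (e >> i) & 1;
        uint64_t mask = (uint64_t)0 - bit;       /* all ones when bit is set */
        uint64_t t;
        r = mulmod(r, r, m);                     /* square */
        t = mulmod(r, base, m);                  /* multiply, always computed */
        r = (t & mask) | (r & ~mask);            /* branch-free select */
        (*iterations)++;
    }
    return r;
}

/* Bit length of e, i.e. a value derived from the secret exponent. */
unsigned bitlen(uint64_t e)
{
    unsigned n = 0;
    while (e) { n++; e >>= 1; }
    return n;
}

/* The mistake the note warns against: trimming the bit count to the
   exponent's actual length. The result is still correct, but the loop now
   runs bitlen(e) times, revealing the position of the top set bit. */
uint64_t powm_trimmed(uint64_t base, uint64_t e, uint64_t m, unsigned *iterations)
{
    return powm_fixed_bits(base, e, bitlen(e), m, iterations);
}

/* Small wrappers with a constructed modulus and base, returning just the
   pieces worth comparing: the result and the observable iteration count. */
#define TOY_MODULUS 1000000007u                  /* constructed prime */

uint64_t pow3_fixed(uint64_t e, unsigned nbits)
{
    unsigned it;
    return powm_fixed_bits(3, e, nbits, TOY_MODULUS, &it);
}

unsigned count_fixed(uint64_t e, unsigned nbits)
{
    unsigned it;
    powm_fixed_bits(3, e, nbits, TOY_MODULUS, &it);
    return it;
}

unsigned count_trimmed(uint64_t e)
{
    unsigned it;
    powm_trimmed(3, e, TOY_MODULUS, &it);
    return it;
}

int main(void)
{
    uint64_t e_small = 5;                               /* constructed exponent */
    uint64_t e_big   = ((uint64_t)1 << 40) | 5;         /* constructed exponent */

    printf("fixed 64-bit count: %u and %u iterations\n",
           count_fixed(e_small, 64), count_fixed(e_big, 64));   /* 64 and 64 */
    printf("trimmed to bitlen:  %u and %u iterations\n",
           count_trimmed(e_small), count_trimmed(e_big));       /* 3 and 41 */
    return 0;
}
```

The fix on the caller's side is to pass the bit count of the group order (or of the modulus) for every exponent, so the loop length is a public constant; this is the same property the proposed bits-instead-of-limbs interface is meant to make easier to get right.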