Hello,

Sat, 11 May 2019 at 11:26, Niels Möller <ni...@lysator.liu.se>:
>
> Dmitry Eremin-Solenikov <dbarysh...@gmail.com> writes:
>
> > Signed-off-by: Dmitry Eremin-Solenikov <dbarysh...@gmail.com>
> > ---
> >  ecc-mod-arith.c | 30 ++++++++++++++++++------------
> >  1 file changed, 18 insertions(+), 12 deletions(-)
> >
> > diff --git a/ecc-mod-arith.c b/ecc-mod-arith.c
> > index f2e47f6747c1..571680a98dc3 100644
> > --- a/ecc-mod-arith.c
> > +++ b/ecc-mod-arith.c
> > @@ -73,10 +73,12 @@ ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t 
> > *rp,
> >    assert (b <= 0xffffffff);
> >    hi = mpn_mul_1 (rp, ap, m->size, b);
> >    hi = mpn_addmul_1 (rp, m->B, m->size, hi);
> > -  assert (hi <= 1);
> > -  hi = cnd_add_n (hi, rp, m->B, m->size);
> > -  /* Sufficient if b < B^size / p */
> > -  assert (hi == 0);
> > +  do {
> > +    if (hi > 1) /* This is necessary for some of GOST curves */
> > +      hi = mpn_addmul_1 (rp, m->B, m->size, hi);
> > +    else
> > +      hi = cnd_add_n (hi, rp, m->B, m->size);
> > +  } while (hi != 0);
> >  }
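Review bot: the new `if (hi > 1)` test and the `while (hi != 0)` exit condition are conditional branches on the carry, so the path taken and the number of passes through mpn_addmul_1 / cnd_add_n now depend on the operand values, whereas the removed code only branched inside asserts. Suggest replacing the loop with a fixed, operand-independent number of steps (an unconditional mpn_addmul_1 followed by cnd_add_n, repeated as many times as the largest carry the modulus can produce), and replacing `/* This is necessary for some of GOST curves */` with the bound on b that makes that count sufficient, since the old `/* Sufficient if b < B^size / p */` comment is removed without a replacement.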
>
> Is it the condition b < B^size / p that is not valid for the GOST
> curves? What are the problematic values of b and p?

I did not try debugging the maths part of this issue.
Basically you can apply the first two patches and then observe asserts failing
when running the ecc-benchmark example. The problematic module looks like
80000.......something. Bmodp then looks like 7fffffff.....something.

Any help at this point is appreciated.

> To keep the ecc code side-channel silent, there must be no conditional
> jumps depending on hi (except for asserts, since they always branch the
> same way in a non-crashing program). The adjustments can only do
> unconditional calls to functions like mpn_add_mul_1 and cnd_add_1.

Yes, thus I've tried adding a loop which should nearly always terminate with
just a single compare after cnd_add_1.

-- 
With best wishes
Dmitry
_______________________________________________
nettle-bugs mailing list
nettle-bugs@lists.lysator.liu.se
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
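The exchange above hinges on when one mpn_addmul_1 of the carry plus one cnd_add_n is enough. The following is an added illustration, not Nettle's code and not from either poster: a Python model of ecc_mod_mul_1 using big integers in place of mpn limb arrays. It takes the NIST P-256 prime as the "normal" case and a constructed modulus p = 2^511 + 111 (chosen only to have the 0x8000...something shape the email describes; not a value from any curve definition) as the problem case. `max_b_single_pass`, `mul_1_single_pass`, `mul_1_loop` and the derived bound 2^n / (2^n - p) are this example's own names and reasoning.

```python
# Added example, not Nettle's code: a Python model of ecc_mod_mul_1 using big
# integers in place of mpn limb arrays. It shows why the single-pass reduction
# (one mpn_addmul_1 of the carry plus one cnd_add_n) is enough for a modulus
# like P-256 but not for one of the form 0x8000...something, and that the
# patched do/while loop runs an operand-dependent number of times.

LIMB_BITS = 64


def split(x, size):
    """Split x into (low size-limb value, carry above it), like an mpn result."""
    n = LIMB_BITS * size
    return x & ((1 << n) - 1), x >> n


def bmodp(p, size):
    """m->B in Nettle's ecc_modulo: 2^(64*size) - p, i.e. 2^n mod p."""
    return (1 << (LIMB_BITS * size)) - p


def max_b_single_pass(p, size):
    """Largest b for which both asserts of the original code hold (assumption
    derived here): with a < 2^n the carry of a*b is hi < b, and we need
    b * B_p <= 2^n so that lo + hi*B_p and the later cnd_add_n stay below 2^(n+1)."""
    return (1 << (LIMB_BITS * size)) // bmodp(p, size)


def mul_1_single_pass(a, b, p, size):
    """Pre-patch behaviour. Returns (rp, hi_after_addmul, final_carry); the two
    asserts in the original code are hi_after_addmul <= 1 and final_carry == 0."""
    Bp = bmodp(p, size)
    rp, hi = split(a * b, size)              # hi = mpn_mul_1 (rp, ap, size, b)
    rp, hi = split(rp + hi * Bp, size)       # hi = mpn_addmul_1 (rp, m->B, size, hi)
    hi_after_addmul = hi
    # cnd_add_n (hi, rp, m->B, size): adds B_p when hi == 1 (meaningless for hi > 1)
    rp, carry = split(rp + (Bp if hi == 1 else 0), size)
    return rp, hi_after_addmul, carry


def mul_1_loop(a, b, p, size):
    """Patched behaviour: repeat until the carry is zero. Returns
    (rp, iterations); the iteration count is what a timing side channel sees."""
    Bp = bmodp(p, size)
    rp, hi = split(a * b, size)
    rp, hi = split(rp + hi * Bp, size)
    iterations = 0
    while True:                              # do { ... } while (hi != 0);
        iterations += 1
        if hi > 1:
            rp, hi = split(rp + hi * Bp, size)
        else:
            rp, hi = split(rp + (Bp if hi else 0), size)
        if hi == 0:
            break
    return rp, iterations


# NIST P-256 prime, 4 limbs: B_p = 2^224 - 2^192 - 2^96 + 1, far below 2^256.
P256 = (1 << 256) - (1 << 224) + (1 << 192) + (1 << 96) - 1
# Constructed modulus with the 0x8000...something shape, 8 limbs:
# B_p = 2^511 - 111 = 0x7fff...ff91, i.e. about half of 2^512.
P_HALF = (1 << 511) + 111

if __name__ == "__main__":
    for name, p, size in (("P-256", P256, 4), ("0x8000...", P_HALF, 8)):
        a, b = p - 1, 0xFFFFFFFF
        rp, hi, carry = mul_1_single_pass(a, b, p, size)
        rp_loop, iters = mul_1_loop(a, b, p, size)
        print(f"{name}: max single-pass b = {max_b_single_pass(p, size):#x}, "
              f"hi after addmul = {hi}, final carry = {carry}, "
              f"loop iterations = {iters}, loop result correct = "
              f"{rp_loop % p == (a * b) % p}")
```

For P-256 the bound comes out above 0xffffffff, matching the existing `assert (b <= 0xffffffff)`; for the constructed half-range modulus it is 2, so any b >= 3 can leave a carry of more than 1 after the first mpn_addmul_1, and the loop then takes a number of passes that grows with the operands rather than a fixed count.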
