Hi,
I agree with Bruce: we should default to a constant time behavior, so
definitely the code must use #ifndef instead of #ifdef since the patch
makes the scalar a fixed bit length value.
I think the paper authors got confused when they wrote the code.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
On 5/27/2011 4:10 PM, Bruce Stephens wrote:
"Dr. Stephen Henson"<st...@openssl.org> writes:
[...]
+#ifdef ECDSA_POINT_MUL_NO_CONSTTIME
+ /* We do not want timing information to leak the length of k,
+ * so we compute G*k using an equivalent scalar of fixed
+ * bit-length. */
+
+ if (!BN_add(k, k, order)) goto err;
+ if (BN_num_bits(k)<= BN_num_bits(order))
+ if (!BN_add(k, k, order)) goto err;
+#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */
+
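Review bot: The guard on the first line of this hunk, `#ifdef ECDSA_POINT_MUL_NO_CONSTTIME`, has the wrong sense: the code that pads k to a fixed bit length is compiled in only when the macro that opts out of constant-time behaviour is defined, so a build that does not define the macro gets no padding. Change it to `#ifndef ECDSA_POINT_MUL_NO_CONSTTIME` and update the trailing `#endif` comment to match the new sense. The nested `if` on `BN_num_bits(k)<= BN_num_bits(order)` would also read more clearly with braces around the second `BN_add` call.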
Almost certainly my misunderstanding, but isn't the sense of this wrong?
That is, surely the new code should be added if we want the CONSTTIME
behaviour (i.e., if NO_CONSTTIME is not defined), and we'd want that by
default so it should be #ifndef rather than #ifdef?
(I agree it's #ifdef in the eprint too, which increases the likelihood
that I'm just misunderstanding something.)
[...]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majord...@openssl.org