FWIW: This isn't like RSA blinding where the impact was significant.
The performance impact of this is negligible; it may as well be unconditional.


Peter


-----owner-openssl-...@openssl.org wrote: -----

To: openssl-dev@openssl.org
From: Mounir IDRASSI <mounir.idra...@idrix.net>
Sent by: owner-openssl-...@openssl.org
Date: 05/28/2011 12:49AM
Subject: Re: [CVS] OpenSSL: openssl/ CHANGES openssl/crypto/ecdsa/ ecs_ossl.c

Hi,

I agree with Bruce: we should default to a constant time behavior so
definitely the code must use #ifndef instead of #ifdef since the patch
makes the scalar a fixed bit length value.
I think the paper authors got confused when they wrote the code.

Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr

On 5/27/2011 4:10 PM, Bruce Stephens wrote:
> "Dr. Stephen Henson"<st...@openssl.org>  writes:
>
> [...]
>
>>    +#ifdef ECDSA_POINT_MUL_NO_CONSTTIME
>>    +          /* We do not want timing information to leak the length of k,
>>    +          * so we compute G*k using an equivalent scalar of fixed
>>    +          * bit-length. */
>>    +
>>    +          if (!BN_add(k, k, order)) goto err;
>>    +          if (BN_num_bits(k)<= BN_num_bits(order))
>>    +               if (!BN_add(k, k, order)) goto err;
>>    +#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */
>>    +
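Review bot: the guard on the first added line, "#ifdef ECDSA_POINT_MUL_NO_CONSTTIME", compiles the fixed bit-length padding of k only when the NO_CONSTTIME macro is defined, so a build that does not define it gets no padding, which contradicts the comment's stated goal of not leaking the length of k. Suggest "#ifndef ECDSA_POINT_MUL_NO_CONSTTIME" here and a matching change to the "#endif" comment. The inner "if (!BN_add(k, k, order)) goto err;" nested under the unbraced BN_num_bits comparison would also be safer to maintain with braces.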
> Almost certainly my misunderstanding, but isn't the sense of this wrong?
>
> That is, surely the new code should be added if we want the CONSTTIME
> behaviour (i.e., if NO_CONSTTIME is not defined), and we'd want that by
> default so it should be #ifndef rather than #ifdef?
>
> (I agree it's #ifdef in the eprint too, which increases the likelihood
> that I'm just misunderstanding something.)
>
> [...]
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org
