FWIW: This isn't like RSA blinding where the impact was significant.
The performance impact of this is negligible, it may as well be unconditional.
Peter
To: openssl-dev@openssl.org
From: Mounir IDRASSI <mounir.idra...@idrix.net>
Sent by: owner-openssl-...@openssl.org
Date: 05/28/2011 12:49AM
Subject: Re: [CVS] OpenSSL: openssl/ CHANGES openssl/crypto/ecdsa/ ecs_ossl.c
Hi,
I agree with Bruce: we should default to a constant time behavior so
definitely the code must use #ifndef instead of #ifdef since the patch
makes the scalar a fixed bit length value.
I think the paper authors got confused when they wrote the code.
Cheers,
--
Mounir IDRASSI
IDRIX
http://www.idrix.fr
On 5/27/2011 4:10 PM, Bruce Stephens wrote:
> "Dr. Stephen Henson"<st...@openssl.org> writes:
>
> [...]
>
>> +#ifdef ECDSA_POINT_MUL_NO_CONSTTIME
>> + /* We do not want timing information to leak the length of k,
>> + * so we compute G*k using an equivalent scalar of fixed
>> + * bit-length. */
>> +
>> + if (!BN_add(k, k, order)) goto err;
>> + if (BN_num_bits(k)<= BN_num_bits(order))
>> + if (!BN_add(k, k, order)) goto err;
>> +#endif /* def(ECDSA_POINT_MUL_NO_CONSTTIME) */
>> +
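Review bot: The guard on the first added line, `#ifdef ECDSA_POINT_MUL_NO_CONSTTIME`, compiles the two `BN_add` calls in only when the NO_CONSTTIME macro is defined, which contradicts the comment directly below it about not leaking the length of k. Use `#ifndef ECDSA_POINT_MUL_NO_CONSTTIME` and update the trailing `#endif` comment to match, or drop the guard so the padding always runs. The nested `if` on `BN_num_bits(k)<= BN_num_bits(order)` would also be easier to audit with braces around the second `BN_add`.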
> Almost certainly my misunderstanding, but isn't the sense of this wrong?
>
> That is, surely the new code should be added if we want the CONSTTIME
> behaviour (i.e., if NO_CONSTTIME is not defined), and we'd want that by
> default so it should be #ifndef rather than #ifdef?
>
> (I agree it's #ifdef in the eprint too, which increases the likelihood
> that I'm just misunderstanding something.)
>
> [...]
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List openssl-dev@openssl.org
> Automated List Manager majord...@openssl.org
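The fixed-bit-length property discussed in this thread can be checked with plain integers. This is an added example, not code from OpenSSL or from any poster: `pad_nonce`, `bit_lengths`, `sample_nonces` and the toy order 241 are constructed for illustration, and the code mirrors only the two `BN_add` steps of the quoted hunk.

```python
# Added illustration: the padding step from the quoted hunk, on Python ints.
# Function names and the toy order are assumptions made for this example.

# Order of the NIST P-256 base point (a public curve constant).
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
TOY_ORDER = 241  # constructed small prime, so every nonce can be enumerated


def pad_nonce(k: int, order: int) -> int:
    """Return k + order or k + 2*order, whichever is one bit longer than order.

    The result is congruent to k modulo order, so it yields the same point
    when multiplied by a generator of that order.
    """
    if not 0 < k < order:
        raise ValueError("nonce must satisfy 0 < k < order")
    k += order                                # BN_add(k, k, order)
    if k.bit_length() <= order.bit_length():  # BN_num_bits(k) <= BN_num_bits(order)
        k += order                            # second BN_add(k, k, order)
    return k


def bit_lengths(nonces, order, padded):
    """Set of scalar bit lengths the point multiplication would be given."""
    return {(pad_nonce(k, order) if padded else k).bit_length() for k in nonces}


def sample_nonces(order):
    """Constructed sample: short nonces, near-order values and the values
    where k + order crosses the next power of two."""
    top = 1 << order.bit_length()
    picks = {1, 2, 3, order >> 9, order >> 1, order - 2, order - 1,
             top - order - 1, top - order, top - order + 1}
    return sorted(k for k in picks if 0 < k < order)


if __name__ == "__main__":
    for name, order in (("toy", TOY_ORDER), ("P-256", P256_ORDER)):
        ks = range(1, order) if order < (1 << 16) else sample_nonces(order)
        print(name,
              "raw:", sorted(bit_lengths(ks, order, False)),
              "padded:", sorted(bit_lengths(ks, order, True)))
```
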