[PATCH] mpi_swap_conditional
Ian Goldberg
ian at cypherpunks.ca
Thu Jun 19 20:08:32 CEST 2014
On Thu, Jun 19, 2014 at 02:52:59PM +0900, NIIBE Yutaka wrote:
> Hello,
>
> For implementing Curve25519 to be constant-time, I need a function
> which swaps values conditionally, in constant-time. If SW=1 it swaps,
> if not it doesn't; both cases are executed with the same timing.
So the values of a and b are public, but only the value of SW is
private? Isn't that a pretty unusual case? The timing of the code
below definitely depends on the values (in particular the relative
sizes) of a and b, so if a and b are non-public, this is not a
constant-time routine, right?
> + if (b->alloced < a->nlimbs)
> + {
> + mpi_resize (b, a->nlimbs);
> + nlimbs = a->nlimbs;
> + }
> + else if (a->alloced < b->nlimbs)
> + {
> + mpi_resize (a, b->nlimbs);
> + nlimbs = b->nlimbs;
> + }
> + else if (b->nlimbs < a->nlimbs)
> + {
> + mpi_resize (b, a->nlimbs);
> + nlimbs = b->nlimbs = a->nlimbs;
> + }
> + else if (a->nlimbs < b->nlimbs)
> + {
> + mpi_resize (a, b->nlimbs);
> + nlimbs = a->nlimbs = b->nlimbs;
> + }
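Review bot: the branch taken in this chain depends on the relative sizes of a and b (their alloced and nlimbs fields), and mpi_resize can (re)allocate, so the routine's running time varies with the operand sizes even when SW is the only secret; if a and b can ever be private, bring both to a common limb count before entering the constant-time path rather than inside it. Separately, the four branches treat nlimbs inconsistently: the first two set only the local `nlimbs` (e.g. `mpi_resize (b, a->nlimbs); nlimbs = a->nlimbs;` leaves b->nlimbs at its old value), while the last two also assign `b->nlimbs = a->nlimbs` / `a->nlimbs = b->nlimbs`; either update the operand's nlimbs in all branches or document why the swap loop does not rely on it.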
- Ian
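The kind of swap the thread is after, as an added example that is neither the patch above nor libgcrypt's code: a mask-based conditional swap over two limb arrays that are already the same length, with no branch on the swap flag or on the limb values. It assumes the caller has equalised the lengths beforehand (the step the patch does with mpi_resize), because a length-dependent branch would leak through timing exactly as Ian points out; limb_t, ct_mask, ct_cswap and cswap_demo are names chosen here, not libgcrypt's.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not libgcrypt code: constant-time conditional swap of two
   limb arrays of equal length n. The same memory locations are read and
   written whether or not the swap happens; only the mask changes. */

typedef uint64_t limb_t;   /* assumed limb width for this example */

/* Expand a 0/1 flag into an all-zeros or all-ones mask without branching. */
static limb_t ct_mask(unsigned swap)
{
    return (limb_t)0 - (limb_t)(swap & 1u);
}

/* Swap a[0..n) and b[0..n) if swap == 1, leave them if swap == 0.
   Precondition: both arrays hold exactly n limbs (lengths already equal). */
void ct_cswap(limb_t *a, limb_t *b, size_t n, unsigned swap)
{
    limb_t mask = ct_mask(swap);
    for (size_t i = 0; i < n; i++) {
        limb_t t = mask & (a[i] ^ b[i]);   /* t == 0 when not swapping */
        a[i] ^= t;
        b[i] ^= t;
    }
}

/* Demo on constructed sample limbs: returns 1 if the result matches the
   expected state for the given flag, 0 otherwise. */
int cswap_demo(unsigned swap)
{
    limb_t a[4] = {1, 2, 3, 4};   /* constructed sample values */
    limb_t b[4] = {9, 8, 7, 6};
    limb_t a0[4], b0[4];
    memcpy(a0, a, sizeof a);
    memcpy(b0, b, sizeof b);
    ct_cswap(a, b, 4, swap);
    if (swap)
        return memcmp(a, b0, sizeof a) == 0 && memcmp(b, a0, sizeof b) == 0;
    return memcmp(a, a0, sizeof a) == 0 && memcmp(b, b0, sizeof b) == 0;
}
```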