[git] GCRYPT - branch, master, updated. libgcrypt-1.6.0-289-g88e1358

by NIIBE Yutaka cvs at cvs.gnupg.org
Wed Nov 25 04:48:27 CET 2015 

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "The GNU crypto library".

The branch, master has been updated
       via  88e1358962e902ff1cbec8d53ba3eee46407851a (commit)
       via  f88adee3e1f3e2de7d63f92f90bfb3078afd3b4f (commit)
       via  8ad682c412047d3b9196950709dbd7bd14ac8732 (commit)
       via  295b1c3540752af4fc5e6f41480e6db215222fba (commit)
       via  b6015176df6bfae107ac82f9baa29ef2c175c9f9 (commit)
      from  940dc8adc034a6c6c38742f6bfd7d837a532d537 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 88e1358962e902ff1cbec8d53ba3eee46407851a
Author: NIIBE Yutaka <gniibe at fsij.org>
Date:   Wed Nov 25 12:46:19 2015 +0900

    ecc: Constant-time multiplication for Weierstrass curve.
    
    * mpi/ec.c (_gcry_mpi_ec_mul_point): Use simple left-to-right binary
    method for Weierstrass curve when SCALAR is secure.

diff --git a/mpi/ec.c b/mpi/ec.c
index 9394d89..4d59a7e 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -1236,16 +1236,27 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
   unsigned int i, loops;
   mpi_point_struct p1, p2, p1inv;
 
-  if (ctx->model == MPI_EC_EDWARDS)
+  if (ctx->model == MPI_EC_EDWARDS
+      || (ctx->model == MPI_EC_WEIERSTRASS
+          && mpi_is_secure (scalar)))
     {
       /* Simple left to right binary method.  GECC Algorithm 3.27 */
       unsigned int nbits;
       int j;
 
       nbits = mpi_get_nbits (scalar);
-      mpi_set_ui (result->x, 0);
-      mpi_set_ui (result->y, 1);
-      mpi_set_ui (result->z, 1);
+      if (ctx->model == MPI_EC_WEIERSTRASS)
+        {
+          mpi_set_ui (result->x, 1);
+          mpi_set_ui (result->y, 1);
+          mpi_set_ui (result->z, 0);
+        }
+      else
+        {
+          mpi_set_ui (result->x, 0);
+          mpi_set_ui (result->y, 1);
+          mpi_set_ui (result->z, 1);
+        }
 
       if (mpi_is_secure (scalar))
         {

commit f88adee3e1f3e2de7d63f92f90bfb3078afd3b4f
Author: NIIBE Yutaka <gniibe at fsij.org>
Date:   Wed Nov 25 12:13:04 2015 +0900

    mpi: fix gcry_mpi_swap_cond.
    
    * mpi/mpiutil.c (_gcry_mpi_swap_cond): Relax the condition.

diff --git a/mpi/mpiutil.c b/mpi/mpiutil.c
index d3264c7..99402b8 100644
--- a/mpi/mpiutil.c
+++ b/mpi/mpiutil.c
@@ -582,11 +582,15 @@ void
 _gcry_mpi_swap_cond (gcry_mpi_t a, gcry_mpi_t b, unsigned long swap)
 {
   mpi_size_t i;
-  mpi_size_t nlimbs = a->alloced;
+  mpi_size_t nlimbs;
   mpi_limb_t mask = ((mpi_limb_t)0) - swap;
   mpi_limb_t x;
 
-  if (a->alloced != b->alloced)
+  if (a->alloced > b->alloced)
+    nlimbs = b->alloced;
+  else
+    nlimbs = a->alloced;
+  if (a->nlimbs > nlimbs || b->nlimbs > nlimbs)
     log_bug ("mpi_swap_cond: different sizes\n");
 
   for (i = 0; i < nlimbs; i++)

commit 8ad682c412047d3b9196950709dbd7bd14ac8732
Author: NIIBE Yutaka <gniibe at fsij.org>
Date:   Wed Nov 25 10:52:57 2015 +0900

    mpi: Fix mpi_set_cond and mpi_swap_cond .
    
    * mpi/mpiutil.c (_gcry_mpi_set_cond, _gcry_mpi_swap_cond): Don't use
    the operator of !!, but assume SET/SWAP is 0 or 1.
    
    --
    
    If the code for !! would include a branch, it spoils the purpose of
    mpi_set_cond/mpi_swap_cond at all.  It's better to make sure the use
    of this function to be called with 0 or 1 for SET/SWAP.  Note that it
    conforms when SET/SWAP is the result of conditional expression of
    mpi_test_bit.
    
    Reported-by: Taylor R Campbell.

diff --git a/mpi/mpiutil.c b/mpi/mpiutil.c
index 71b3f1c..d3264c7 100644
--- a/mpi/mpiutil.c
+++ b/mpi/mpiutil.c
@@ -483,12 +483,17 @@ _gcry_mpi_set (gcry_mpi_t w, gcry_mpi_t u)
   return w;
 }
 
+/****************
+ * Set the value of W by the one of U, when SET is 1.
+ * Leave the value when SET is 0.
+ * This implementation should be constant-time regardless of SET.
+ */
 gcry_mpi_t
 _gcry_mpi_set_cond (gcry_mpi_t w, const gcry_mpi_t u, unsigned long set)
 {
   mpi_size_t i;
   mpi_size_t nlimbs = u->alloced;
-  mpi_limb_t mask = ((mpi_limb_t)0) - !!set;
+  mpi_limb_t mask = ((mpi_limb_t)0) - set;
   mpi_limb_t x;
 
   if (w->alloced != u->alloced)
@@ -568,12 +573,17 @@ _gcry_mpi_swap (gcry_mpi_t a, gcry_mpi_t b)
 }
 
 
+/****************
+ * Swap the value of A and B, when SWAP is 1.
+ * Leave the value when SWAP is 0.
+ * This implementation should be constant-time regardless of SWAP.
+ */
 void
 _gcry_mpi_swap_cond (gcry_mpi_t a, gcry_mpi_t b, unsigned long swap)
 {
   mpi_size_t i;
   mpi_size_t nlimbs = a->alloced;
-  mpi_limb_t mask = ((mpi_limb_t)0) - !!swap;
+  mpi_limb_t mask = ((mpi_limb_t)0) - swap;
   mpi_limb_t x;
 
   if (a->alloced != b->alloced)

commit 295b1c3540752af4fc5e6f41480e6db215222fba
Author: NIIBE Yutaka <gniibe at fsij.org>
Date:   Wed Nov 25 10:42:47 2015 +0900

    ecc: multiplication of Edwards curve to be constant-time.
    
    * mpi/ec.c (_gcry_mpi_ec_mul_point): Use point_swap_cond.
    
    --
    
    Reported-by: Taylor R Campbell.

diff --git a/mpi/ec.c b/mpi/ec.c
index 1644942..9394d89 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -1254,12 +1254,13 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
           mpi_point_struct tmppnt;
 
           point_init (&tmppnt);
+          point_resize (result, ctx);
+          point_resize (&tmppnt, ctx);
           for (j=nbits-1; j >= 0; j--)
             {
               _gcry_mpi_ec_dup_point (result, result, ctx);
               _gcry_mpi_ec_add_points (&tmppnt, result, point, ctx);
-              if (mpi_test_bit (scalar, j))
-                point_set (result, &tmppnt);
+              point_swap_cond (result, &tmppnt, mpi_test_bit (scalar, j), ctx);
             }
           point_free (&tmppnt);
         }

commit b6015176df6bfae107ac82f9baa29ef2c175c9f9
Author: NIIBE Yutaka <gniibe at fsij.org>
Date:   Wed Nov 25 10:19:39 2015 +0900

    ecc: Add point_resize and point_swap_cond.
    
    * mpi/ec.c (point_resize, point_swap_cond): New.
    (_gcry_mpi_ec_mul_point): Use point_resize and point_swap_cond.
    
    --
    
    Thanks to Taylor R Campbell who suggests.

diff --git a/mpi/ec.c b/mpi/ec.c
index 7266f2a..1644942 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -139,6 +139,34 @@ point_set (mpi_point_t d, mpi_point_t s)
 }
 
 
+static void
+point_resize (mpi_point_t p, mpi_ec_t ctx)
+{
+  /*
+   * For now, we allocate enough limbs for our EC computation of ec_*.
+   * Once we will improve ec_* to be constant size (and constant
+   * time), NLIMBS can be ctx->p->nlimbs.
+   */
+  size_t nlimbs = 2*ctx->p->nlimbs+1;
+
+  mpi_resize (p->x, nlimbs);
+  if (ctx->model != MPI_EC_MONTGOMERY)
+    mpi_resize (p->y, nlimbs);
+  mpi_resize (p->z, nlimbs);
+}
+
+
+static void
+point_swap_cond (mpi_point_t d, mpi_point_t s, unsigned long swap,
+                 mpi_ec_t ctx)
+{
+  mpi_swap_cond (d->x, s->x, swap);
+  if (ctx->model != MPI_EC_MONTGOMERY)
+    mpi_swap_cond (d->y, s->y, swap);
+  mpi_swap_cond (d->z, s->z, swap);
+}
+
+
 /* Set the projective coordinates from POINT into X, Y, and Z.  If a
    coordinate is not required, X, Y, or Z may be passed as NULL.  */
 void
@@ -1253,7 +1281,6 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
       mpi_point_struct p1_, p2_;
       mpi_point_t q1, q2, prd, sum;
       unsigned long sw;
-      size_t nlimbs;
 
       /* Compute scalar point multiplication with Montgomery Ladder.
          Note that we don't use Y-coordinate in the points at all.
@@ -1269,15 +1296,10 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
       p2.x  = mpi_copy (point->x);
       mpi_set_ui (p2.z, 1);
 
-      nlimbs = 2*(nbits+BITS_PER_MPI_LIMB-1)/BITS_PER_MPI_LIMB+1;
-      mpi_resize (p1.x, nlimbs);
-      mpi_resize (p1.z, nlimbs);
-      mpi_resize (p2.x, nlimbs);
-      mpi_resize (p2.z, nlimbs);
-      mpi_resize (p1_.x, nlimbs);
-      mpi_resize (p1_.z, nlimbs);
-      mpi_resize (p2_.x, nlimbs);
-      mpi_resize (p2_.z, nlimbs);
+      point_resize (&p1, ctx);
+      point_resize (&p2, ctx);
+      point_resize (&p1_, ctx);
+      point_resize (&p2_, ctx);
 
       q1 = &p1;
       q2 = &p2;
@@ -1289,19 +1311,16 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
           mpi_point_t t;
 
           sw = mpi_test_bit (scalar, j);
-          mpi_swap_cond (q1->x, q2->x, sw);
-          mpi_swap_cond (q1->z, q2->z, sw);
+          point_swap_cond (q1, q2, sw, ctx);
           montgomery_ladder (prd, sum, q1, q2, point->x, ctx);
-          mpi_swap_cond (prd->x, sum->x, sw);
-          mpi_swap_cond (prd->z, sum->z, sw);
+          point_swap_cond (prd, sum, sw, ctx);
           t = q1;  q1 = prd;  prd = t;
           t = q2;  q2 = sum;  sum = t;
         }
 
       mpi_clear (result->y);
       sw = (nbits & 1);
-      mpi_swap_cond (p1.x, p1_.x, sw);
-      mpi_swap_cond (p1.z, p1_.z, sw);
+      point_swap_cond (&p1, &p1_, sw, ctx);
 
       if (p1.z->nlimbs == 0)
         {

-----------------------------------------------------------------------

Summary of changes:
 mpi/ec.c      | 75 +++++++++++++++++++++++++++++++++++++++++------------------
 mpi/mpiutil.c | 22 ++++++++++++++----
 2 files changed, 71 insertions(+), 26 deletions(-)


hooks/post-receive
-- 
The GNU crypto library
http://git.gnupg.org


_______________________________________________
Gnupg-commits mailing list
Gnupg-commits at gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-commits

More information about the Gcrypt-devel mailing list