multiple timing side channels
NIIBE Yutaka
gniibe at fsij.org
Thu Nov 26 02:12:05 CET 2015
Hello,
Please have a look at the development version.
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git
I committed five changes. I'll keep considering changes for ec_*
implementation.
commit 88e1358962e902ff1cbec8d53ba3eee46407851a
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Wed Nov 25 12:46:19 2015 +0900
ecc: Constant-time multiplication for Weierstrass curve.
* mpi/ec.c (_gcry_mpi_ec_mul_point): Use simple left-to-right binary
method for Weierstrass curve when SCALAR is secure.
commit f88adee3e1f3e2de7d63f92f90bfb3078afd3b4f
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Wed Nov 25 12:13:04 2015 +0900
mpi: fix gcry_mpi_swap_cond.
* mpi/mpiutil.c (_gcry_mpi_swap_cond): Relax the condition.
commit 8ad682c412047d3b9196950709dbd7bd14ac8732
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Wed Nov 25 10:52:57 2015 +0900
mpi: Fix mpi_set_cond and mpi_swap_cond.
* mpi/mpiutil.c (_gcry_mpi_set_cond, _gcry_mpi_swap_cond): Don't use
the operator of !!, but assume SET/SWAP is 0 or 1.
--
If the code for !! included a branch, it would defeat the purpose of
mpi_set_cond/mpi_swap_cond entirely. It's better to make sure that
this function is called with 0 or 1 for SET/SWAP. Note that this holds
when SET/SWAP is the result of a conditional expression on
mpi_test_bit.
Reported-by: Taylor R Campbell.
commit 295b1c3540752af4fc5e6f41480e6db215222fba
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Wed Nov 25 10:42:47 2015 +0900
ecc: multiplication of Edwards curve to be constant-time.
* mpi/ec.c (_gcry_mpi_ec_mul_point): Use point_swap_cond.
--
Reported-by: Taylor R Campbell.
commit b6015176df6bfae107ac82f9baa29ef2c175c9f9
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Wed Nov 25 10:19:39 2015 +0900
ecc: Add point_resize and point_swap_cond.
* mpi/ec.c (point_resize, point_swap_cond): New.
(_gcry_mpi_ec_mul_point): Use point_resize and point_swap_cond.
--
Thanks to Taylor R Campbell, who suggested this.
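The commits above rest on two ideas: a conditional swap/set whose mask is derived arithmetically from a flag that is guaranteed to be 0 or 1 (so no `!!` normalisation and no branch is needed), and a scalar multiplication whose sequence of group operations does not depend on the scalar bits. The following is an added illustration, not libgcrypt code: it uses the multiplicative group modulo the prime 2^32 - 5 as a stand-in for the curve (multiplication in place of point addition, squaring in place of doubling), a Montgomery ladder driven by the conditional swap, and the branching square-and-multiply it replaces for comparison. The names `limbs_swap_cond`, `limbs_set_cond`, `ct_pow_mod`, `naive_pow_mod` and `TOY_P` are all invented for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t limb_t;

/* Constant-time conditional swap of two limb arrays, in the spirit of
   mpi_swap_cond. SWAP must be exactly 0 or 1: the mask is derived by
   arithmetic (0 -> 0, 1 -> all ones), so there is no branch for the
   compiler to emit and no secret-dependent memory access. This is the
   caller contract the commit above adopts instead of normalising with !!. */
static void limbs_swap_cond(limb_t *a, limb_t *b, size_t n, limb_t swap)
{
    limb_t mask = (limb_t)0 - swap;          /* 0x00..0 or 0xFF..F */
    for (size_t i = 0; i < n; i++) {
        limb_t t = mask & (a[i] ^ b[i]);
        a[i] ^= t;
        b[i] ^= t;
    }
}

/* Constant-time conditional copy (mpi_set_cond analogue): a = SET ? b : a. */
static void limbs_set_cond(limb_t *a, const limb_t *b, size_t n, limb_t set)
{
    limb_t mask = (limb_t)0 - set;
    for (size_t i = 0; i < n; i++)
        a[i] = (a[i] & ~mask) | (b[i] & mask);
}

/* Toy group standing in for the curve (constructed for this example):
   residues modulo the prime 2^32 - 5. "Point addition" is modular
   multiplication and "doubling" is squaring; a product of two residues
   fits in 64 bits, so no multi-limb arithmetic is needed here. */
#define TOY_P 4294967291ULL

static limb_t mulmod(limb_t a, limb_t b)
{
    return (a * b) % TOY_P;
}

/* Scalar multiplication (here: exponentiation) by a Montgomery ladder.
   Every iteration performs the same multiply and square whatever the bit;
   the bit only drives the two conditional swaps, and it is produced as
   exactly 0 or 1 so the swap contract holds. */
limb_t ct_pow_mod(limb_t base, limb_t exp)
{
    limb_t r0 = 1, r1 = base % TOY_P;
    for (int i = 63; i >= 0; i--) {
        limb_t bit = (exp >> i) & 1;         /* exactly 0 or 1, never !!x */
        limbs_swap_cond(&r0, &r1, 1, bit);
        r1 = mulmod(r0, r1);                 /* "add" */
        r0 = mulmod(r0, r0);                 /* "double" */
        limbs_swap_cond(&r0, &r1, 1, bit);
    }
    return r0;
}

/* Reference: the branching square-and-multiply the ladder replaces. Its
   sequence of multiplications depends on the secret bits, which is the
   timing leak the commits above remove from the EC code. */
limb_t naive_pow_mod(limb_t base, limb_t exp)
{
    limb_t acc = 1, g = base % TOY_P;
    for (int i = 63; i >= 0; i--) {
        acc = mulmod(acc, acc);
        if ((exp >> i) & 1)                  /* secret-dependent branch */
            acc = mulmod(acc, g);
    }
    return acc;
}

/* Self-check of the two conditional primitives; returns 1 on success. */
int cond_primitives_ok(void)
{
    limb_t a[2] = {1, 2}, b[2] = {3, 4}, c[2] = {9, 9};
    limbs_swap_cond(a, b, 2, 0);             /* flag 0: no-op */
    if (a[0] != 1 || b[0] != 3) return 0;
    limbs_swap_cond(a, b, 2, 1);             /* flag 1: swapped */
    if (a[0] != 3 || a[1] != 4 || b[0] != 1 || b[1] != 2) return 0;
    limbs_set_cond(c, a, 2, 0);              /* flag 0: unchanged */
    if (c[0] != 9) return 0;
    limbs_set_cond(c, a, 2, 1);              /* flag 1: copied */
    return c[0] == 3 && c[1] == 4;
}

int main(void)
{
    printf("cond primitives: %s\n", cond_primitives_ok() ? "ok" : "FAIL");
    printf("2^32 mod p = %llu (expect 5)\n",
           (unsigned long long)ct_pow_mod(2, 32));
    printf("ladder == naive: %s\n",
           ct_pow_mod(123456789, 987654321) == naive_pow_mod(123456789, 987654321)
               ? "yes" : "no");
    return 0;
}
```

The point to check when reviewing code like this is the one the commit message makes: every flag handed to the swap or set primitive must be produced as a 0/1 value by a branch-free expression (a masked shift, as in the ladder), because a mask built from any other value is silently wrong, and a `!!` applied to fix that may itself compile to a branch.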