[PATCH] MPI helper of addition one limb, Least Leak Intended
Jussi Kivilinna
jussi.kivilinna at iki.fi
Tue Feb 18 09:48:01 CET 2025
Hello,
On 2025-02-17 07:26, NIIBE Yutaka via Gcrypt-devel wrote:
> Hello, Jussi,
>
> Jussi Kivilinna <jussi.kivilinna at iki.fi> wrote:
>> I think this function could use 'add_ssaaaa' macro to handle addition
>> with carry.
>>
>> Something like this (completely untested):
>>
>> cy = s2_limb;                       /* limb to add enters as the initial carry */
>> while ( s1_size )
>>   {
>>     x = *s1_ptr;
>>     add_ssaaaa(cy, x, 0, cy, 0, x); /* x = x + cy, carry-out lands in cy */
>>     *s1_ptr++ = x;
>>     s1_size--;
>>   }
>> return cy;
>
> Good. I'm going to push this to master for _gcry_mpih_add_1_lli
> function.
>
> Further, I'm going to push the change for _gcry_mpih_add_lli
> function as:
Is LLI variant really needed? This looks the same as the
_gcry_mpih_add_n.

The assembly versions of this (for select architectures) should all be
constant time.

Well, looking at some of those implementations, they look overly complex
and we carry assembly implementations for now old/obsolete
architectures.

I think we should remove obsolete ones in favor of just using the generic
version. I'd just keep assembly for the following architectures:
- amd64
- i386
- aarch64
- arm
- generic

We could then validate that these really have constant time (or LLI)
implementations.
-Jussi
>
> mpi_limb_t
> _gcry_mpih_add_lli (mpi_ptr_t wp, mpi_ptr_t up, mpi_ptr_t vp,
>                     mpi_size_t usize)
> {
>   mpi_size_t i;
>   mpi_limb_t cy;
>
>   cy = 0;
>   for (i = 0; i < usize; i++)
>     {
>       mpi_limb_t u = up[i];
>       mpi_limb_t v = vp[i];
>       mpi_limb_t w;
>
>       add_ssaaaa (cy, w, 0, u, 0, cy);  /* w = u + carry-in, cy = carry-out */
>       add_ssaaaa (cy, w, cy, w, 0, v);  /* w += v, second carry folded into cy */
>       wp[i] = w;
>     }
>
>   return cy;
> }
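A self-contained C version of the two routines discussed in this thread, added here as an example rather than libgcrypt's own code: add_ssaaaa is written out in its generic C fallback form (carry derived from a comparison, no branch), and the 64-bit limb type and the function names are assumptions. The loops visit every limb whether or not a carry is still pending, which is the point of the LLI variants.

```c
#include <stdint.h>
#include <stddef.h>

/* Assumed limb type for this example: 64-bit limbs. */
typedef uint64_t limb_t;

/* Generic C form of add_ssaaaa: (sh,sl) = (ah,al) + (bh,bl).
 * The carry out of the low word is a comparison result, not a branch,
 * so the work done does not depend on the limb values. */
#define add_ssaaaa(sh, sl, ah, al, bh, bl)          \
  do {                                               \
    limb_t x_ = (al) + (bl);                         \
    (sh) = (ah) + (bh) + (x_ < (al));                \
    (sl) = x_;                                       \
  } while (0)

/* Add one limb to an n-limb number in place; returns the final carry.
 * Hypothetical name, modelled on the _gcry_mpih_add_1_lli discussion. */
limb_t mpih_add_1_lli(limb_t *s1_ptr, size_t s1_size, limb_t s2_limb)
{
  limb_t cy = s2_limb;                /* the addend enters as the carry */
  while (s1_size--) {
    limb_t x = *s1_ptr;
    add_ssaaaa(cy, x, 0, cy, 0, x);   /* x += cy, new carry in cy */
    *s1_ptr++ = x;
  }
  return cy;
}

/* w = u + v over usize limbs; returns the carry out of the top limb. */
limb_t mpih_add_n_lli(limb_t *wp, const limb_t *up, const limb_t *vp,
                      size_t usize)
{
  limb_t cy = 0;
  for (size_t i = 0; i < usize; i++) {
    limb_t u = up[i], v = vp[i], w;
    add_ssaaaa(cy, w, 0, u, 0, cy);   /* w = u + carry-in, cy = carry-out */
    add_ssaaaa(cy, w, cy, w, 0, v);   /* w += v, fold second carry into cy */
    wp[i] = w;
  }
  return cy;
}

/* Constructed check: carries must ripple through a full limb. Returns 1 on success. */
int selftest(void)
{
  limb_t a[2] = { UINT64_MAX, 5 };                    /* + 1 -> {0, 6}, carry 0 */
  limb_t u[2] = { UINT64_MAX, UINT64_MAX }, v[2] = { 1, 0 }, w[2];
  if (mpih_add_1_lli(a, 2, 1) != 0 || a[0] != 0 || a[1] != 6) return 0;
  if (mpih_add_n_lli(w, u, v, 2) != 1 || w[0] != 0 || w[1] != 0) return 0;
  return 1;
}
```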