[PATCH] MPI helper of multiplication, Least Leak Intended

NIIBE Yutaka gniibe at fsij.org
Fri Jan 31 07:25:39 CET 2025 

Hello,

This month, I created the ticket for improvement of modular
exponentiation implementation with a branch named gniibe/t7490:

	https://dev.gnupg.org/T7490

It somehow works for me now.

I'd like to merge the branch manually in steps.

Here is a first patch for MPI multiplication.  The purpose is to have
constant-time property.

But, for these kinds of internal intermediate routines, I felt that
naming "constant-time" sounds too much.  Honestly speaking, it's
"Least Leak Intended", and I couldn't declare it constant-time.

So, I use the suffix of _lli.  It's basecase multiplication, no Karatsuba.

diff --git a/mpi/mpi-internal.h b/mpi/mpi-internal.h
index 935bf3e1..f04f1dbd 100644
--- a/mpi/mpi-internal.h
+++ b/mpi/mpi-internal.h
@@ -230,6 +230,8 @@ void _gcry_mpih_mul_n( mpi_ptr_t prodp, mpi_ptr_t up, mpi_ptr_t vp,
 						   mpi_size_t size);
 mpi_limb_t _gcry_mpih_mul( mpi_ptr_t prodp, mpi_ptr_t up, mpi_size_t usize,
 					 mpi_ptr_t vp, mpi_size_t vsize);
+mpi_limb_t _gcry_mpih_mul_lli(mpi_ptr_t prodp, mpi_ptr_t up, mpi_size_t usize,
+                              mpi_ptr_t vp, mpi_size_t vsize);
 void _gcry_mpih_sqr_n_basecase( mpi_ptr_t prodp, mpi_ptr_t up, mpi_size_t size );
 void _gcry_mpih_sqr_n( mpi_ptr_t prodp, mpi_ptr_t up, mpi_size_t size,
 						mpi_ptr_t tspace);
diff --git a/mpi/mpih-mul.c b/mpi/mpih-mul.c
index 6c51533f..1e6bfcb2 100644
--- a/mpi/mpih-mul.c
+++ b/mpi/mpih-mul.c
@@ -527,3 +527,32 @@ _gcry_mpih_mul( mpi_ptr_t prodp, mpi_ptr_t up, mpi_size_t usize,
     _gcry_mpih_release_karatsuba_ctx( &ctx );
     return *prod_endp;
 }
+
+
+/* Do same calculation as _gcry_mpih_mul does, but Least Leak Intended.  */
+mpi_limb_t
+_gcry_mpih_mul_lli( mpi_ptr_t prodp, mpi_ptr_t up, mpi_size_t usize,
+                    mpi_ptr_t vp, mpi_size_t vsize )
+{
+    mpi_limb_t cy;
+    mpi_size_t i;
+    mpi_limb_t v_limb;
+
+    if( !vsize )
+        return 0;
+
+    v_limb = vp[0];
+    cy = _gcry_mpih_mul_1( prodp, up, usize, v_limb );
+
+    prodp[usize] = cy;
+    prodp++;
+
+    for( i = 1; i < vsize; i++ ) {
+        v_limb = vp[i];
+        cy = _gcry_mpih_addmul_1(prodp, up, usize, v_limb);
+        prodp[usize] = cy;
+        prodp++;
+    }
+
+    return cy;
+}
--

More information about the Gcrypt-devel mailing list