This is an automated email from the ASF dual-hosted git repository. sandreoli pushed a commit to branch issue51 in repository https://gitbox.apache.org/repos/asf/incubator-milagro-crypto-c.git
commit 63785bbc86ec20e78c193618e086b66366abf03c Author: samuele-andreoli <[email protected]> AuthorDate: Wed Nov 27 14:43:21 2019 +0000 use side channel resistant functions when necessary --- include/ff.h.in | 22 ++++++++-------- src/ff.c.in | 81 ++++++++++++++++++++++++++++++--------------------------- src/paillier.c | 7 +++-- 3 files changed, 56 insertions(+), 54 deletions(-) diff --git a/include/ff.h.in b/include/ff.h.in index a3fc4c8..dd48cc3 100644 --- a/include/ff.h.in +++ b/include/ff.h.in @@ -245,6 +245,17 @@ extern void FF_WWW_skpow(BIG_XXX *r,BIG_XXX *x,BIG_XXX * e,BIG_XXX *m,int n); @param n size of FF in BIGs */ extern void FF_WWW_skspow(BIG_XXX *r,BIG_XXX *x,BIG_XXX e,BIG_XXX *m,int n); +/** @brief Calculate r=x^e.y^f mod m for big e and f, side channel resistant + * + @param r FF instance, on exit = x^e.y^f mod m + @param x FF instance + @param e FF exponent + @param y FF instance + @param f FF exponent + @param m FF modulus + @param n size of FF in BIGs + */ +extern void FF_WWW_skpow2(BIG_XXX r[],BIG_XXX x[], BIG_XXX e[], BIG_XXX y[], BIG_XXX f[], BIG_XXX m[], int n); /** @brief Calculate r=x^e mod m * For very short integer exponent @@ -292,16 +303,5 @@ extern int FF_WWW_prime(BIG_XXX *x,csprng *R,int n); @param n size of FF in BIGs */ extern void FF_WWW_pow2(BIG_XXX *r,BIG_XXX *x,BIG_XXX e,BIG_XXX *y,BIG_XXX f,BIG_XXX *m,int n); -/** @brief Calculate r=x^e.y^f mod m for big e and f - * - @param r FF instance, on exit = x^e.y^f mod m - @param x FF instance - @param e FF exponent - @param y FF instance - @param f FF exponent - @param m FF modulus - @param n size of FF in BIGs - */ -extern void FF_WWW_bpow2(BIG_XXX *r,BIG_XXX *x,BIG_XXX *e,BIG_XXX *y,BIG_XXX *f,BIG_XXX *m,int n); #endif diff --git a/src/ff.c.in b/src/ff.c.in index 1d495bf..31347c7 100644 --- a/src/ff.c.in +++ b/src/ff.c.in 
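Review bot: The Doxygen block for FF_WWW_skpow2 omits the length contract the implementation relies on: the loop added in src/ff.c.in indexes `e[i/BIGBITS_XXX]` and `f[i/BIGBITS_XXX]` for every bit below 8*MODBYTES_XXX*n, so both exponents must be n BIGs long (zero-extended when the value is shorter) and a shorter array would be read past its end. I would write `@param e FF exponent, n BIGs long (zero-extend shorter values)` and the same for `f`, and add a sentence to the @brief saying that all 8*MODBYTES_XXX*n exponent bits are processed with one squaring and one multiplication each, so timing is independent of e and f, which is what "side channel resistant" promises here. As a point of style, the new prototype uses `BIG_XXX r[]` array syntax while every neighbouring declaration in this header uses `BIG_XXX *r`; matching the existing form avoids a spurious difference between header and source. Since FF_WWW_bpow2 is dropped from the public header in the same commit, the brief could also say that skpow2 supersedes it, so external callers hitting the missing symbol know where to go.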
@@ -536,7 +536,7 @@ void FF_WWW_invmodp(BIG_XXX r[],BIG_XXX a[],BIG_XXX p[],int n)
 FF_WWW_copy(x1,one,n);
 FF_WWW_zero(x2,n);
-// reduce n in here as well!
+ // reduce n in here as well!
 while (FF_WWW_comp(u,one,n)!=0 && FF_WWW_comp(v,one,n)!=0)
 {
 while (FF_WWW_parity(u)==0)
@@ -824,6 +824,47 @@ void FF_WWW_skspow(BIG_XXX r[],BIG_XXX x[],BIG_XXX e,BIG_XXX p[],int n)
 FF_WWW_redc(r,p,ND,n);
 }
+/* r=x^e*y^f mod p - side channel resistant */
+void FF_WWW_skpow2(BIG_XXX r[],BIG_XXX x[], BIG_XXX e[], BIG_XXX y[], BIG_XXX f[], BIG_XXX p[], int n) {
+ int i,eb,fb;
+#ifndef C99
+ BIG_XXX xn[FFLEN_WWW],yn[FFLEN_WWW],xy[FFLEN_WWW],w[FFLEN_WWW],ND[FFLEN_WWW];
+#else
+ BIG_XXX xn[n],yn[n],xy[n],w[n],ND[n];
+#endif
+
+ FF_WWW_invmod2m(ND,p,n);
+
+ FF_WWW_copy(xn,x,n);
+ FF_WWW_copy(yn,y,n);
+ FF_WWW_nres(xn,p,n);
+ FF_WWW_nres(yn,p,n);
+ FF_WWW_modmul(xy,xn,yn,p,ND,n);
+ FF_WWW_one(w,n);
+ FF_WWW_nres(w,p,n);
+ FF_WWW_one(r,n);
+ FF_WWW_nres(r,p,n);
+
+ for (i=8*MODBYTES_XXX*n-1; i>=0; i--)
+ {
+ eb=BIG_XXX_bit(e[i/BIGBITS_XXX],i%BIGBITS_XXX);
+ fb=BIG_XXX_bit(f[i/BIGBITS_XXX],i%BIGBITS_XXX);
+
+ FF_WWW_cswap(w, xn, eb & (eb ^ fb), n);
+ FF_WWW_cswap(w, yn, fb & (eb ^ fb), n);
+ FF_WWW_cswap(w, xy, eb & fb, n);
+
+ FF_WWW_modsqr(r,r,p,ND,n);
+ FF_WWW_modmul(r,w,r,p,ND,n);
+
+ FF_WWW_cswap(w, xn, eb & (eb ^ fb), n);
+ FF_WWW_cswap(w, yn, fb & (eb ^ fb), n);
+ FF_WWW_cswap(w, xy, eb & fb, n);
+ }
+
+ FF_WWW_redc(r,p,ND,n);
+}
+
 /* raise to an integer power - right-to-left method */
 void FF_WWW_power(BIG_XXX r[],BIG_XXX x[],int e,BIG_XXX p[],int n)
 {
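Review bot: The constant-time guarantee of FF_WWW_skpow2 rests on BIG_XXX_bit and FF_WWW_cswap, neither of which is in this hunk: the `eb`/`fb` flags are combined into the cswap selectors purely arithmetically, which is the right shape, but if BIG_XXX_bit returns its result through an `if` on the extracted bit the compiler may still emit a secret-dependent branch, so its generated code should be checked or the bit read with an unconditional shift-and-mask expression. Separately, `xn`, `yn`, `xy` and `w` hold the Montgomery forms of the bases, and in the Paillier encrypt caller changed by this commit `y` is the blinding randomness, so these stack temporaries should be cleared before the function returns (`FF_WWW_zero(w,n);` and likewise for `xn`, `yn`, `xy`), with the caveat that plain stores to dead locals can be optimised away unless the library grows an explicit-zero helper. The one-line header comment should also spell out the contract the callers depend on: `/* r=x^e*y^f mod p. Every one of the 8*MODBYTES_XXX*n exponent bits costs one modsqr and one modmul, so timing is independent of e and f; e and f must be n BIGs long. */`.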
@@ -921,44 +962,6 @@ void FF_WWW_pow2(BIG_XXX r[],BIG_XXX x[],BIG_XXX e,BIG_XXX y[],BIG_XXX f,BIG_XXX
 FF_WWW_redc(r,p,ND,n);
 }
-/* double exponentiation r=x^e.y^f mod p */
-void FF_WWW_bpow2(BIG_XXX r[],BIG_XXX x[],BIG_XXX e[],BIG_XXX y[],BIG_XXX f[],BIG_XXX p[],int n)
-{
- int i,eb,fb;
-#ifndef C99
- BIG_XXX xn[FFLEN_WWW],yn[FFLEN_WWW],xy[FFLEN_WWW],ND[FFLEN_WWW];
-#else
- BIG_XXX xn[n],yn[n],xy[n],ND[n];
-#endif
-
- FF_WWW_invmod2m(ND,p,n);
-
- FF_WWW_copy(xn,x,n);
- FF_WWW_copy(yn,y,n);
- FF_WWW_nres(xn,p,n);
- FF_WWW_nres(yn,p,n);
- FF_WWW_modmul(xy,xn,yn,p,ND,n);
- FF_WWW_one(r,n);
- FF_WWW_nres(r,p,n);
-
- for (i=8*MODBYTES_XXX*(n-1); i>=0; i--)
- {
- eb=BIG_XXX_bit(e[i/BIGBITS_XXX],i%BIGBITS_XXX);
- fb=BIG_XXX_bit(f[i/BIGBITS_XXX],i%BIGBITS_XXX);
- FF_WWW_modsqr(r,r,p,ND,n);
- if (eb==1)
- {
- if (fb==1) FF_WWW_modmul(r,r,xy,p,ND,n);
- else FF_WWW_modmul(r,r,xn,p,ND,n);
- }
- else
- {
- if (fb==1) FF_WWW_modmul(r,r,yn,p,ND,n);
- }
- }
- FF_WWW_redc(r,p,ND,n);
-}
-
 static sign32 igcd(sign32 x,sign32 y)
 {
 /* integer GCD, returns GCD of x and y */
diff --git a/src/paillier.c b/src/paillier.c
index d607a99..ddf25be 100644
--- a/src/paillier.c
+++ b/src/paillier.c
@@ -215,7 +215,7 @@ int PAILLIER_ENCRYPT(csprng *RNG, octet* N, octet* G, octet* PT, octet* CT, octe
 }
 // ct = g^pt * r^n mod n2
- FF_4096_bpow2(ct, g, pt, r, n, n2, FFLEN_4096);
+ FF_4096_skpow2(ct, g, pt, r, n, n2, FFLEN_4096);
 // Output
 FF_4096_toOctet(CT, ct, FFLEN_4096);
@@ -294,7 +294,7 @@ int PAILLIER_DECRYPT(octet* N, octet* L, octet* M, octet* CT, octet* PT)
 FF_4096_norm(n2, FFLEN_4096);
 // ct^l mod n^2 - 1
- FF_4096_pow(ctl,ct,l,n2,FFLEN_4096);
+ FF_4096_skpow(ctl,ct,l,n2,FFLEN_4096);
 FF_4096_dec(ctl,1,FFLEN_4096);
 #ifdef DEBUG
@@ -433,7 +433,6 @@ int PAILLIER_MULT(octet* N, octet* CT1, octet* PT, octet* CT)
 // Ciphertext output. ct = ct1 ^ pt mod n^2
 BIG_512_60 ct[FFLEN_4096];
- // Convert n from FF_2048 to FF_4096
 FF_4096_fromOctet(n,N,HFLEN_4096);
 FF_4096_zero(pt, FFLEN_4096);
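Review bot: In the PAILLIER_DECRYPT hunk the comment above the changed call should record why the slower routine is now used, otherwise a later maintainer may revert to FF_4096_pow for speed: `// ct^l mod n^2 - 1; l is the private key, so use the side-channel-resistant exponentiation`. The ENCRYPT hunk deserves the same treatment, since there `pt` (the message) and `r` (the blinding value) are the secrets while the exponent `n` is public, and FF_4096_skpow2 treats both exponents as secret, which is safe but spends a constant-time pass over all FFLEN_4096 BIGs of `n` as well. Both enclosing functions begin and end outside these hunks, and the `#ifdef DEBUG` block that follows the decrypt call is not visible here; if it prints `ctl`, that is a build-time leak of a key-dependent intermediate worth confirming.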
@@ -446,7 +445,7 @@ int PAILLIER_MULT(octet* N, octet* CT1, octet* PT, octet* CT)
 FF_4096_norm(n2, FFLEN_4096);
 // ct1^pt mod n^2
- FF_4096_pow(ct,ct1,pt,n2,FFLEN_4096);
+ FF_4096_skpow(ct,ct1,pt,n2,FFLEN_4096);
 // output
 FF_4096_toOctet(CT, ct, FFLEN_4096);
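Review bot: The new FF_4096_skpow call is the right choice because `pt` is the plaintext scalar, but nothing in the code says so; I would change the comment to `// ct1^pt mod n^2 (pt is secret: constant-time exponentiation)`. By analogy with FF_WWW_skpow2 in src/ff.c.in, skpow presumably walks all FFLEN_4096 BIGs of `pt`, which the `FF_4096_zero(pt, FFLEN_4096)` in the preceding hunk zero-extends, so timing no longer depends on the bit length of the plaintext, at the cost of a full 4096-bit exponentiation for every homomorphic multiplication. PAILLIER_MULT continues outside this hunk.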
