On 2/7/25 20:05, NIIBE Yutaka via Gcrypt-devel wrote:
> NIIBE Yutaka <gni...@fsij.org> wrote:
> I think that this implementation could be improved.
> I should use the ct_limb_gen_inv_mask function instead of directly using
> the unary minus operator.

Could it make more sense to write:

result &= ct_limb_gen_inv_mask (gt) & ct_limb_gen_inv_mask (lt);
result |= gt | -lt;

Assuming that ct_limb_gen_inv_mask returns all-bits-set if its argument is zero and all-bits-clear otherwise, the first line clears result if a previous value is to be overwritten and the second sets the new value.

I also still suggest considering an alternate encoding for the comparison result.  The Hamming distance between 0 and 1 is 1, but the Hamming distance between 0 and -1 is the maximum on a 2's complement machine, which means that any information leakage on the power rail will be at its strongest when the comparison result is "less than".

A one-hot encoding would have a constant Hamming distance (of 2) between any pair of valid values.

I remember reading a paper some years ago by an academic research group that was able to recover private keys by observing noise on a laptop's ground (a USB port shield connection, if I recall correctly).


-- Jacob
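To make the two suggestions in this message concrete, here is an added, self-contained example; it is not code from the thread or from libgcrypt. It assumes a 64-bit limb type (ct_limb_t), takes ct_limb_gen_inv_mask to have exactly the semantics Jacob reads into it (all bits set if the argument is zero, clear otherwise), supplies its own branch-free ct_limb_lt helper, processes limbs from least to most significant so that a later limb overrides an earlier one, and picks the one-hot codes LT=001, EQ=010, GT=100 as one possible three-way encoding with a constant pairwise Hamming distance of 2. The hamming_distance helper shows the 1-versus-64 asymmetry of the 0/1/-1 encoding that the message describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical limb type for this example; libgcrypt's real limb type may differ. */
typedef uint64_t ct_limb_t;
#define CT_LIMB_BITS 64

/* Assumed semantics (Jacob's reading): all bits set if x == 0, all bits clear otherwise. */
static ct_limb_t ct_limb_gen_inv_mask(ct_limb_t x)
{
    /* (x | -x) has its top bit set exactly when x != 0. */
    ct_limb_t nonzero = (x | (ct_limb_t)(0 - x)) >> (CT_LIMB_BITS - 1);
    return ~(ct_limb_t)(0 - nonzero);
}

/* Complement of the above: all bits set if x != 0. */
static ct_limb_t ct_limb_gen_mask(ct_limb_t x)
{
    return ~ct_limb_gen_inv_mask(x);
}

/* Branch-free unsigned a < b over the full limb width, returning 0 or 1 (assumed helper). */
static ct_limb_t ct_limb_lt(ct_limb_t a, ct_limb_t b)
{
    return (a ^ ((a ^ b) | ((a - b) ^ b))) >> (CT_LIMB_BITS - 1);
}

/* Encoding discussed in the thread: 1 if a > b, 0 if equal, all ones (-1) if a < b.
 * Limbs are little-endian, so a more significant limb overrides an earlier decision. */
static ct_limb_t ct_mpi_cmp_signed(const ct_limb_t *a, const ct_limb_t *b, size_t n)
{
    ct_limb_t result = 0;
    for (size_t i = 0; i < n; i++) {
        ct_limb_t lt = ct_limb_lt(a[i], b[i]);
        ct_limb_t gt = ct_limb_lt(b[i], a[i]);
        /* Clear the previous value only when this limb decides the comparison ... */
        result &= ct_limb_gen_inv_mask(gt) & ct_limb_gen_inv_mask(lt);
        /* ... then set the new one: +1 for greater, -1 (all ones) for less. */
        result |= gt | (ct_limb_t)(0 - lt);
    }
    return result;
}

/* One-hot alternative: any two valid codes differ in exactly two bits. */
enum { CT_CMP_LT = 1, CT_CMP_EQ = 2, CT_CMP_GT = 4 };

static ct_limb_t ct_mpi_cmp_onehot(const ct_limb_t *a, const ct_limb_t *b, size_t n)
{
    ct_limb_t result = CT_CMP_EQ;
    for (size_t i = 0; i < n; i++) {
        ct_limb_t lt = ct_limb_lt(a[i], b[i]);
        ct_limb_t gt = ct_limb_lt(b[i], a[i]);
        ct_limb_t decides = ct_limb_gen_mask(gt | lt);         /* all ones iff a[i] != b[i] */
        ct_limb_t code = (lt * CT_CMP_LT) | (gt * CT_CMP_GT);  /* one-hot code for this limb */
        result = (result & ~decides) | (code & decides);       /* branch-free select */
    }
    return result;
}

/* Number of differing bits between two stored result values. */
static unsigned hamming_distance(ct_limb_t x, ct_limb_t y)
{
    ct_limb_t d = x ^ y;
    unsigned count = 0;
    while (d) { count += (unsigned)(d & 1); d >>= 1; }
    return count;
}

/* Constructed two-limb operands (little-endian): X = 2^64 + 3, Y = 2^64 + 7, Z = 2 * 2^64. */
static const ct_limb_t X[2] = { 3, 1 };
static const ct_limb_t Y[2] = { 7, 1 };
static const ct_limb_t Z[2] = { 0, 2 };

int main(void)
{
    printf("signed: X?Y=%lld  Y?X=%lld  X?X=%lld  Z?Y=%lld\n",
           (long long)ct_mpi_cmp_signed(X, Y, 2), (long long)ct_mpi_cmp_signed(Y, X, 2),
           (long long)ct_mpi_cmp_signed(X, X, 2), (long long)ct_mpi_cmp_signed(Z, Y, 2));
    printf("one-hot: X?Y=%u  X?X=%u  Z?Y=%u\n",
           (unsigned)ct_mpi_cmp_onehot(X, Y, 2), (unsigned)ct_mpi_cmp_onehot(X, X, 2),
           (unsigned)ct_mpi_cmp_onehot(Z, Y, 2));
    printf("Hamming: 0/1=%u  0/-1=%u  LT/GT=%u  LT/EQ=%u\n",
           hamming_distance(0, 1), hamming_distance(0, (ct_limb_t)-1),
           hamming_distance(CT_CMP_LT, CT_CMP_GT), hamming_distance(CT_CMP_LT, CT_CMP_EQ));
    return 0;
}
```

Two caveats a reviewer would want alongside this: the bit tricks are only constant-time if the compiler keeps them branch-free, so the generated object code (not the C) is what needs checking on each target; and a constant-Hamming-distance encoding equalises only the weight of the stored result value, not the data-dependent activity of the arithmetic that produced it.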

_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gcrypt-devel