Hello, I'm working on the task of constant-time (EC)DSA signature generation:
https://dev.gnupg.org/T7519 IIUC, possible important signal sources have been fixed for (EC)DSA (for both branches of 1.11 and master). And I continue on ECC improvement in master. For the first improvement, I realized that runtime checks in ec_mod and its friends could be leaky, because they depend on how small/big the value is. Since it is (or can be) a precondition for those routines in the code of libgcrypt, it can be removed. Since it could be leaky, it's good to remove it. Here is a change. --
>From 958e22ccbbf84747163d0edd9ba26dd0d56cf052 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka <gni...@fsij.org> Date: Thu, 27 Mar 2025 08:45:12 +0900 Subject: [PATCH] mpi:ec: Remove runtime check in ec_mod. * mpi/ec-inline.h (mpi_nbits_more_than): Remove. * mpi/ec-nist.c (_gcry_mpi_ec_nist192_mod): Remove runtime check for the size of W. (_gcry_mpi_ec_nist224_mod): Likewise. (_gcry_mpi_ec_nist256_mod): Likewise. (_gcry_mpi_ec_nist384_mod): Likewise. (_gcry_mpi_ec_nist521_mod): Likewise. (ec_secp256k1_mod): Likewise. -- It is precondition for those routines. Signed-off-by: NIIBE Yutaka <gni...@fsij.org> --- mpi/ec-inline.h | 29 ----------------------------- mpi/ec-nist.c | 20 -------------------- mpi/ec.c | 4 ---- 3 files changed, 53 deletions(-) diff --git a/mpi/ec-inline.h b/mpi/ec-inline.h index 3a526246..662aa5c3 100644 --- a/mpi/ec-inline.h +++ b/mpi/ec-inline.h @@ -1203,33 +1203,4 @@ LIMB64_HILO(mpi_limb_t hi, mpi_limb_t lo) #endif -/* Helper functions. */ - -static inline int -mpi_nbits_more_than (gcry_mpi_t w, unsigned int nbits) -{ - unsigned int nbits_nlimbs; - mpi_limb_t wlimb; - unsigned int n; - - nbits_nlimbs = (nbits + BITS_PER_MPI_LIMB - 1) / BITS_PER_MPI_LIMB; - - /* Note: Assumes that 'w' is normalized. */ - - if (w->nlimbs > nbits_nlimbs) - return 1; - if (w->nlimbs < nbits_nlimbs) - return 0; - if ((nbits % BITS_PER_MPI_LIMB) == 0) - return 0; - - wlimb = w->d[nbits_nlimbs - 1]; - if (wlimb == 0) - log_bug ("mpi_nbits_more_than: input mpi not normalized\n"); - - count_leading_zeros (n, wlimb); - - return (BITS_PER_MPI_LIMB - n) > (nbits % BITS_PER_MPI_LIMB); -} - #endif /* GCRY_EC_INLINE_H */ diff --git a/mpi/ec-nist.c b/mpi/ec-nist.c index e03bd0e0..bf245b6c 100644 --- a/mpi/ec-nist.c +++ b/mpi/ec-nist.c 
@@ -96,10 +96,6 @@ _gcry_mpi_ec_nist192_mod (gcry_mpi_t w, mpi_ec_t ctx) mpi_limb_t s_is_negative; int carry; - MPN_NORMALIZE (w->d, w->nlimbs); - if (mpi_nbits_more_than (w, 2 * 192)) - log_bug ("W must be less than m^2\n"); - RESIZE_AND_CLEAR_IF_NEEDED (w, wsize * 2 * LIMBS_PER_LIMB64); RESIZE_AND_CLEAR_IF_NEEDED (ctx->p, wsize * LIMBS_PER_LIMB64); @@ -189,10 +185,6 @@ _gcry_mpi_ec_nist224_mod (gcry_mpi_t w, mpi_ec_t ctx) mpi_limb_t s_is_negative; int carry; - MPN_NORMALIZE (w->d, w->nlimbs); - if (mpi_nbits_more_than (w, 2 * 224)) - log_bug ("W must be less than m^2\n"); - RESIZE_AND_CLEAR_IF_NEEDED (w, wsize * 2 * LIMBS_PER_LIMB64); RESIZE_AND_CLEAR_IF_NEEDED (ctx->p, wsize * LIMBS_PER_LIMB64); ctx->p->nlimbs = psize; @@ -352,10 +344,6 @@ _gcry_mpi_ec_nist256_mod (gcry_mpi_t w, mpi_ec_t ctx) mpi_limb_t d_is_negative; int carry; - MPN_NORMALIZE (w->d, w->nlimbs); - if (mpi_nbits_more_than (w, 2 * 256)) - log_bug ("W must be less than m^2\n"); - RESIZE_AND_CLEAR_IF_NEEDED (w, wsize * 2 * LIMBS_PER_LIMB64); RESIZE_AND_CLEAR_IF_NEEDED (ctx->p, wsize * LIMBS_PER_LIMB64); ctx->p->nlimbs = psize; @@ -607,10 +595,6 @@ _gcry_mpi_ec_nist384_mod (gcry_mpi_t w, mpi_ec_t ctx) mpi_limb_t s_is_negative; int carry; - MPN_NORMALIZE (w->d, w->nlimbs); - if (mpi_nbits_more_than (w, 2 * 384)) - log_bug ("W must be less than m^2\n"); - RESIZE_AND_CLEAR_IF_NEEDED (w, wsize * 2 * LIMBS_PER_LIMB64); RESIZE_AND_CLEAR_IF_NEEDED (ctx->p, wsize * LIMBS_PER_LIMB64); ctx->p->nlimbs = psize; @@ -799,10 +783,6 @@ _gcry_mpi_ec_nist521_mod (gcry_mpi_t w, mpi_ec_t ctx) mpi_limb_t cy; mpi_ptr_t wp; - MPN_NORMALIZE (w->d, w->nlimbs); - if (mpi_nbits_more_than (w, 2 * 521)) - log_bug ("W must be less than m^2\n"); - RESIZE_AND_CLEAR_IF_NEEDED (w, wsize * 2); wp = w->d; diff --git a/mpi/ec.c b/mpi/ec.c index dac734ee..f6a12210 100644 --- a/mpi/ec.c +++ b/mpi/ec.c 
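Review bot: Removing the guard in _gcry_mpi_ec_nist192_mod also removes the `MPN_NORMALIZE (w->d, w->nlimbs);` that preceded it, and the nist224, nist256, nist384 and nist521 hunks and the ec_secp256k1_mod hunk in mpi/ec.c do the same; if any code later in these functions reads `w->nlimbs` as a normalized limb count, that normalization has to be kept or shown to be redundant. The bodies of all six functions continue outside the hunks, so this cannot be confirmed here. The precondition the check enforced now lives only in the commit message; add a comment at each removed site such as `/* Precondition: W < m^2.  Not checked at runtime: the check's cost depends on the value of W.  */`, with the bit width filled in per curve.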
@@ -577,10 +577,6 @@ ec_secp256k1_mod (gcry_mpi_t w, mpi_ec_t ctx) mpi_limb_t cy, borrow; mpi_ptr_t wp; - MPN_NORMALIZE (w->d, w->nlimbs); - if (w->nlimbs > 2 * 256 / BITS_PER_MPI_LIMB) - log_bug ("W must be less than m^2\n"); - RESIZE_AND_CLEAR_IF_NEEDED (w, wsize * 2); wp = w->d; -- 2.39.5