On 5/13/25 23:35, NIIBE Yutaka via Gcrypt-devel wrote:
* src/mpi.h (_gcry_mpi_assign_limb_space): Add.
(_gcry_mpih_mod_lli, _gcry_mpih_mul_lli): Add.
* cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Take care
about least leak with k^(-1).
--
GnuPG-bug-id: 7519
Signed-off-by: NIIBE Yutaka <gni...@fsij.org>
---
cipher/ecc-ecdsa.c | 20 +++++++++++++++++++-
src/mpi.h | 7 +++++++
2 files changed, 26 insertions(+), 1 deletion(-)
I note from the diff context that the next step after the part you are
changing is to remove a blinding factor from the result. If the
calculation is performed blinded, why is least-leak important enough
here to justify the added code complexity?
Note that introducing an "mpi_mulm_lli" as an LLI drop-in replacement
for "mpi_mulm" would also address my concern. Also note that using
least-leak for the blinding/unblinding steps might be more important
than for any of the blinded steps in the middle.
-- Jacob
_______________________________________________
Gcrypt-devel mailing list
Gcrypt-devel@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gcrypt-devel
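The scalar arithmetic the thread argues about, as an added example that is not libgcrypt's code: it computes s = k^-1 (z + d*r) mod n under one assumed blinding arrangement (d and z masked by a random b, k inverted unmasked, the result unmasked by b^-1 at the end) and logs which operations take an operand that is a secret not yet masked by b. The Scalar/mulm/addm/invm names and the use of the secp256k1 group order as n are assumptions of this example; the log tracks raw-secret operands only, not every way a blinded intermediate could leak.

```python
# Constructed example, not libgcrypt's code: scalar half of ECDSA signing with
# one multiplicative-blinding arrangement, logging raw (unblinded) secret operands.
import secrets
from dataclasses import dataclass

# Group order of secp256k1 (public constant); only arithmetic mod N is used.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

@dataclass(frozen=True)
class Scalar:
    v: int          # value mod N
    secret: bool    # derived from the nonce k or the private key d
    bdeg: int = 0   # power of the blinding factor b mixed into the value

    def raw(self):  # secret value that is not masked by b
        return self.secret and self.bdeg == 0

def mulm(a, b, log, step):
    log.append((step, a.raw() or b.raw()))
    return Scalar(a.v * b.v % N, a.secret or b.secret, a.bdeg + b.bdeg)

def addm(a, b, log, step):
    assert a.bdeg == b.bdeg, "operands must carry the same blinding"
    log.append((step, a.raw() or b.raw()))
    return Scalar((a.v + b.v) % N, a.secret or b.secret, a.bdeg)

def invm(a, log, step):
    log.append((step, a.raw()))
    return Scalar(pow(a.v, -1, N), a.secret, -a.bdeg)

def ecdsa_s_blinded(k, d, r, z, b):
    """s = k^-1 (z + d*r) mod N on b-blinded values; returns (s, step log)."""
    log = []
    K, D = Scalar(k, True), Scalar(d, True)
    R, Z, B = Scalar(r, False), Scalar(z, False), Scalar(b, False, 1)
    bd = mulm(B, D, log, "blind d")                 # touches raw d
    bdr = mulm(bd, R, log, "b*d*r")                 # blinded operands only
    bsum = addm(mulm(B, Z, log, "b*z"), bdr, log, "b*(z+d*r)")
    k1 = invm(K, log, "k^-1")                       # touches raw k
    sb = mulm(k1, bsum, log, "k^-1 * b*(z+d*r)")    # raw k^-1 meets blinded sum
    s = mulm(sb, invm(B, log, "b^-1"), log, "unblind")  # (s*b) * b^-1 = s
    return s.v, log

def ecdsa_s_direct(k, d, r, z):
    return pow(k, -1, N) * (z + d * r) % N

if __name__ == "__main__":
    k, d, r, z, b = (1 + secrets.randbelow(N - 1) for _ in range(5))  # constructed
    s, log = ecdsa_s_blinded(k, d, r, z, b)
    assert s == ecdsa_s_direct(k, d, r, z)
    print(*(f"{'RAW' if raw else 'blinded'}: {step}" for step, raw in log), sep="\n")
```

Under this arrangement the log flags exactly the steps that see k or d without b in front of them, which is the distinction the reply draws between the blinded middle and the blinding steps around it.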