Jacob Bachmeyer <jcb62...@gmail.com> wrote:
> I note from the diff context that the next step after the part you are
> changing is to remove a blinding factor from the result.

Could be. Currently, my focus is the leaks of K and K^(-1). Blinding here is for the private key (ec->d).

> If the calculation is performed blinded, why is least-leak important
> enough here to justify the added code complexity?

The patch I sent is for K^(-1). (The code might look complex, but actually the execution code path is simpler than the one by mpi_mulm. We don't have mpi_mulm_lli or mpi_mul_lli yet.)