Dmitry Eremin-Solenikov <[email protected]> writes:

> Signed-off-by: Dmitry Eremin-Solenikov <[email protected]>
> ---
> ecc-mod-arith.c | 30 ++++++++++++++++++------------
> 1 file changed, 18 insertions(+), 12 deletions(-)
>
> diff --git a/ecc-mod-arith.c b/ecc-mod-arith.c
> index f2e47f6747c1..571680a98dc3 100644
> --- a/ecc-mod-arith.c
> +++ b/ecc-mod-arith.c
> @@ -73,10 +73,12 @@ ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t *rp,
> assert (b <= 0xffffffff);
> hi = mpn_mul_1 (rp, ap, m->size, b);
> hi = mpn_addmul_1 (rp, m->B, m->size, hi);
> - assert (hi <= 1);
> - hi = cnd_add_n (hi, rp, m->B, m->size);
> - /* Sufficient if b < B^size / p */
> - assert (hi == 0);
> + do {
> + if (hi > 1) /* This is necessary for some of GOST curves */
> + hi = mpn_addmul_1 (rp, m->B, m->size, hi);
> + else
> + hi = cnd_add_n (hi, rp, m->B, m->size);
> + } while (hi != 0);
> }
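Review bot: the replacement `do { if (hi > 1) ... else ... } while (hi != 0);` branches on `hi`, a value computed from the operands `ap` and `b`, and also makes the number of iterations data-dependent, so the constant-time behaviour that the original unconditional `hi = cnd_add_n (hi, rp, m->B, m->size);` preserved is lost. If some moduli need more than one fold, run a fixed number of unconditional `hi = mpn_addmul_1 (rp, m->B, m->size, hi);` steps before the final `cnd_add_n` and keep an `assert (hi == 0);` after it, rather than looping until `hi` is zero. The hunk also deletes the comment `/* Sufficient if b < B^size / p */` together with both asserts without stating the new precondition; the commit message should say which curves violate that bound and what bound on `b` the new code relies on.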
Is it the condition b < B^size / p that is not valid for the GOST curves? What are the problematic values of b and p?

To keep the ecc code side-channel silent, there must be no conditional jumps depending on hi (except for asserts, since they always branch the same way in a non-crashing program). The adjustments can only do unconditional calls to functions like mpn_add_mul_1 and cnd_add_1.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.

_______________________________________________
nettle-bugs mailing list
[email protected]
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
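The rule Niels states above (only unconditional addmul and masked add steps, no branch on hi), shown as an added example that is not Nettle's code: a toy two-limb mod-multiply with its own `addmul_1` and mask-based `cnd_add_n` (names modelled on the mpn/nettle ones; all functions, the 32-bit limb type and the modulus are assumptions of this example). The constructed modulus has a large Bred, so the first fold can leave a carry well above 1, the situation the patch handles with a loop; here the extra fold is a fixed, unconditional step. The reference check assumes a gcc/clang-style compiler with `unsigned __int128`.

```c
#include <stdint.h>
#include <stddef.h>
typedef uint32_t limb_t;  /* 32-bit limbs so every product fits in uint64_t */
#define N 2               /* two limbs: operands below 2^64 */
/* Constructed modulus p = 2^64 - 2^40 + 1; Bred = 2^64 - p = 2^40 - 1, and a carry k out of the top limb folds back in as k * Bred since 2^64 = Bred mod p. */
static const limb_t BRED[N] = { 0xffffffffu, 0x000000ffu };
static const uint64_t P = 0xffffff0000000001ull;
/* rp += ap * b; returns the carry limb (like mpn_addmul_1). */
static limb_t addmul_1(limb_t *rp, const limb_t *ap, size_t n, limb_t b)
{
  uint64_t c = 0;
  for (size_t i = 0; i < n; i++) {
    uint64_t t = (uint64_t)ap[i] * b + rp[i] + c;
    rp[i] = (limb_t)t; c = t >> 32;
  }
  return (limb_t)c;
}
/* rp += ap when cnd == 1, rp += 0 when cnd == 0, selected by a mask: the same
   instructions and memory accesses run either way, so cnd does not leak. */
static limb_t cnd_add_n(limb_t cnd, limb_t *rp, const limb_t *ap, size_t n)
{
  limb_t mask = (limb_t)0 - (cnd & 1);
  uint64_t c = 0;
  for (size_t i = 0; i < n; i++) {
    uint64_t t = (uint64_t)rp[i] + (ap[i] & mask) + c;
    rp[i] = (limb_t)t; c = t >> 32;
  }
  return (limb_t)c;
}
/* rp = ap * b mod p on a fixed straight-line schedule: two addmul folds (a
   no-op when hi is already 0) and one masked add, never a branch on hi.
   Returns the final carry; for this Bred and b < 2^32 it is always 0. */
static limb_t mod_mul_1(limb_t *rp, const limb_t *ap, limb_t b)
{
  rp[0] = rp[1] = 0;
  limb_t hi = addmul_1(rp, ap, N, b);  /* rp = ap * b, hi < 2^32 */
  hi = addmul_1(rp, BRED, N, hi);      /* hi can be well above 1 here: Bred ~ 2^40 */
  hi = addmul_1(rp, BRED, N, hi);      /* second fold leaves hi in {0, 1} */
  return cnd_add_n(hi, rp, BRED, N);
}
/* 128-bit reference (gcc/clang __int128): 1 if the limb result is congruent
   to a * b mod p and no carry was left over, else 0. */
static int check_mod_mul_1(uint64_t a, limb_t b)
{
  limb_t ap[N] = { (limb_t)a, (limb_t)(a >> 32) }, rp[N];
  limb_t hi = mod_mul_1(rp, ap, b);
  uint64_t r = rp[0] | ((uint64_t)rp[1] << 32);
  uint64_t want = (uint64_t)(((unsigned __int128)a * b) % P);
  return hi == 0 && r % P == want;
}
```

With a = 2^64 - 1 and b = 2^32 - 1 the first fold leaves a carry around 255, so the original `assert (hi <= 1)` would fail for this modulus, yet the fixed schedule still ends with carry 0 and the right residue.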
