Hello,

Sat, 11 May 2019 at 11:26, Niels Möller <ni...@lysator.liu.se>:
>
> Dmitry Eremin-Solenikov <dbarysh...@gmail.com> writes:
>
> > Signed-off-by: Dmitry Eremin-Solenikov <dbarysh...@gmail.com> > > --- > > ecc-mod-arith.c | 30 ++++++++++++++++++------------ > > 1 file changed, 18 insertions(+), 12 deletions(-) > > > > diff --git a/ecc-mod-arith.c b/ecc-mod-arith.c > > index f2e47f6747c1..571680a98dc3 100644 > > --- a/ecc-mod-arith.c > > +++ b/ecc-mod-arith.c > > @@ -73,10 +73,12 @@ ecc_mod_mul_1 (const struct ecc_modulo *m, mp_limb_t > > *rp, > > assert (b <= 0xffffffff); > > hi = mpn_mul_1 (rp, ap, m->size, b); > > hi = mpn_addmul_1 (rp, m->B, m->size, hi); > > - assert (hi <= 1); > > - hi = cnd_add_n (hi, rp, m->B, m->size); > > - /* Sufficient if b < B^size / p */ > > - assert (hi == 0); > > + do { > > + if (hi > 1) /* This is necessary for some of GOST curves */ > > + hi = mpn_addmul_1 (rp, m->B, m->size, hi); > > + else > > + hi = cnd_add_n (hi, rp, m->B, m->size); > > + } while (hi != 0); > > }
>
> Is it the condition b < B^size / p that is not valid for the GOST
> curves? What are the problematic values of b and p?
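Review bot: the replacement loop makes the reduction data-dependent: `if (hi > 1)` branches on the carry and `} while (hi != 0);` repeats a number of times determined by the operands, so the running time of ecc_mod_mul_1 now depends on `hi` (and therefore on ap and b), which is exactly the conditional jump the side-channel-silent requirement for this file forbids; dropping `assert (hi == 0);` also removes the only statement of the bound the reduction relies on. Rather than looping, keep a fixed, unconditional sequence of `mpn_addmul_1` / `cnd_add_n` calls whose length is chosen from the largest `hi` the supported moduli can produce, replace the comment `/* This is necessary for some of GOST curves */` with the actual condition on b and p that makes that fixed sequence sufficient (the old `/* Sufficient if b < B^size / p */` at least named one), and restore the final assert as a check on that condition.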
I did not try debugging the maths part of this issue. Basically you can apply the first two patches and then observe asserts failing when running the ecc-benchmark example. The problematic modulus looks like 80000.......something. Bmodp then looks like 7fffffff.....something. Any help at this point is appreciated.

> To keep the ecc code side-channel silent, there must be no conditional
> jumps depending on hi (except for asserts, since they always branch the
> same way in a non-crashing program). The adjustments can only do
> unconditional calls to functions like mpn_add_mul_1 and cnd_add_1.

Yes, thus I've tried adding a loop which should nearly always terminate with just a single compare after cnd_add_1.

-- 
With best wishes
Dmitry

_______________________________________________
nettle-bugs mailing list
nettle-bugs@lists.lysator.liu.se
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
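To make the question of problematic b and p concrete, here is an added Python model of the carry handling in ecc_mod_mul_1 (example code, not nettle's): it performs the same mul_1 / addmul_1 / carry-folding steps on Python integers, once for NIST P-256 and once for a constructed modulus with the 0x8000... top limb the thread describes (a value of that shape, not a GOST parameter), and reports the carry the original code asserts is at most 1 together with the number of extra folding rounds the patched do/while loop would execute.

```python
# Added example, not nettle's code: integer model of the carry handling in
# ecc_mod_mul_1, to see why "b < B^size / p" fails for a 0x8000...-shaped modulus
# and why the patched do/while loop's iteration count depends on the operands.
LIMB_BITS = 64

def mod_mul_1(p, size, a, b):
    """Same steps as the C code (rp = ap * b reduced mod p) on Python integers.

    Returns (r, hi_after_addmul, extra_rounds):
      r               -- value left in rp (< B^size, congruent to a*b mod p)
      hi_after_addmul -- the carry the original code asserts is <= 1
      extra_rounds    -- iterations of the patched do/while loop; the original
                         code does exactly one unconditional cnd_add_n instead
    """
    assert b <= 0xffffffff                    # same precondition as the C code
    B_size = 1 << (LIMB_BITS * size)          # B^size: one past the largest limb array value
    Bmodp = B_size % p                        # m->B in the C code: B^size mod p
    hi, r = divmod(a * b, B_size)             # hi = mpn_mul_1 (rp, ap, size, b)
    hi, r = divmod(r + Bmodp * hi, B_size)    # hi = mpn_addmul_1 (rp, m->B, size, hi)
    hi_after_addmul = hi
    # Patched loop: hi <= 1 goes through cnd_add_n, larger hi through another
    # mpn_addmul_1. Arithmetically both compute r + Bmodp*hi, so one formula
    # models both branches; the number of trips around the loop is the point.
    extra_rounds = 0
    while hi != 0:
        hi, r = divmod(r + Bmodp * hi, B_size)
        extra_rounds += 1
    return r, hi_after_addmul, extra_rounds

# NIST P-256 prime: top limb 0xffffffff00000001, so B^size mod p is only about 2^224.
P256 = 2**256 - 2**224 + 2**192 + 2**96 - 1
# Constructed modulus with a 0x8000... top limb, as described in the thread. It is
# NOT a GOST parameter, just a value of that shape (B^size mod p is then 0x7fff...).
P_HIGH_BIT = 2**255 + 0x431

def compare(b):
    """Run both moduli on a = p - 1 with multiplier b; returns two (hi, rounds) pairs."""
    _, hi1, n1 = mod_mul_1(P256, 4, P256 - 1, b)
    _, hi2, n2 = mod_mul_1(P_HIGH_BIT, 4, P_HIGH_BIT - 1, b)
    return (hi1, n1), (hi2, n2)

if __name__ == "__main__":
    for b in (1, 0xffffffff):
        nist, high = compare(b)
        print(f"b=0x{b:x}: P-256 (hi, rounds)={nist}, 0x8000... modulus (hi, rounds)={high}")
```

For P-256 the carry after mpn_addmul_1 never exceeds 1, so the original asserts hold; for the 0x8000... modulus B^size mod p is close to B^size/2, each fold only halves the carry, and the loop count varies with b, which is the timing signal the thread is worried about.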