I'm working on a draft[0] and an implementation[1] of a protocol using elliptic curves. As part of this draft, we need to convert a byte array to a multiplier. This byte array is a private long-term key.
Specifically of concern is this comment: https://github.com/openssl/openssl/blob/master/crypto/ec/ecp_nistp521.c#L1947

In the case where the multiplier is converted from 66 random bytes to a P-521 multiplier, it is extremely likely that the multiplier will be greater than the order. Can we achieve constant time by calling BN_set_flags(multiplier, BN_FLG_CONSTTIME) followed by BN_mod(multiplier, group->order) before calling EC_POINT_mul()? If not, is there another way to do this?

[0] - https://tools.ietf.org/html/draft-mccallum-kitten-krb-spake-preauth-00
[1] - https://github.com/greghudson/krb5/tree/spake

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
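An added example, not part of the thread and not code from OpenSSL or the krb5 spake branch, modelling the arithmetic behind the question: 66 random bytes are read as a big-endian integer and reduced modulo the P-521 order, exactly what BN_bin2bn followed by BN_mod(order) computes. It also quantifies two things the message leaves implicit: how often the 528-bit value exceeds the 521-bit order (almost always, about 1 - 2^-7), and how much statistical bias the reduction leaves on the resulting scalar (a 1/128 relative skew toward the low residues, which is why the extra-bits method in FIPS 186-4 B.4.1 reduces a value 64 bits longer than the order). The order constant is the SEC 2 / FIPS 186-4 value for P-521. Python integer operations are not constant time, so the BN_FLG_CONSTTIME question itself is not something this code can answer; it only checks the numbers.

```python
import os
from fractions import Fraction

# Order n of the NIST P-521 group (SEC 2 / FIPS 186-4), assembled from its hex form.
P521_ORDER = int(
    "01ff"
    + "ffffffff" * 7
    + "fffffffa"
    + "51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409",
    16,
)


def scalar_from_bytes(raw: bytes, order: int = P521_ORDER) -> int:
    """Read raw bytes as a big-endian integer and reduce it mod the group order.

    This mirrors the arithmetic of BN_bin2bn followed by BN_mod(order). It is a
    model only: Python big-integer arithmetic is not constant time.
    """
    k = int.from_bytes(raw, "big") % order
    if k == 0:
        # A zero multiplier maps every point to infinity; reject it
        # (probability ~2^-521 for random input).
        raise ValueError("scalar reduced to zero")
    return k


def needs_reduction_probability(nbytes: int, order: int = P521_ORDER) -> Fraction:
    """Exact probability that a uniform nbytes-byte integer is >= order."""
    space = 1 << (8 * nbytes)
    if space < order:
        raise ValueError("input shorter than the order")
    return Fraction(space - order, space)


def max_relative_bias(nbytes: int, order: int = P521_ORDER) -> Fraction:
    """Worst-case relative over-representation of a residue after reduction.

    2^(8*nbytes) inputs land on `order` residues. With q = 2^(8*nbytes) // order
    and r the remainder, residues below r receive q+1 preimages and the rest q,
    so the most likely residues are 1/q more probable than the least likely.
    """
    space = 1 << (8 * nbytes)
    if space < order:
        raise ValueError("input shorter than the order")
    q, r = divmod(space, order)
    return Fraction(1, q) if r else Fraction(0)


def bytes_for_bias(max_bias: Fraction, order: int = P521_ORDER) -> int:
    """Smallest input length whose reduction bias does not exceed max_bias."""
    nbytes = (order.bit_length() + 7) // 8
    while max_relative_bias(nbytes, order) > max_bias:
        nbytes += 1
    return nbytes


if __name__ == "__main__":
    key = os.urandom(66)  # constructed stand-in for the 66-byte long-term key
    k = scalar_from_bytes(key)
    print("reduced scalar bit length:", k.bit_length())
    print("P(66 random bytes >= n):", float(needs_reduction_probability(66)))
    print("max relative bias with 66 bytes:", max_relative_bias(66))
    print("bytes needed for bias <= 2^-64:", bytes_for_bias(Fraction(1, 2**64)))
```

For a fixed 66-byte key the derivation has to be deterministic, so rejection sampling (FIPS 186-4 B.4.2) is not an option; if the 2^-7 skew matters for the protocol, one way to keep a deterministic mapping with negligible bias is to expand the key bytes with a KDF to 74 or more bytes before the reduction (my suggestion, not something the thread or the draft specifies).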