Fix for select point from table in ec_nistp scalar_mul #1719

Merged
merged 1 commit into from
Jul 24, 2024
33 changes: 22 additions & 11 deletions crypto/fipsmodule/ec/ec_nistp.c
Expand Up @@ -360,16 +360,27 @@ static void generate_table(const ec_nistp_meth *ctx,
}
}

// Writes to xyz_out the idx-th point from table in constant-time.
static void select_point_from_table(const ec_nistp_meth *ctx,
ec_nistp_felem_limb *xyz_out,
const ec_nistp_felem_limb *table,
const size_t idx) {
size_t entry_size = 3 * ctx->felem_num_limbs * sizeof(ec_nistp_felem_limb);

constant_time_select_entry_from_table_8(
(uint8_t*)xyz_out, (uint8_t*)table,
// Writes to out the idx-th point from table in constant-time.
static inline void select_point_from_table(const ec_nistp_meth *ctx,
ec_nistp_felem_limb *out,
const ec_nistp_felem_limb *table,
const size_t idx,
const size_t projective) {
samuel40791765 marked this conversation as resolved.
// if projective != 0 then a point is (x, y, z), otherwise (x, y).
size_t point_num_coord = 2 + (projective != 0 ? 1 : 0);
size_t point_num_limbs = ctx->felem_num_limbs * point_num_coord;

// The ifdef branching below is temporary. Using only constant_..._table_8
// would be best for simplicity, but unfortunatelly, on x86 systems it is
// significantly slower than constant_..._table_w.
#if defined(EC_NISTP_USE_64BIT_LIMB) && defined(OPENSSL_64_BIT)
constant_time_select_entry_from_table_w(out, (crypto_word_t*) table, idx,
SCALAR_MUL_TABLE_NUM_POINTS, point_num_limbs);
#else
size_t entry_size = point_num_limbs * sizeof(ec_nistp_felem_limb);
constant_time_select_entry_from_table_8((uint8_t*)out, (uint8_t*)table,
idx, SCALAR_MUL_TABLE_NUM_POINTS, entry_size);
#endif
}

// Multiplication of an arbitrary point by a scalar, r = [scalar]P.
Expand Down Expand Up @@ -443,7 +454,7 @@ void ec_nistp_scalar_mul(const ec_nistp_meth *ctx,
// can't be negative).
int16_t idx = rwnaf[num_windows - 1];
idx >>= 1;
select_point_from_table(ctx, res, table, idx);
select_point_from_table(ctx, res, table, idx, 1);

// Step 2. Process the remaining digits of the scalar (s_{m-2} to s_0).
for (int i = num_windows - 2; i >= 0; i--) {
Expand All @@ -459,7 +470,7 @@ void ec_nistp_scalar_mul(const ec_nistp_meth *ctx,

// Step 4b. Select from table the point corresponding to abs(s_i).
idx = d >> 1;
select_point_from_table(ctx, tmp, table, idx);
select_point_from_table(ctx, tmp, table, idx, 1);

// Step 4c. Negate the point if s_i < 0.
ec_nistp_felem ftmp;
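Review bot: In select_point_from_table (first hunk), the `_w` branch passes `point_num_limbs` as the entry size in words and casts `table` to `crypto_word_t*`, which is only correct if `ec_nistp_felem_limb` is exactly one `crypto_word_t` wide; the `#if` guard implies this but nothing enforces it. A compile-time assertion that `sizeof(ec_nistp_felem_limb) == sizeof(crypto_word_t)` inside that branch would stop a future limb-type change from silently selecting with the wrong stride. The casts also drop the `const` qualifier from `table`; `(const crypto_word_t *)table` and `(const uint8_t *)table` would keep it, assuming the helpers take a const input pointer (their prototypes are not visible here). The header comment should also state the layout the function cannot check, e.g. `// table must hold SCALAR_MUL_TABLE_NUM_POINTS points, each of 2 or 3 field elements as selected by projective.`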