diff options
Diffstat (limited to 'src/lib/libcrypto/ec/ec2_mult.c')
| -rw-r--r-- | src/lib/libcrypto/ec/ec2_mult.c | 27 |
1 files changed, 16 insertions, 11 deletions
diff --git a/src/lib/libcrypto/ec/ec2_mult.c b/src/lib/libcrypto/ec/ec2_mult.c index 26f4a783fc..1c575dc47a 100644 --- a/src/lib/libcrypto/ec/ec2_mult.c +++ b/src/lib/libcrypto/ec/ec2_mult.c | |||
| @@ -208,11 +208,15 @@ static int gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIG | |||
| 208 | return ret; | 208 | return ret; |
| 209 | } | 209 | } |
| 210 | 210 | ||
| 211 | |||
| 211 | /* Computes scalar*point and stores the result in r. | 212 | /* Computes scalar*point and stores the result in r. |
| 212 | * point can not equal r. | 213 | * point can not equal r. |
| 213 | * Uses algorithm 2P of | 214 | * Uses a modified algorithm 2P of |
| 214 | * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over | 215 | * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over |
| 215 | * GF(2^m) without precomputation" (CHES '99, LNCS 1717). | 216 | * GF(2^m) without precomputation" (CHES '99, LNCS 1717). |
| 217 | * | ||
| 218 | * To protect against side-channel attack the function uses constant time swap, | ||
| 219 | * avoiding conditional branches. | ||
| 216 | */ | 220 | */ |
| 217 | static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, | 221 | static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, |
| 218 | const EC_POINT *point, BN_CTX *ctx) | 222 | const EC_POINT *point, BN_CTX *ctx) |
| @@ -246,6 +250,11 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, | |||
| 246 | x2 = &r->X; | 250 | x2 = &r->X; |
| 247 | z2 = &r->Y; | 251 | z2 = &r->Y; |
| 248 | 252 | ||
| 253 | bn_wexpand(x1, group->field.top); | ||
| 254 | bn_wexpand(z1, group->field.top); | ||
| 255 | bn_wexpand(x2, group->field.top); | ||
| 256 | bn_wexpand(z2, group->field.top); | ||
| 257 | |||
| 249 | if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */ | 258 | if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) goto err; /* x1 = x */ |
| 250 | if (!BN_one(z1)) goto err; /* z1 = 1 */ | 259 | if (!BN_one(z1)) goto err; /* z1 = 1 */ |
| 251 | if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */ | 260 | if (!group->meth->field_sqr(group, z2, x1, ctx)) goto err; /* z2 = x1^2 = x^2 */ |
| @@ -270,16 +279,12 @@ static int ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, | |||
| 270 | word = scalar->d[i]; | 279 | word = scalar->d[i]; |
| 271 | while (mask) | 280 | while (mask) |
| 272 | { | 281 | { |
| 273 | if (word & mask) | 282 | BN_consttime_swap(word & mask, x1, x2, group->field.top); |
| 274 | { | 283 | BN_consttime_swap(word & mask, z1, z2, group->field.top); |
| 275 | if (!gf2m_Madd(group, &point->X, x1, z1, x2, z2, ctx)) goto err; | 284 | if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err; |
| 276 | if (!gf2m_Mdouble(group, x2, z2, ctx)) goto err; | 285 | if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err; |
| 277 | } | 286 | BN_consttime_swap(word & mask, x1, x2, group->field.top); |
| 278 | else | 287 | BN_consttime_swap(word & mask, z1, z2, group->field.top); |
| 279 | { | ||
| 280 | if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err; | ||
| 281 | if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err; | ||
| 282 | } | ||
| 283 | mask >>= 1; | 288 | mask >>= 1; |
| 284 | } | 289 | } |
| 285 | mask = BN_TBIT; | 290 | mask = BN_TBIT; |