authorNever <[email protected]>2017-02-22 17:50:46 +0100
committerNever <[email protected]>2017-02-22 17:50:46 +0100
commit2771f65b33b819e19f1483df991ac0a7ead20081 (patch)
tree8d2652d9d316e85a92b95aa16890020a5459219c
parentb521e251b2786fa8a06a1d7de10072769b7d685d (diff)
Converge on a single side channel silent ec mp alg: randomized
Montgomery ladder with order.bits()/2 bit scalar blinding and point randomization
-rw-r--r--src/build-data/buildh.in17
-rw-r--r--src/lib/math/ec_gfp/point_gfp.cpp50
2 files changed, 7 insertions, 60 deletions
diff --git a/src/build-data/buildh.in b/src/build-data/buildh.in
index de2b5c8b5..1c389fe02 100644
--- a/src/build-data/buildh.in
+++ b/src/build-data/buildh.in
@@ -80,21 +80,14 @@
#define BOTAN_USE_VOLATILE_MEMSET_FOR_ZERO 1
/*
-* If enabled the ECC implementation will use Montgomery ladder
-* instead of a fixed window implementation.
+* If enabled the ECC implementation will use scalar blinding with order.bits()/2
+* bit long masks.
*/
-#define BOTAN_POINTGFP_BLINDED_MULTIPLY_USE_MONTGOMERY_LADDER 0
-
-/*
-* Set number of bits used to generate mask for blinding the scalar of
-* a point multiplication. Set to zero to disable this side-channel
-* countermeasure.
-*/
-#define BOTAN_POINTGFP_SCALAR_BLINDING_BITS 20
+#define BOTAN_POINTGFP_USE_SCALAR_BLINDING 1
/*
* Set number of bits used to generate mask for blinding the
-* representation of an ECC point. Set to zero to diable this
+* representation of an ECC point. Set to zero to disable this
* side-channel countermeasure.
*/
#define BOTAN_POINTGFP_RANDOMIZE_BLINDING_BITS 80
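Review bot: The new comment above `BOTAN_POINTGFP_USE_SCALAR_BLINDING` says the masks are "order.bits()/2 bit long", but the consumer in point_gfp.cpp (the `blinded_multiply` hunk of this same commit) sizes the mask as `(m_order.bits()+1)/2`, i.e. rounded up, and if the trailing `false` there is the set-high-bit flag the effective length can also be a few bits shorter. Suggest making the comment match the code: `* If enabled the ECC implementation will blind the scalar (k' = k + m*order) with a` / `* random mask m of (order.bits()+1)/2 bits.`. Since point_gfp.cpp tests the flag with a bare `#if`, a build header that omits this define silently compiles the countermeasure out; it may be worth saying so in the comment, or having point_gfp.cpp `#error` when the macro is undefined.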
@@ -104,7 +97,7 @@
* its inverse, of a form appropriate to the algorithm being blinded), and
* then choosing new blinding operands by successive squaring of both
* values. This is much faster than computing a new starting point but
-* introduces some possible coorelation
+* introduces some possible corelation
*
* To avoid possible leakage problems in long-running processes, the blinder
* periodically reinitializes the sequence. This value specifies how often
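Review bot: The replacement spelling `corelation` on the `+` line is still wrong; the word is `correlation`, so the line should read `* introduces some possible correlation`. Worth fixing here because this comment documents the known side-channel trade-off of reusing blinding values by squaring.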
diff --git a/src/lib/math/ec_gfp/point_gfp.cpp b/src/lib/math/ec_gfp/point_gfp.cpp
index bb446566e..5283b7352 100644
--- a/src/lib/math/ec_gfp/point_gfp.cpp
+++ b/src/lib/math/ec_gfp/point_gfp.cpp
@@ -314,8 +314,6 @@ Blinded_Point_Multiply::Blinded_Point_Multiply(const PointGFp& base, const BigIn
const CurveGFp& curve = base.get_curve();
-#if BOTAN_POINTGFP_BLINDED_MULTIPLY_USE_MONTGOMERY_LADDER
-
const PointGFp inv = -base;
m_U.resize(6*m_h + 3);
@@ -332,17 +330,6 @@ Blinded_Point_Multiply::Blinded_Point_Multiply(const PointGFp& base, const BigIn
m_U[3*m_h+1-i] = m_U[3*m_h+2-i];
m_U[3*m_h+1-i].add(inv, m_ws);
}
-#else
- m_U.resize(1 << m_h);
- m_U[0] = PointGFp::zero_of(curve);
- m_U[1] = base;
-
- for(size_t i = 2; i < m_U.size(); ++i)
- {
- m_U[i] = m_U[i-1];
- m_U[i].add(base, m_ws);
- }
-#endif
}
PointGFp Blinded_Point_Multiply::blinded_multiply(const BigInt& scalar_in,
@@ -351,9 +338,9 @@ PointGFp Blinded_Point_Multiply::blinded_multiply(const BigInt& scalar_in,
if(scalar_in.is_negative())
throw Invalid_Argument("Blinded_Point_Multiply scalar must be positive");
-#if BOTAN_POINTGFP_SCALAR_BLINDING_BITS > 0
+#if BOTAN_POINTGFP_USE_SCALAR_BLINDING
// Choose a small mask m and use k' = k + m*order (Coron's 1st countermeasure)
- const BigInt mask(rng, BOTAN_POINTGFP_SCALAR_BLINDING_BITS, false);
+ const BigInt mask(rng, (m_order.bits()+1)/2, false);
const BigInt scalar = scalar_in + m_order * mask;
#else
const BigInt& scalar = scalar_in;
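Review bot: The surviving comment `// Choose a small mask m and use k' = k + m*order (Coron's 1st countermeasure)` no longer describes the new line below it, which draws a mask of `(m_order.bits()+1)/2` bits, roughly half the order size, rather than the former 20-bit value. Suggest `// Choose a mask m of about order.bits()/2 bits and use k' = k + m*order (Coron's 1st countermeasure)`. If the trailing `false` argument is the set-high-bit flag, the mask's actual bit length, and hence the length of `scalar`, varies from call to call by the mask's leading zeros; should the ladder later derive its iteration count from `scalar.bits()`, that is a small length-dependent variation worth either a comment or a fixed iteration count. blinded_multiply starts before this hunk and continues after it.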
@@ -365,7 +352,6 @@ PointGFp Blinded_Point_Multiply::blinded_multiply(const BigInt& scalar_in,
for(size_t i = 0; i != m_U.size(); ++i)
m_U[i].randomize_repr(rng);
-#if BOTAN_POINTGFP_BLINDED_MULTIPLY_USE_MONTGOMERY_LADDER
PointGFp R = m_U.at(3*m_h + 2); // base point
int32_t alpha = 0;
@@ -395,38 +381,6 @@ PointGFp Blinded_Point_Multiply::blinded_multiply(const BigInt& scalar_in,
const int32_t k0 = scalar.get_bit(0);
R.add(m_U[3*m_h + 1 - alpha - (k0 ^ 1)], m_ws);
-#else
-
- // N-bit windowing exponentiation:
-
- size_t windows = round_up(scalar_bits, m_h) / m_h;
-
- PointGFp R = m_U[0];
-
- if(windows > 0)
- {
- windows--;
- const uint32_t nibble = scalar.get_substring(windows*m_h, m_h);
- R.add(m_U[nibble], m_ws);
-
- /*
- Randomize after adding the first nibble as before the addition R
- is zero, and we cannot effectively randomize the point
- representation of the zero point.
- */
- R.randomize_repr(rng);
-
- while(windows)
- {
- for(size_t i = 0; i != m_h; ++i)
- R.mult2(m_ws);
-
- const uint32_t inner_nibble = scalar.get_substring((windows-1)*m_h, m_h);
- R.add(m_U[inner_nibble], m_ws);
- windows--;
- }
- }
-#endif
//BOTAN_ASSERT(R.on_the_curve(), "Output is on the curve");