author | Jack Lloyd <[email protected]> | 2018-03-25 16:00:21 -0400 |
committer | Jack Lloyd <[email protected]> | 2018-03-25 16:01:12 -0400 |
commit | 61fd8717d3f966b9e4831be4c6509d7e7eca8829 (patch) | |
tree | 26c2a6cb39eca3140f7543a520da9a3e87e30743 | |
parent | a2b2f94d3190bee6e296718cd1d39f6425b77ab0 (diff) |
Handle some corner cases in ECC mult
For blinded_base_point_multiply_x if result is point at infinity
(eg due to k == group_order) return 0 instead of throwing.
For base point multiply, reduce k mod order before masking otherwise
the combination of k + mask might exceed our precomputed table.
-rw-r--r-- | src/lib/pubkey/ec_group/ec_group.cpp | 8 | ||||
-rw-r--r-- | src/lib/pubkey/ec_group/point_mul.cpp | 9 | ||||
-rw-r--r-- | src/lib/pubkey/ec_group/point_mul.h | 7 |
3 files changed, 19 insertions, 5 deletions
diff --git a/src/lib/pubkey/ec_group/ec_group.cpp b/src/lib/pubkey/ec_group/ec_group.cpp
index 45aef6c2f..1fb762e4b 100644
--- a/src/lib/pubkey/ec_group/ec_group.cpp
+++ b/src/lib/pubkey/ec_group/ec_group.cpp
@@ -39,7 +39,7 @@ class EC_Group_Data final
          m_order(order),
          m_cofactor(cofactor),
          m_mod_order(order),
-         m_base_mult(m_base_point),
+         m_base_mult(m_base_point, m_mod_order),
          m_oid(oid),
          m_p_bits(p.bits()),
          m_order_bits(order.bits()),
@@ -502,7 +502,11 @@ BigInt EC_Group::blinded_base_point_multiply_x(const BigInt& k,
                                                RandomNumberGenerator& rng,
                                                std::vector<BigInt>& ws) const
    {
-   return data().blinded_base_point_multiply(k, rng, ws).get_affine_x();
+   const PointGFp pt = data().blinded_base_point_multiply(k, rng, ws);
+
+   if(pt.is_zero())
+      return 0;
+   return pt.get_affine_x();
    }
 
 BigInt EC_Group::random_scalar(RandomNumberGenerator& rng) const
diff --git a/src/lib/pubkey/ec_group/point_mul.cpp b/src/lib/pubkey/ec_group/point_mul.cpp
index d42a5d5e8..d052b837c 100644
--- a/src/lib/pubkey/ec_group/point_mul.cpp
+++ b/src/lib/pubkey/ec_group/point_mul.cpp
@@ -6,6 +6,7 @@
 
 #include <botan/internal/point_mul.h>
 #include <botan/rng.h>
+#include <botan/reducer.h>
 #include <botan/internal/rounding.h>
 
 namespace Botan {
@@ -38,8 +39,10 @@ PointGFp Blinded_Point_Multiply::blinded_multiply(const BigInt& scalar,
    return m_point_mul->mul(scalar, rng, m_order, m_ws);
    }
 
-PointGFp_Base_Point_Precompute::PointGFp_Base_Point_Precompute(const PointGFp& base) :
+PointGFp_Base_Point_Precompute::PointGFp_Base_Point_Precompute(const PointGFp& base,
+                                                               const Modular_Reducer& mod_order) :
    m_base_point(base),
+   m_mod_order(mod_order),
    m_p_words(base.get_curve().get_p().size()),
    m_T_size(base.get_curve().get_p().bits() + PointGFp_SCALAR_BLINDING_BITS + 1)
    {
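Review bot: The new zero return in blinded_base_point_multiply_x turns the point-at-infinity case into an x-coordinate of 0, and nothing in the hunk records that callers must treat 0 as "no valid x" rather than as a real coordinate. That is only safe if every caller already rejects a zero result (presumably the r == 0 check in the ECDSA signer), so the contract belongs in a comment at the return: `// The point at infinity has no affine x (e.g. k == 0 mod order); return 0 so callers reject it the same way as r == 0`. The public declaration in ec_group.h is not part of this diff and should document the 0 return too. The function's signature line sits in the hunk header, so its opening lies outside the hunk.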
@@ -97,7 +100,9 @@ PointGFp PointGFp_Base_Point_Precompute::mul(const BigInt& k,
 
    // Choose a small mask m and use k' = k + m*order (Coron's 1st countermeasure)
    const BigInt mask(rng, PointGFp_SCALAR_BLINDING_BITS, false);
-   const BigInt scalar = k + group_order * mask;
+
+   // Instead of reducing k mod group order should we alter the mask size??
+   const BigInt scalar = m_mod_order.reduce(k) + group_order * mask;
 
    size_t windows = round_up(scalar.bits(), 2) / 2;
 
diff --git a/src/lib/pubkey/ec_group/point_mul.h b/src/lib/pubkey/ec_group/point_mul.h
index 64672d9a4..cfce05d5c 100644
--- a/src/lib/pubkey/ec_group/point_mul.h
+++ b/src/lib/pubkey/ec_group/point_mul.h
@@ -11,12 +11,15 @@
 
 namespace Botan {
 
+class Modular_Reducer;
+
 static const size_t PointGFp_SCALAR_BLINDING_BITS = 80;
 
 class PointGFp_Base_Point_Precompute
    {
    public:
-      PointGFp_Base_Point_Precompute(const PointGFp& base_point);
+      PointGFp_Base_Point_Precompute(const PointGFp& base_point,
+                                     const Modular_Reducer& mod_order);
 
       PointGFp mul(const BigInt& k,
                    RandomNumberGenerator& rng,
@@ -24,6 +27,8 @@ class PointGFp_Base_Point_Precompute
                    std::vector<BigInt>& ws) const;
    private:
       const PointGFp& m_base_point;
+      const Modular_Reducer& m_mod_order;
+
       const size_t m_p_words;
       const size_t m_T_size;
 
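Review bot: The added `m_mod_order.reduce(k)` runs on the unblinded secret scalar before the Coron mask is added, so any input-dependent timing in Modular_Reducer::reduce is exposed on k itself rather than on the blinded value; whether reduce() is acceptable for a secret input is not visible in this diff and deserves either a comment or a review of that routine. The new comment `// Instead of reducing k mod group order should we alter the mask size??` records an open question instead of the invariant the code now depends on; stating it would serve the next reader better, e.g. `// Reduce k first so scalar.bits() stays within the m_T_size table (p bits + PointGFp_SCALAR_BLINDING_BITS + 1) built by the constructor`. mul() begins in the hunk header and continues past the hunk.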
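Review bot: The new mod_order parameter is stored by reference (`const Modular_Reducer& m_mod_order;` in the second point_mul.h hunk), as m_base_point already is, but the header says nothing about the caller having to keep both objects alive for as long as the precompute object exists. EC_Group_Data passes its own members (first ec_group.cpp hunk), so this holds today, yet a copy or move of the owner would leave both references dangling; a line on the constructor such as `// base_point and mod_order are held by reference and must outlive this object` would make the contract explicit. The class declaration continues outside the hunk.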