Document leak of exponent size

author: Jack Lloyd <[email protected]> 2018-06-14 21:49:38 -0400
committer: Jack Lloyd <[email protected]> 2018-06-14 21:49:38 -0400
commit: 9e1e4c69536dea537385f0181192b04d10f6243d (patch)
tree: 3ece78b038afff573a34b41d27d993c940f4c60f /doc/manual/side_channels.rst
parent: 30107ae9ad3b077294659179c4df84daa26bf602 (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/doc/manual/side_channels.rst b/doc/manual/side_channels.rst
index 8cb5b1188..b7d868cbf 100644
--- a/doc/manual/side_channels.rst
+++ b/doc/manual/side_channels.rst
@@ -109,8 +109,10 @@ Modular Exponentiation
 ------------------------
 
 Modular exponentiation uses a fixed window algorithm with Montgomery
-representation. A side channel silent table lookup is used to access the
-precomputed powers. See monty_exp.cpp
+representation. A side channel silent table lookup is used to access
+the precomputed powers. Currently the bit length of the exponent is
+leaked (with a granularity based on the window size, typically 4 bits)
+due to the number of loop iterations. See monty_exp.cpp
 
 Karatsuba multiplication algorithm avoids any conditional branches; in
 cases where different operations must be performed it instead uses masked
author	Jack Lloyd <[email protected]>	2018-06-14 21:49:38 -0400
committer	Jack Lloyd <[email protected]>	2018-06-14 21:49:38 -0400
commit	9e1e4c69536dea537385f0181192b04d10f6243d (patch)
tree	3ece78b038afff573a34b41d27d993c940f4c60f /doc/manual/side_channels.rst
parent	30107ae9ad3b077294659179c4df84daa26bf602 (diff)