diff options
author | Jack Lloyd <[email protected]> | 2018-06-20 19:34:45 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-06-20 19:34:45 -0400 |
commit | cae2d0f3b80483b4d1318afade42a466b63f33e0 (patch) | |
tree | 0b3cb302f340cbfcb163817dddd54f530a2d6ab2 /doc/manual/side_channels.rst | |
parent | 4288e3be60ed1af49f9295252a7ca086b1d7ef4a (diff) |
Use masked table lookups for variable point scalar mult
Diffstat (limited to 'doc/manual/side_channels.rst')
-rw-r--r-- | doc/manual/side_channels.rst | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/doc/manual/side_channels.rst b/doc/manual/side_channels.rst index 2c485a96d..459b21396 100644 --- a/doc/manual/side_channels.rst +++ b/doc/manual/side_channels.rst @@ -174,12 +174,12 @@ point doublings and point additions. The elements of the table are accessed by masked lookups, so as not to leak information about bits of the scalar via a cache side channel. -The variable point multiplication algorithm uses a simple fixed-window -exponentiation algorithm. Since this is normally invoked using untrusted points -(eg in ECDH key exchange) it randomizes all inputs to prevent attacks which are -based on chosen input points. However currently the table access is not constant -time, and leaks by a cache based side channel. The assumption is that scalar -blinding prevents this from being exploitable. +The variable point multiplication algorithm uses a fixed-window algorithm. Since +this is normally invoked using untrusted points (eg during ECDH key exchange) it +randomizes all inputs to prevent attacks which are based on chosen input +points. The table of precomputed multiples is accessed using a masked lookup +which should not leak information about the secret scalar to an attacker who can +mount a cache-based side channel attack. See point_gfp.cpp and point_mul.cpp |