aboutsummaryrefslogtreecommitdiffstats
path: root/doc/manual/side_channels.rst
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2018-06-20 19:34:45 -0400
committerJack Lloyd <[email protected]>2018-06-20 19:34:45 -0400
commitcae2d0f3b80483b4d1318afade42a466b63f33e0 (patch)
tree0b3cb302f340cbfcb163817dddd54f530a2d6ab2 /doc/manual/side_channels.rst
parent4288e3be60ed1af49f9295252a7ca086b1d7ef4a (diff)
Use masked table lookups for variable point scalar mult
Diffstat (limited to 'doc/manual/side_channels.rst')
-rw-r--r--doc/manual/side_channels.rst12
1 files changed, 6 insertions, 6 deletions
diff --git a/doc/manual/side_channels.rst b/doc/manual/side_channels.rst
index 2c485a96d..459b21396 100644
--- a/doc/manual/side_channels.rst
+++ b/doc/manual/side_channels.rst
@@ -174,12 +174,12 @@ point doublings and point additions. The elements of the table are accessed
by masked lookups, so as not to leak information about bits of the scalar
via a cache side channel.
-The variable point multiplication algorithm uses a simple fixed-window
-exponentiation algorithm. Since this is normally invoked using untrusted points
-(eg in ECDH key exchange) it randomizes all inputs to prevent attacks which are
-based on chosen input points. However currently the table access is not constant
-time, and leaks by a cache based side channel. The assumption is that scalar
-blinding prevents this from being exploitable.
+The variable point multiplication algorithm uses a fixed-window algorithm. Since
+this is normally invoked using untrusted points (eg during ECDH key exchange) it
+randomizes all inputs to prevent attacks which are based on chosen input
+points. The table of precomputed multiples is accessed using a masked lookup
+which should not leak information about the secret scalar to an attacker who can
+mount a cache-based side channel attack.
See point_gfp.cpp and point_mul.cpp