author: Jack Lloyd <[email protected]> 2018-06-20 19:34:45 -0400
committer: Jack Lloyd <[email protected]> 2018-06-20 19:34:45 -0400
commit: cae2d0f3b80483b4d1318afade42a466b63f33e0 (patch)
tree: 0b3cb302f340cbfcb163817dddd54f530a2d6ab2 /doc
parent: 4288e3be60ed1af49f9295252a7ca086b1d7ef4a (diff)
Use masked table lookups for variable point scalar mult
Diffstat (limited to 'doc')
-rw-r--r-- doc/manual/side_channels.rst | 12
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/doc/manual/side_channels.rst b/doc/manual/side_channels.rst
index 2c485a96d..459b21396 100644
--- a/doc/manual/side_channels.rst
+++ b/doc/manual/side_channels.rst
@@ -174,12 +174,12 @@ point doublings and point additions. The elements of the table are accessed
by masked lookups, so as not to leak information about bits of the scalar
via a cache side channel.
-The variable point multiplication algorithm uses a simple fixed-window
-exponentiation algorithm. Since this is normally invoked using untrusted points
-(eg in ECDH key exchange) it randomizes all inputs to prevent attacks which are
-based on chosen input points. However currently the table access is not constant
-time, and leaks by a cache based side channel. The assumption is that scalar
-blinding prevents this from being exploitable.
+The variable point multiplication algorithm uses a fixed-window algorithm. Since
+this is normally invoked using untrusted points (eg during ECDH key exchange) it
+randomizes all inputs to prevent attacks which are based on chosen input
+points. The table of precomputed multiples is accessed using a masked lookup
+which should not leak information about the secret scalar to an attacker who can
+mount a cache-based side channel attack.
See point_gfp.cpp and point_mul.cpp
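Review bot: the rewritten paragraph drops the statement that scalar blinding is what makes table-access leakage unexploitable, and "randomizes all inputs" no longer says whether the scalar is among the randomized inputs, so a reader cannot tell whether the masked lookup is layered on top of blinding or replaces it; state explicitly that the scalar is still blinded in addition to the masked table lookup. "which should not leak information about the secret scalar" also hedges where the fixed-point paragraph directly above says "so as not to leak"; if the masked lookup reads every table entry unconditionally, say so and match that wording, e.g. "The table of precomputed multiples is accessed using a masked lookup that touches every entry, so the memory access pattern does not depend on the scalar." Finally, the trailing "See point_gfp.cpp and point_mul.cpp" points at two whole files; naming the lookup routine that performs the masking would let a reader verify the claim rather than take it on trust.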