Side channel commentary

author: lloyd <[email protected]> 2015-01-08 13:25:48 +0000
committer: lloyd <[email protected]> 2015-01-08 13:25:48 +0000
commit: 046da982c11170f2d37f9b3acd803a56fe325abd (patch)
tree: f98648a5e871401714e931e3ccc2f93dc3b6a321 /src/lib/math/mp/mp_monty.cpp
parent: 8e92f925bcf6039f405f841219fdf3ff020cabf9 (diff)
1 files changed, 15 insertions, 0 deletions
diff --git a/src/lib/math/mp/mp_monty.cpp b/src/lib/math/mp/mp_monty.cpp
index 095457dbe..331153f06 100644
--- a/src/lib/math/mp/mp_monty.cpp
+++ b/src/lib/math/mp/mp_monty.cpp
@@ -56,12 +56,27 @@ void bigint_monty_redc(word z[],
          }
       }
 
+   /*
+   * The result might need to be reduced mod p. To avoid a timing
+   * channel, always perform the subtraction. If in the compution
+   * of x - p a borrow is required then x was already < p.
+   *
+   * x - p starts at ws[0] and is p_size+1 bytes long
+   * x starts at ws[p_size+1] and is also p_size+1 bytes log
+   * (that's the copy_mem)
+   *
+   * Select which address to copy from indexing off of the final
+   * borrow.
+   */
+
    word borrow = 0;
    for(size_t i = 0; i != p_size; ++i)
       ws[i] = word_sub(z[p_size + i], p[i], &borrow);
 
    ws[p_size] = word_sub(z[p_size+p_size], 0, &borrow);
 
+   BOTAN_ASSERT(borrow == 0 || borrow == 1, "Expected borrow");
+
    copy_mem(ws + p_size + 1, z + p_size, p_size + 1);
 
    copy_mem(z, ws + borrow*(p_size+1), p_size + 1);
author	lloyd <[email protected]>	2015-01-08 13:25:48 +0000
committer	lloyd <[email protected]>	2015-01-08 13:25:48 +0000
commit	046da982c11170f2d37f9b3acd803a56fe325abd (patch)
tree	f98648a5e871401714e931e3ccc2f93dc3b6a321 /src/lib/math/mp/mp_monty.cpp
parent	8e92f925bcf6039f405f841219fdf3ff020cabf9 (diff)