author | Jack Lloyd <[email protected]> | 2018-06-20 15:58:35 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-06-20 15:58:35 -0400 |
commit | 0ca8c2005661fd7a4041ac7a800a9e326a576dfe (patch) | |
tree | 66e283efcffaf8712ed30cd1cc0ef5dcc103e17a /src/lib/pubkey/ec_group | |
parent | 1d0eb1afd390b3b7e2719f6d80e9964a618a26b8 (diff) |
Remove build time toggle for ECC coordinate masking
This is not a decision we should leave to end users.
And always use a random mask equal in size to the underlying field.
It was never quite clear if 80 bits was sufficient or not. But
taking a random field element is clearly the best possible situation,
and has very little additional cost.
Diffstat (limited to 'src/lib/pubkey/ec_group')
-rw-r--r-- | src/lib/pubkey/ec_group/point_gfp.cpp | 25 | ||||
-rw-r--r-- | src/lib/pubkey/ec_group/point_mul.cpp | 7 |
2 files changed, 16 insertions, 16 deletions
diff --git a/src/lib/pubkey/ec_group/point_gfp.cpp b/src/lib/pubkey/ec_group/point_gfp.cpp
index b1c921a51..206c8e749 100644
--- a/src/lib/pubkey/ec_group/point_gfp.cpp
+++ b/src/lib/pubkey/ec_group/point_gfp.cpp
@@ -47,20 +47,21 @@ void PointGFp::randomize_repr(RandomNumberGenerator& rng)
 void PointGFp::randomize_repr(RandomNumberGenerator& rng, secure_vector<word>& ws)
 {
- if(BOTAN_POINTGFP_RANDOMIZE_BLINDING_BITS > 1)
- {
- BigInt mask;
- while(mask.is_zero())
- mask.randomize(rng, BOTAN_POINTGFP_RANDOMIZE_BLINDING_BITS, false);
+ const BigInt mask = BigInt::random_integer(rng, 2, m_curve.get_p());
- //m_curve.to_rep(mask, ws);
- const BigInt mask2 = m_curve.sqr_to_tmp(mask, ws);
- const BigInt mask3 = m_curve.mul_to_tmp(mask2, mask, ws);
+ /*
+ * No reason to convert this to Montgomery representation first,
+ * just pretend the random mask was chosen as Redc(mask) and the
+ * random mask we generated above is in the Montgomery
+ * representation.
+ * //m_curve.to_rep(mask, ws);
+ */
+ const BigInt mask2 = m_curve.sqr_to_tmp(mask, ws);
+ const BigInt mask3 = m_curve.mul_to_tmp(mask2, mask, ws);
- m_coord_x = m_curve.mul_to_tmp(m_coord_x, mask2, ws);
- m_coord_y = m_curve.mul_to_tmp(m_coord_y, mask3, ws);
- m_coord_z = m_curve.mul_to_tmp(m_coord_z, mask, ws);
- }
+ m_coord_x = m_curve.mul_to_tmp(m_coord_x, mask2, ws);
+ m_coord_y = m_curve.mul_to_tmp(m_coord_y, mask3, ws);
+ m_coord_z = m_curve.mul_to_tmp(m_coord_z, mask, ws);
 }
 namespace {
diff --git a/src/lib/pubkey/ec_group/point_mul.cpp b/src/lib/pubkey/ec_group/point_mul.cpp
index f393c2ea4..df51037a5 100644
--- a/src/lib/pubkey/ec_group/point_mul.cpp
+++ b/src/lib/pubkey/ec_group/point_mul.cpp
@@ -179,9 +179,6 @@ PointGFp_Var_Point_Precompute::PointGFp_Var_Point_Precompute(const PointGFp& poi
 void PointGFp_Var_Point_Precompute::randomize_repr(RandomNumberGenerator& rng,
 std::vector<BigInt>& ws_bn)
 {
- if(BOTAN_POINTGFP_RANDOMIZE_BLINDING_BITS <= 1)
- return;
-
 if(ws_bn.size() < 7)
 ws_bn.resize(7);
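Review bot: The new `mask` line in PointGFp::randomize_repr drops the explicit `while(mask.is_zero())` guard and relies entirely on the `[2, p)` bounds passed to `BigInt::random_integer` to keep the mask nonzero, but nothing in the hunk records that this range is what keeps the Jacobian rescaling invertible, so a later edit to the bounds could silently reintroduce a zero mask. I would document the invariant on that line: `// mask in [2, p) is nonzero mod p, so scaling (X,Y,Z) by (mask^2, mask^3, mask) leaves the point unchanged`. If random_integer is implemented by rejection sampling, as its (min, max) signature suggests, its retry count depends only on RNG output and not on the point being masked, which is worth stating in that comment since this routine exists for side-channel hardening. The sibling hunk in point_mul.cpp constructs its mask differently (`randomize(rng, p_bits - 1, false)` followed by `set_bit(0)`), so the two randomize_repr paths now draw masks from different distributions; a one-line comment on why the precompute path keeps the cheaper construction would prevent the next reader from "fixing" the asymmetry.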
@@ -195,10 +192,12 @@ void PointGFp_Var_Point_Precompute::randomize_repr(RandomNumberGenerator& rng,
 const CurveGFp& curve = m_U[0].get_curve();
+ const size_t p_bits = curve.get_p().bits();
+
 // Skipping zero point since it can't be randomized
 for(size_t i = 1; i != m_U.size(); ++i)
 {
- mask.randomize(rng, BOTAN_POINTGFP_RANDOMIZE_BLINDING_BITS, false);
+ mask.randomize(rng, p_bits - 1, false);
 // Easy way of ensuring mask != 0
 mask.set_bit(0); |