Handle some corner cases in ECC mult

For blinded_base_point_multiply_x if result is point at inifinity
(eg due to k == group_order) return 0 instead of throwing.

For base point multiply, reduce k mod order before masking otherwise
the combination of k + mask might exceed our precomputed table.

3 files changed, 19 insertions, 5 deletions

diff --git a/src/lib/pubkey/ec_group/ec_group.cpp b/src/lib/pubkey/ec_group/ec_group.cpp
index 45aef6c2f..1fb762e4b 100644
--- a/src/lib/pubkey/ec_group/ec_group.cpp
+++ b/src/lib/pubkey/ec_group/ec_group.cpp
@@ -39,7 +39,7 @@ class EC_Group_Data final
          m_order(order),
          m_cofactor(cofactor),
          m_mod_order(order),
-         m_base_mult(m_base_point),
+         m_base_mult(m_base_point, m_mod_order),
          m_oid(oid),
          m_p_bits(p.bits()),
          m_order_bits(order.bits()),
@@ -502,7 +502,11 @@ BigInt EC_Group::blinded_base_point_multiply_x(const BigInt& k,
                                                RandomNumberGenerator& rng,
                                                std::vector<BigInt>& ws) const
    {
-   return data().blinded_base_point_multiply(k, rng, ws).get_affine_x();
+   const PointGFp pt = data().blinded_base_point_multiply(k, rng, ws);
+
+   if(pt.is_zero())
+      return 0;
+   return pt.get_affine_x();
    }
 
 BigInt EC_Group::random_scalar(RandomNumberGenerator& rng) const
diff --git a/src/lib/pubkey/ec_group/point_mul.cpp b/src/lib/pubkey/ec_group/point_mul.cpp
index d42a5d5e8..d052b837c 100644
--- a/src/lib/pubkey/ec_group/point_mul.cpp
+++ b/src/lib/pubkey/ec_group/point_mul.cpp
@@ -6,6 +6,7 @@
 
 #include <botan/internal/point_mul.h>
 #include <botan/rng.h>
+#include <botan/reducer.h>
 #include <botan/internal/rounding.h>
 
 namespace Botan {
@@ -38,8 +39,10 @@ PointGFp Blinded_Point_Multiply::blinded_multiply(const BigInt& scalar,
    return m_point_mul->mul(scalar, rng, m_order, m_ws);
    }
 
-PointGFp_Base_Point_Precompute::PointGFp_Base_Point_Precompute(const PointGFp& base) :
+PointGFp_Base_Point_Precompute::PointGFp_Base_Point_Precompute(const PointGFp& base,
+                                                               const Modular_Reducer& mod_order) :
    m_base_point(base),
+   m_mod_order(mod_order),
    m_p_words(base.get_curve().get_p().size()),
    m_T_size(base.get_curve().get_p().bits() + PointGFp_SCALAR_BLINDING_BITS + 1)
    {
@@ -97,7 +100,9 @@ PointGFp PointGFp_Base_Point_Precompute::mul(const BigInt& k,
 
    // Choose a small mask m and use k' = k + m*order (Coron's 1st countermeasure)
    const BigInt mask(rng, PointGFp_SCALAR_BLINDING_BITS, false);
-   const BigInt scalar = k + group_order * mask;
+
+   // Instead of reducing k mod group order should we alter the mask size??
+   const BigInt scalar = m_mod_order.reduce(k) + group_order * mask;
 
    size_t windows = round_up(scalar.bits(), 2) / 2;
 
diff --git a/src/lib/pubkey/ec_group/point_mul.h b/src/lib/pubkey/ec_group/point_mul.h
index 64672d9a4..cfce05d5c 100644
--- a/src/lib/pubkey/ec_group/point_mul.h
+++ b/src/lib/pubkey/ec_group/point_mul.h
@@ -11,12 +11,15 @@
 
 namespace Botan {
 
+class Modular_Reducer;
+
 static const size_t PointGFp_SCALAR_BLINDING_BITS = 80;
 
 class PointGFp_Base_Point_Precompute
    {
    public:
-      PointGFp_Base_Point_Precompute(const PointGFp& base_point);
+      PointGFp_Base_Point_Precompute(const PointGFp& base_point,
+                                     const Modular_Reducer& mod_order);
 
       PointGFp mul(const BigInt& k,
                    RandomNumberGenerator& rng,
@@ -24,6 +27,8 @@ class PointGFp_Base_Point_Precompute
                    std::vector<BigInt>& ws) const;
    private:
       const PointGFp& m_base_point;
+      const Modular_Reducer& m_mod_order;
+
       const size_t m_p_words;
       const size_t m_T_size;