-rw-r--r-- | checks/ec_tests.cpp | 27 | ||||
-rw-r--r-- | checks/gfpmath.cpp | 49 | ||||
-rw-r--r-- | src/math/gfpmath/point_gfp.cpp | 62 | ||||
-rw-r--r-- | src/math/gfpmath/point_gfp.h | 20 | ||||
-rw-r--r-- | src/pubkey/ecc_key/ecc_key.cpp | 10 | ||||
-rw-r--r-- | src/pubkey/ecdsa/ecdsa.cpp | 5 | ||||
-rw-r--r-- | src/pubkey/ecdsa/ecdsa_op.cpp | 3 | ||||
-rw-r--r-- | src/pubkey/eckaeg/eckaeg_op.cpp | 5 | ||||
-rw-r--r-- | src/pubkey/gost_3410/gost_3410.cpp | 9 |
9 files changed, 15 insertions, 175 deletions
diff --git a/checks/ec_tests.cpp b/checks/ec_tests.cpp index 871425d20..cf63cc529 100644 --- a/checks/ec_tests.cpp +++ b/checks/ec_tests.cpp @@ -1032,26 +1032,6 @@ void test_point_swap(RandomNumberGenerator& rng) * This test verifies that the side channel attack resistant multiplication function * yields the same result as the normal (insecure) multiplication via operator*= */ -void test_mult_sec() - { - std::cout << "." << std::flush; - - EC_Domain_Params dom_pars(get_EC_Dom_Pars_by_oid("1.3.132.0.8")); - PointGFp a(dom_pars.get_base_point()); - BigInt scal("123413545342234"); - PointGFp b = a * scal; - PointGFp c(a); - c.mult_this_secure(scal, dom_pars.get_order(), dom_pars.get_order()-1); - PointGFp d(a); - d.mult_this_secure(scal, BigInt(0), dom_pars.get_order()-1); - CHECK(b == c); - CHECK(c == d); - } - -/** -* This test verifies that the side channel attack resistant multiplication function -* yields the same result as the normal (insecure) multiplication via operator*= -*/ void test_mult_sec_mass(RandomNumberGenerator& rng) { @@ -1064,11 +1044,9 @@ void test_mult_sec_mass(RandomNumberGenerator& rng) BigInt scal(BigInt(rng, 40)); PointGFp b = a * scal; PointGFp c(a); - c.mult_this_secure(scal, dom_pars.get_order()*dom_pars.get_cofactor(), dom_pars.get_order()-1); - //PointGFp d(a); - //d.mult_this_secure(scal, BigInt(0), dom_pars.get_order()-1); + + c *= scal; CHECK(b == c); - //CHECK(c == d); } } @@ -1192,7 +1170,6 @@ void do_ec_tests(RandomNumberGenerator& rng) test_gfp_curve_precomp_mres(); //test_point_worksp(); test_point_swap(rng); - test_mult_sec(); test_mult_sec_mass(rng); test_curve_cp_ctor(); test_ec_key_cp_and_assignment(rng); diff --git a/checks/gfpmath.cpp b/checks/gfpmath.cpp index 57c40bffb..439b9be9b 100644 --- a/checks/gfpmath.cpp +++ b/checks/gfpmath.cpp 
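Review bot: The doc comment kept as context above test_mult_sec_mass still says the test compares "the side channel attack resistant multiplication function" with "the normal (insecure) multiplication via operator*=", but in the second hunk the test now computes `PointGFp b = a * scal;` and `c *= scal;`, and the point_gfp.cpp context further down shows the free operator* is just `return result *= scalar;`, so the test only checks that the free operator agrees with the member one. Either retire the test together with test_mult_sec, or replace the two comment lines with ` * This test verifies that the free operator* and operator*= agree for random scalars` so the remaining check is described honestly. The removal of test_mult_sec and of its call in do_ec_tests in this file's other two hunks is consistent with that.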
@@ -563,55 +563,6 @@ bool test_bi_bit_access() return pass; } -#if 0 -bool test_sec_mod_mul() - { - //cout << "starting test_sec_mod_mul" << endl; - - bool pass = true; - - //mod_mul_secure(BigInt const& a, BigInt const& b, BigInt const& m) - - BigInt m("5334243285367"); - BigInt a("3333333333333"); - BigInt b("4444444444444"); - for(int i = 0; i<10; i++) - { - std::cout << '.' << std::flush; - BigInt c1 = a * b; - c1 %= m; - BigInt c2 = mod_mul_secure(a, b, m); - CHECK_MESSAGE(c1 == c2, "should be " << c1 << ", was " << c2); - } - //cout << "ending test_sec_mod_mul" << endl; - return pass; - } -#endif - -#if 0 -bool test_sec_bi_mul() - { - //mod_mul_secure(BigInt const& a, BigInt const& b, BigInt const& m) - - bool pass = true; - - BigInt m("5334243285367"); - BigInt a("3333333333333"); - BigInt b("4444444444444"); - for(int i = 0; i<10; i++) - { - std::cout << '.' << std::flush; - BigInt c1 = a * b; - //c1 %= m; - BigInt c2(a); - c2.mult_this_secure(b, m); - CHECK_MESSAGE(c1 == c2, "should be " << c1 << ", was " << c2); - } - - return pass; - } -#endif - } u32bit do_gfpmath_tests(Botan::RandomNumberGenerator& rng) diff --git a/src/math/gfpmath/point_gfp.cpp b/src/math/gfpmath/point_gfp.cpp index 4b2de7913..f1d38f5fd 100644 --- a/src/math/gfpmath/point_gfp.cpp +++ b/src/math/gfpmath/point_gfp.cpp 
@@ -140,60 +140,6 @@ PointGFp& PointGFp::operator-=(const PointGFp& rhs) return *this; } -PointGFp& PointGFp::mult_this_secure(const BigInt& scalar, - const BigInt& /*point_order*/, - const BigInt& /*max_secr*/) - { - // NOTE: FS: so far this is code duplication of op*=. - // we have to see how we deal with this. - // fact is that we will probably modify this function - // while evaluating the countermeasures - // whereas we probably will not start modifying the - // function operator*=. - // however, in the end both should be merged. - - // use montgomery mult. in this operation - this->turn_on_sp_red_mul(); - - PointGFp H(mC); - - PointGFp P(*this); - BigInt m(scalar); - - if(m < BigInt(0)) - { - m = -m; - P.negate(); - } - if(P.is_zero() || (m == BigInt(0))) - { - *this = H; - return *this; - } - if(m == BigInt(1)) - return *this; - - int mul_bits = m.bits(); - - for(int i = mul_bits - 1; i >= 0; i--) - { - H.mult2_in_place(); - - if(m.get_bit(i)) - H += P; - } - - if(!H.is_zero()) // cannot convert if H == O - *this = H.get_z_to_one(); - else - *this = H; - - mX.turn_off_sp_red_mul(); - mY.turn_off_sp_red_mul(); - mZ.turn_off_sp_red_mul(); - return *this; - } - PointGFp& PointGFp::operator*=(const BigInt& scalar) { // use montgomery mult. in this operation @@ -497,14 +443,6 @@ PointGFp operator*(const PointGFp& point, const BigInt& scalar) return result *= scalar; } -PointGFp mult_point_secure(const PointGFp& point, const BigInt& scalar, - const BigInt& point_order, const BigInt& max_secret) - { - PointGFp result(point); - result.mult_this_secure(scalar, point_order, max_secret); - return result; - } - // encoding and decoding SecureVector<byte> EC2OSP(const PointGFp& point, byte format) { diff --git a/src/math/gfpmath/point_gfp.h b/src/math/gfpmath/point_gfp.h index 276635f56..08de259af 100644 --- a/src/math/gfpmath/point_gfp.h +++ b/src/math/gfpmath/point_gfp.h 
@@ -96,22 +96,6 @@ class BOTAN_DLL PointGFp PointGFp& operator*=(const BigInt& scalar); /** - * the equivalent to operator*= with countermeasures against - * sidechannel attacks, using the randomized exponent - * and add-and-double-always - * countermeasures (suitable for ECDSA and ECKAEG) - * @param scalar the scalar to multiply the point with - * @param point_order a multiple of the order of the point - *(= n * k in the general case; k is the cofactor) - * @param max_secr the maximal size of the scalar - * (will usually be n-1 ) - * @result resulting PointGFp - */ - PointGFp& mult_this_secure(const BigInt& scalar, - const BigInt& point_order, - const BigInt& max_secr); - - /** * Negate internal value(*this *= -1 ) * @return *this */ @@ -225,10 +209,6 @@ PointGFp BOTAN_DLL operator-(const PointGFp& lhs); PointGFp BOTAN_DLL operator*(const BigInt& scalar, const PointGFp& point); PointGFp BOTAN_DLL operator*(const PointGFp& point, const BigInt& scalar); -PointGFp BOTAN_DLL mult_point_secure(const PointGFp& point, - const BigInt& scalar, - const BigInt& point_order, - const BigInt& max_secret); PointGFp BOTAN_DLL mult2(const PointGFp& point); diff --git a/src/pubkey/ecc_key/ecc_key.cpp b/src/pubkey/ecc_key/ecc_key.cpp index b7f58eecc..6ed1fd9c6 100644 --- a/src/pubkey/ecc_key/ecc_key.cpp +++ b/src/pubkey/ecc_key/ecc_key.cpp 
@@ -163,15 +163,11 @@ void EC_PrivateKey::generate_private_key(RandomNumberGenerator& rng) throw Invalid_State("cannot generate private key when domain parameters are not set"); } - BigInt tmp_private_value(0); - tmp_private_value = BigInt::random_integer(rng, 1, mp_dom_pars->get_order()); + m_private_value = BigInt::random_integer(rng, 1, mp_dom_pars->get_order()); + mp_public_point = std::auto_ptr<PointGFp>( new PointGFp (mp_dom_pars->get_base_point())); - mp_public_point->mult_this_secure(tmp_private_value, - mp_dom_pars->get_order(), - mp_dom_pars->get_order()-1); - //assert(mp_public_point.get() != 0); - tmp_private_value.swap(m_private_value); + *mp_public_point *= m_private_value; } /** diff --git a/src/pubkey/ecdsa/ecdsa.cpp b/src/pubkey/ecdsa/ecdsa.cpp index 6116f7b13..120efe99d 100644 --- a/src/pubkey/ecdsa/ecdsa.cpp +++ b/src/pubkey/ecdsa/ecdsa.cpp @@ -41,9 +41,8 @@ ECDSA_PrivateKey::ECDSA_PrivateKey(const EC_Domain_Params& domain, m_private_value = x; mp_public_point = std::auto_ptr<PointGFp>(new PointGFp (mp_dom_pars->get_base_point())); - mp_public_point->mult_this_secure(m_private_value, - mp_dom_pars->get_order(), - mp_dom_pars->get_order()-1); + + *mp_public_point *= m_private_value; try { diff --git a/src/pubkey/ecdsa/ecdsa_op.cpp b/src/pubkey/ecdsa/ecdsa_op.cpp index 7bbeded73..d37809962 100644 --- a/src/pubkey/ecdsa/ecdsa_op.cpp +++ b/src/pubkey/ecdsa/ecdsa_op.cpp @@ -62,8 +62,7 @@ SecureVector<byte> Default_ECDSA_Op::sign(const byte msg[], u32bit msg_len, BigInt e(msg, msg_len); - PointGFp k_times_P(dom_pars.get_base_point()); - k_times_P.mult_this_secure(k, n, n-1); + PointGFp k_times_P = dom_pars.get_base_point() * k; k_times_P.check_invariants(); BigInt r = k_times_P.get_affine_x().get_value() % n; diff --git a/src/pubkey/eckaeg/eckaeg_op.cpp b/src/pubkey/eckaeg/eckaeg_op.cpp index 0cb5c3d55..1af5cb165 100644 --- a/src/pubkey/eckaeg/eckaeg_op.cpp +++ b/src/pubkey/eckaeg/eckaeg_op.cpp 
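Review bot: In EC_PrivateKey::generate_private_key the new side assigns `m_private_value` before the public point is allocated and multiplied, so if `new PointGFp` or `operator*=` throws, the key object is left with a fresh private scalar paired with the previous (or no) public point; the removed code deliberately built into `tmp_private_value` and swapped it in only at the end. Computing both values into locals and committing them last preserves that guarantee with the same `std::auto_ptr` the file already uses. The function's opening check is outside the hunk.
```cpp
    BigInt x = BigInt::random_integer(rng, 1, mp_dom_pars->get_order());
    std::auto_ptr<PointGFp> pub(new PointGFp(mp_dom_pars->get_base_point()));
    *pub *= x;
    // commit only once both halves of the key pair exist
    m_private_value = x;
    mp_public_point = pub;
```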
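Review bot: In Default_ECDSA_Op::sign the per-signature nonce k is now multiplied with the plain `dom_pars.get_base_point() * k`, and nothing at the call site records that this path carries no side-channel countermeasures; the removed mult_this_secure was advertised in point_gfp.h as randomized-exponent and add-and-double-always, and although its removed body shows it was in fact a plain conditional-add ladder (its own comment says it duplicated operator*=), this commit drops the only hook where such hardening was meant to live. The body of operator*= is outside these hunks, so whether it branches on scalar bits cannot be confirmed here, but if it matches the removed code the timing of this multiplication depends on k. I would add above the new line `// NOTE: operator*= is not hardened against timing/power side channels; k is the per-signature nonce` so the gap is visible to whoever reintroduces a constant-time ladder. The same applies to the `S *= (m_priv_key * l) % n;` line in eckaeg_op.cpp and to the `k_times_P` line in GOST_3410_PrivateKey::sign in gost_3410.cpp.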
@@ -27,8 +27,9 @@ SecureVector<byte> Default_ECKAEG_Op::agree(const PointGFp& i) const BigInt l(inverse_mod(cofactor,n)); // l=h^-1 mod n PointGFp Q(cofactor*i); // q = h*Pb PointGFp S(Q); - BigInt group_order = m_dom_pars.get_cofactor() * n; - S.mult_this_secure((m_priv_key*l)%n, group_order, n-1); + + S *= (m_priv_key * l) % n; + S.check_invariants(); return FE2OSP(S.get_affine_x()); // fe2os(xs) } diff --git a/src/pubkey/gost_3410/gost_3410.cpp b/src/pubkey/gost_3410/gost_3410.cpp index c2ddabe63..43e8a9c7b 100644 --- a/src/pubkey/gost_3410/gost_3410.cpp +++ b/src/pubkey/gost_3410/gost_3410.cpp @@ -39,9 +39,8 @@ GOST_3410_PrivateKey::GOST_3410_PrivateKey(const EC_Domain_Params& domain, m_private_value = x; mp_public_point = std::auto_ptr<PointGFp>(new PointGFp (mp_dom_pars->get_base_point())); - mp_public_point->mult_this_secure(m_private_value, - mp_dom_pars->get_order(), - mp_dom_pars->get_order()-1); + + *mp_public_point *= m_private_value; try { @@ -332,9 +331,9 @@ GOST_3410_PrivateKey::sign(const byte msg[], if(e == 0) e = 1; - PointGFp k_times_P(mp_dom_pars->get_base_point()); - k_times_P.mult_this_secure(k, n, n-1); + PointGFp k_times_P = mp_dom_pars->get_base_point() * k; k_times_P.check_invariants(); + BigInt r = k_times_P.get_affine_x().get_value() % n; if(r == 0) |