From 3181dfa7abfe7b623d8823e078f04a374775e978 Mon Sep 17 00:00:00 2001
From: Jack Lloyd <lloyd@randombit.net>
Date: Thu, 15 Oct 2015 10:07:36 -0400
Subject: Periodically reinitialize the blinding sequence instead of always
 deriving it by squaring the previous value.

---
 src/build-data/buildh.in | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

(limited to 'src/build-data')

diff --git a/src/build-data/buildh.in b/src/build-data/buildh.in
index eaf4181b5..31069f0ae 100644
--- a/src/build-data/buildh.in
+++ b/src/build-data/buildh.in
@@ -71,9 +71,20 @@
 * representation of an ECC point. Set to zero to diable this
 * side-channel countermeasure.
 */
-#define BOTAN_POINTGFP_RANDOMIZE_BLINDING_BITS 64
+#define BOTAN_POINTGFP_RANDOMIZE_BLINDING_BITS 80
 
-#define BOTAN_CURVE_GFP_USE_MONTGOMERY_LADDER 0
+/*
+* Normally blinding is performed by choosing a random starting point (plus
+* its inverse, of a form appropriate to the algorithm being blinded), and
+* then choosing new blinding operands by successive squaring of both
+* values. This is much faster than computing a new starting point but
+* introduces some possible coorelation
+*
+* To avoid possible leakage problems in long-running processes, the blinder
+* periodically reinitializes the sequence. This value specifies how often
+* a new sequence should be started.
+*/
+#define BOTAN_BLINDING_REINIT_INTERVAL 32
 
 /* PK key consistency checking toggles */
 #define BOTAN_PUBLIC_KEY_STRONG_CHECKS_ON_LOAD 1
-- 
cgit v1.2.3