From f29d725c6fc2cf301a8acd7daa03c9ccadccba9e Mon Sep 17 00:00:00 2001
From: Jack Lloyd
Date: Mon, 24 Dec 2018 12:45:43 -0500
Subject: Avoid size-based bypass of the comparison in Barrett reduction.
As it would leak if an input was > p^2, or just close to it in size.
---
 src/lib/math/numbertheory/reducer.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/lib/math')
diff --git a/src/lib/math/numbertheory/reducer.cpp b/src/lib/math/numbertheory/reducer.cpp
index 5094ae420..c37a1daeb 100644
--- a/src/lib/math/numbertheory/reducer.cpp
+++ b/src/lib/math/numbertheory/reducer.cpp
@@ -76,7 +76,7 @@ void Modular_Reducer::reduce(BigInt& t1, const BigInt& x, secure_vector& w
 const size_t x_sw = x.sig_words();
- if(x_sw >= (2*m_mod_words - 1) && x.cmp(m_modulus_2, false) >= 0)
+ if(x.cmp(m_modulus_2, false) >= 0)
 {
 // too big, fall back to slow boat division
 t1 = ct_modulo(x, m_modulus);
-- cgit v1.2.3
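Review bot: Dropping the `x_sw` shortcut on the changed `if` only closes the length leak if `BigInt::cmp(..., false)` is itself constant-time in the operands' word counts, which this hunk cannot show; if the underlying comparison still returns early on a size mismatch, the timing difference for inputs near or above modulus² survives. I would record that dependency at the branch, e.g. `// Always run the full comparison: the old size-based shortcut leaked whether x was` / `// close to modulus^2 in length; this relies on cmp() being constant-time itself.` The branch into `ct_modulo` remains data-dependent by design, so callers that need constant-time reduction must keep inputs below modulus² — a precondition worth stating in the function's doc comment. `Modular_Reducer::reduce` begins before and continues after this hunk, so whether `x_sw` is still used later in the body is not visible here.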