[PATCH] MPI helper of comparison, Least Leak Intended

Jacob Bachmeyer jcb62281 at gmail.com
Sat Feb 8 23:50:42 CET 2025


On 2/7/25 20:05, NIIBE Yutaka via Gcrypt-devel wrote:
> NIIBE Yutaka <gniibe at fsij.org> wrote:
>> I think that this implementation could be improved.
> I should use the ct_limb_gen_inv_mask function instead of directly using the
> unary minus operator.

Could it make more sense to write:

result &= ct_limb_gen_inv_mask (gt) & ct_limb_gen_inv_mask (lt);
result |= gt | -lt;

Assuming that ct_limb_gen_inv_mask returns all-bits-set if its argument 
is zero and all-bits-clear otherwise, the first line clears result if a 
previous value is to be overwritten and the second sets the new value.

I also still suggest considering an alternate encoding for the 
comparison result.  The Hamming distance between 0 and 1 is 1, but the 
Hamming distance between 0 and -1 is the maximum on a 2's complement 
machine, which means that any information leakage on the power rail will 
be at its strongest when the comparison result is "less than".

A one-hot encoding would have a constant Hamming distance (of 2) between 
any pair of valid values.

I remember reading a paper some years ago by an academic research group 
that was able to recover private keys by observing noise on a laptop's 
ground (a USB port shield connection, if I recall correctly).


-- Jacob
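The mask-based update proposed above, carried through into a complete constant-time limb-array compare, as an added example: this is not code from the thread or from libgcrypt, and ct_limb_gen_mask, ct_limb_gen_inv_mask, ct_limb_lt and ct_mpi_cmp are assumed implementations written here with the semantics the message assumes (inverse mask is all-bits-set for a zero argument). The sample operands are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>

typedef uint64_t limb_t;
#define LIMB_BITS (sizeof (limb_t) * CHAR_BIT)

/* All-bits-set when x is nonzero, all-bits-clear when x is zero. */
static limb_t
ct_limb_gen_mask (limb_t x)
{
  return (limb_t)0 - ((x | ((limb_t)0 - x)) >> (LIMB_BITS - 1));
}

/* Inverse mask: all-bits-set when x is zero, all-bits-clear otherwise. */
static limb_t
ct_limb_gen_inv_mask (limb_t x)
{
  return ~ct_limb_gen_mask (x);
}

/* 1 when a < b (unsigned), 0 otherwise; the borrow out of a - b is
   recovered from the top bits without a data-dependent branch. */
static limb_t
ct_limb_lt (limb_t a, limb_t b)
{
  return (a ^ ((a ^ b) | ((a - b) ^ a))) >> (LIMB_BITS - 1);
}

/* Compare two equal-length little-endian limb arrays in constant time.
   Returns 1 if A > B, all-bits-set (i.e. -1) if A < B, 0 if equal.
   Limbs are visited least significant first, so a more significant
   differing limb overrides any earlier result through the mask update. */
static limb_t
ct_mpi_cmp (const limb_t *a, const limb_t *b, size_t n)
{
  limb_t result = 0;
  for (size_t i = 0; i < n; i++)
    {
      limb_t lt = ct_limb_lt (a[i], b[i]);
      limb_t gt = ct_limb_lt (b[i], a[i]);
      /* Clear the previous value only when this limb differs ... */
      result &= ct_limb_gen_inv_mask (gt) & ct_limb_gen_inv_mask (lt);
      /* ... then set the new value: 1 for greater, all-ones for less. */
      result |= gt | ((limb_t)0 - lt);
    }
  return result;
}

/* Constructed sample operands: A = 2^64 + 5, B = 2^64 + 7, C = 2^65 + 5. */
static const limb_t sample_a[2] = { 5, 1 };
static const limb_t sample_b[2] = { 7, 1 };
static const limb_t sample_c[2] = { 5, 2 };
```

Note that the loop runs the same instruction sequence for every limb regardless of the operands; only the mask values differ, which is the property the thread is after.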
