[PATCH 0/8] More on: Less Leaky ECDSA signature generation (in master)
NIIBE Yutaka
gniibe at fsij.org
Thu Mar 27 06:19:03 CET 2025
Hello,
Here are my changes for https://dev.gnupg.org/T7519
(after applying 0001-mpi-ec-Remove-runtime-check-in-ec_mod.patch)
Because libgcrypt exposes lower-level APIs like gcry_mpi_ec_add,
gcry_mpi_ec_dup, and gcry_mpi_ec_mul, we need to be conservative to
keep the exposed behaviors. I introduce a new internal flag,
GCRYECC_FLAG_LEAST_LEAK, to select less-leaky ec_* routines for
constant-time computation.
NIIBE Yutaka (8):
mpi:ec: Use ec_addm for ec_mul2.
mpi:ec: Keep A untouched in ec_get_a_is_pminus3.
mpi:ec: Refactor _gcry_mpi_ec_mul_point
cipher:ecc: Introduce GCRYECC_FLAG_LEAST_LEAK.
mpi:ec: Resize when GCRYECC_FLAG_LEAST_LEAK.
mpi:ec: Use affine coordinate for mpi_ec_mul_point_lli.
mpi:ec: Don't normalize the MPIs when GCRYECC_FLAG_LEAST_LEAK.
mpi:ec: Introduce ec_*_lli for Weierstrass curves to be less leaky.
cipher/ecc.c | 8 +-
mpi/ec-nist.c | 16 +-
mpi/ec.c | 739 ++++++++++++++++++++++++++++++++++++++------------
src/cipher.h | 5 +
4 files changed, 582 insertions(+), 186 deletions(-)
--
2.47.2