[PATCH] mpi:ec: Least leak with k^(-1) for ECDSA.
Jacob Bachmeyer
jcb62281 at gmail.com
Thu May 15 07:29:38 CEST 2025
On 5/13/25 23:35, NIIBE Yutaka via Gcrypt-devel wrote:
> * src/mpi.h (_gcry_mpi_assign_limb_space): Add.
> (_gcry_mpih_mod_lli, _gcry_mpih_mul_lli): Add.
> * cipher/ecc-ecdsa.c (_gcry_ecc_ecdsa_sign): Take care
> about least leak with k^(-1).
>
> --
>
> GnuPG-bug-id: 7519
> Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
> ---
> cipher/ecc-ecdsa.c | 20 +++++++++++++++++++-
> src/mpi.h | 7 +++++++
> 2 files changed, 26 insertions(+), 1 deletion(-)
I note from the diff context that the next step after the part you are
changing is to remove a blinding factor from the result. If the
calculation is performed blinded, why is least-leak important enough
here to justify the added code complexity?
Note that introducing an "mpi_mulm_lli" as an LLI drop-in replacement
for "mpi_mulm" would also address my concern. Also note that using
least-leak for the blinding/unblinding steps might be more important
than for any of the blinded steps in the middle.
-- Jacob
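The blinded ECDSA computation that the exchange above is discussing, as an added example written for this page rather than code from libgcrypt or from either author. It assumes the textbook blinding layout (invert k*b for a random b, then multiply b back in), not the exact arrangement in ecc-ecdsa.c; the curve constants are the public secp256k1 parameters, and Python big-integer arithmetic is not constant-time, so the example demonstrates the algebra of blinding and unblinding, not the leakage properties the patch addresses.

```python
"""Added example (not libgcrypt code): ECDSA over secp256k1 where the k^(-1)
step runs on a blinded value and the blinding factor is removed afterwards.
Python big-int arithmetic is variable-time; this shows the arithmetic identity
that makes blinding work, not a least-leak implementation."""
import secrets

# Public secp256k1 domain parameters: y^2 = x^3 + 7 over GF(P), base point G of prime order N.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt):
    """True for the point at infinity (None) or any point satisfying the curve equation."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def point_add(p1, p2):
    """Affine addition (and doubling); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:       # p1 == -p2
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def point_mul(k, pt):
    """Plain double-and-add scalar multiplication (variable-time; a library uses a ladder)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def ecdsa_sign_plain(d, h, k):
    """Textbook s = k^-1 (h + r d) mod N, inverting the secret nonce k directly."""
    r = point_mul(k, G)[0] % N
    s = pow(k, -1, N) * (h + r * d) % N
    return r, s


def ecdsa_sign_blinded(d, h, k, blind=None):
    """Same signature, but the inversion is performed on k*b for a random b.

    (k*b)^-1 * (h + r d) * b == k^-1 (h + r d)  (mod N), so a final
    multiplication by b removes the blinding factor from the result.  The
    operations that touch k, d and b directly (k*b, r*d, the final *b) are the
    blinding/unblinding steps the reply above points at as the ones where
    least-leak arithmetic matters most; the inversion itself sees only k*b.
    """
    r = point_mul(k, G)[0] % N
    b = blind if blind is not None else secrets.randbelow(N - 1) + 1
    kb = k * b % N                          # blinding step (depends on secret k)
    kb_inv = pow(kb, N - 2, N)              # Fermat inversion of the blinded value
    s_blind = kb_inv * ((h + r * d) % N) % N
    s = s_blind * b % N                     # unblinding step: multiply b back in
    return r, s


def ecdsa_verify(Q, h, sig):
    """Standard ECDSA verification against public key Q = d*G."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    X = point_add(point_mul(h * w % N, G), point_mul(r * w % N, Q))
    return X is not None and X[0] % N == r


if __name__ == "__main__":
    # Constructed demo values: a random key and nonce, and a fixed digest.
    d = secrets.randbelow(N - 1) + 1
    k = secrets.randbelow(N - 1) + 1
    h = int.from_bytes(b"constructed message digest".ljust(32, b"\0"), "big") % N
    Q = point_mul(d, G)
    plain = ecdsa_sign_plain(d, h, k)
    blinded = ecdsa_sign_blinded(d, h, k)
    print("plain == blinded:", plain == blinded, "verifies:", ecdsa_verify(Q, h, blinded))
```

With a fixed d, h, k and blinding factor, `ecdsa_sign_blinded` returns exactly the pair `ecdsa_sign_plain` returns, which is the identity the blinded code path relies on; the comments mark the two multiplications that handle unblinded secrets, which is where the reply suggests a least-leak multiply (the proposed "mpi_mulm_lli") would earn its keep.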