[PATCH] mpi:ec: Least leak with k^(-1) for ECDSA.
NIIBE Yutaka
gniibe at fsij.org
Fri May 16 02:48:05 CEST 2025
Jacob Bachmeyer <jcb62281 at gmail.com> wrote:
> I note from the diff context that the next step after the part you are
> changing is to remove a blinding factor from the result.
Could be. Currently, my focus is the leaks of K and K^(-1). Blinding
here is for the private key (ec->d).
> If the calculation is performed blinded, why is least-leak important
> enough here to justify the added code complexity?
The patch I sent is for K^(-1). (The code may look complex, but
actually the execution code path is simpler than the one by mpi_mulm.
We don't have mpi_mulm_lli or mpi_mul_lli yet.)
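Added illustration, not the patch or libgcrypt's own code: a plain-Python ECDSA sign over secp256k1 showing where k^(-1) and the private key d enter the s computation, and a multiplicative blinding of d (an assumed illustrative scheme, not necessarily what libgcrypt does) that leaves the signature unchanged while k^(-1) itself is still computed directly.

```python
# Added example: where k^(-1) and d appear in ECDSA signing, with blinding of d.
# Curve parameters are the standard secp256k1 ones; the blinding scheme is an
# assumption for illustration. Not constant-time; do not use for real signing.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication (variable-time, for clarity only)."""
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def sign(z, d, k, blind=None):
    """s = k^(-1) * (z + r*d) mod N, optionally with d blinded by 'blind'."""
    r = mul(k, G)[0] % N
    kinv = pow(k, -1, N)                # k^(-1): the value the thread is about
    if blind is None:
        s = kinv * (z + r * d) % N      # d used directly in the multiplication
    else:
        db = d * blind % N              # r is never multiplied by bare d;
        s = kinv * (z + r * db * pow(blind, -1, N)) % N  # blind^(-1) cancels it
    return r, s

def verify(z, pub, sig):
    """Standard ECDSA verification: recover r from (z*s^-1)G + (r*s^-1)pub."""
    r, s = sig
    w = pow(s, -1, N)
    pt = add(mul(z * w % N, G), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r
```

Blinding d changes only how s is computed, not its value, so plain and blinded signing must agree and verify; k^(-1) is untouched by it, which is why its own computation needs separate care.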