1 From ba4d612892bf6e3aae9cca7edce2a6d6b43e3e22 Mon Sep 17 00:00:00 2001
2 From: Sean Parkinson <sean@wolfssl.com>
3 Date: Wed, 17 Jul 2019 08:26:02 +1000
4 Subject: [PATCH] Improve nonce use in ECC mulmod
6 (cherry picked from commit 483f6a5acd9808b405306661c121aa6407464dc2)
8 --- a/wolfcrypt/src/ecc.c
9 +++ b/wolfcrypt/src/ecc.c
10 @@ -2039,7 +2039,7 @@ int wc_ecc_mulmod_ex(mp_int* k, ecc_poin
12 int first = 1, bitbuf = 0, bitcpy = 0, j;
18 ecc_point *tG, *M[M_POINTS];
19 @@ -2253,7 +2253,9 @@ int wc_ecc_mulmod_ex(mp_int* k, ecc_poin
23 - digidx = get_digit_count(k) - 1;
24 + digidx = get_digit_count(modulus) - 1;
25 + /* The order MAY be 1 bit longer than the modulus. */
26 + digidx += (modulus->dp[digidx] >> (DIGIT_BIT-1));
30 @@ -2272,25 +2274,53 @@ int wc_ecc_mulmod_ex(mp_int* k, ecc_poin
31 i = (buf >> (DIGIT_BIT - 1)) & 1;
34 - if (mode == 0 && i == 0) {
37 /* timing resistant - dummy operations */
39 - err = ecc_projective_add_point(M[0], M[1], M[2], a, modulus,
40 + err = ecc_projective_add_point(M[1], M[2], M[2], a, modulus,
42 +#ifdef WC_NO_CACHE_RESISTANT
44 - err = ecc_projective_dbl_point(M[1], M[2], a, modulus, mp);
49 - if (mode == 0 && i == 1) {
51 - /* timing resistant - dummy operations */
53 - err = ecc_projective_add_point(M[0], M[1], M[2], a, modulus,
56 - err = ecc_projective_dbl_point(M[1], M[2], a, modulus, mp);
57 + err = ecc_projective_dbl_point(M[2], M[3], a, modulus, mp);
59 + /* instead of using M[i] for double, which leaks key bit to cache
60 + * monitor, use M[2] as temp, make sure address calc is constant,
61 + * keep M[0] and M[1] in cache */
63 + err = mp_copy((mp_int*)
64 + ( ((wolfssl_word)M[0]->x & wc_off_on_addr[i^1]) +
65 + ((wolfssl_word)M[1]->x & wc_off_on_addr[i])),
68 + err = mp_copy((mp_int*)
69 + ( ((wolfssl_word)M[0]->y & wc_off_on_addr[i^1]) +
70 + ((wolfssl_word)M[1]->y & wc_off_on_addr[i])),
73 + err = mp_copy((mp_int*)
74 + ( ((wolfssl_word)M[0]->z & wc_off_on_addr[i^1]) +
75 + ((wolfssl_word)M[1]->z & wc_off_on_addr[i])),
78 + err = ecc_projective_dbl_point(M[2], M[3], a, modulus, mp);
79 + /* copy M[2] back to M[i] */
81 + err = mp_copy(M[2]->x,
83 + ( ((wolfssl_word)M[0]->x & wc_off_on_addr[i^1]) +
84 + ((wolfssl_word)M[1]->x & wc_off_on_addr[i])) );
86 + err = mp_copy(M[2]->y,
88 + ( ((wolfssl_word)M[0]->y & wc_off_on_addr[i^1]) +
89 + ((wolfssl_word)M[1]->y & wc_off_on_addr[i])) );
91 + err = mp_copy(M[2]->z,
93 + ( ((wolfssl_word)M[0]->z & wc_off_on_addr[i^1]) +
94 + ((wolfssl_word)M[1]->z & wc_off_on_addr[i])) );