
Merge pull request #8053 from gilles-peskine-arm/mpi_exp_mod-remove_initial_copy

mbedtls_mpi_exp_mod: remove spurious copy of the output variable
This commit is contained in:
Tom Cosgrove
2023-08-21 15:50:28 +00:00
committed by GitHub


@ -1826,8 +1826,9 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
* and squarings. Firstly, when multiplying by an element of the window * and squarings. Firstly, when multiplying by an element of the window
* W[i], we do a constant-trace table lookup to obfuscate i. This leaves * W[i], we do a constant-trace table lookup to obfuscate i. This leaves
* squarings as having a different memory access patterns from other * squarings as having a different memory access patterns from other
* multiplications. So secondly, we put the accumulator X in the table as * multiplications. So secondly, we put the accumulator in the table as
* well, and also do a constant-trace table lookup to multiply by X. * well, and also do a constant-trace table lookup to multiply by the
* accumulator which is W[x_index].
* *
* This way, all multiplications take the form of a lookup-and-multiply. * This way, all multiplications take the form of a lookup-and-multiply.
* The number of lookup-and-multiply operations inside each iteration of * The number of lookup-and-multiply operations inside each iteration of
@ -1840,19 +1841,16 @@ int mbedtls_mpi_exp_mod(mbedtls_mpi *X, const mbedtls_mpi *A,
* observe both memory accesses and branches. However, branch prediction * observe both memory accesses and branches. However, branch prediction
* exploitation typically requires many traces of execution over the same * exploitation typically requires many traces of execution over the same
* data, which is defeated by randomized blinding. * data, which is defeated by randomized blinding.
*
* To achieve this, we make a copy of X and we use the table entry in each
* calculation from this point on.
*/ */
const size_t x_index = 0; const size_t x_index = 0;
mbedtls_mpi_init(&W[x_index]); mbedtls_mpi_init(&W[x_index]);
mbedtls_mpi_copy(&W[x_index], X);
j = N->n + 1; j = N->n + 1;
/* All W[i] and X must have at least N->n limbs for the mpi_montmul() /* All W[i] including the accumulator must have at least N->n limbs for
* and mpi_montred() calls later. Here we ensure that W[1] and X are * the mpi_montmul() and mpi_montred() calls later. Here we ensure that
* large enough, and later we'll grow other W[i] to the same length. * W[1] and the accumulator W[x_index] are large enough. later we'll grow
* They must not be shrunk midway through this function! * other W[i] to the same length. They must not be shrunk midway through
* this function!
*/ */
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[x_index], j)); MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[x_index], j));
MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[1], j)); MBEDTLS_MPI_CHK(mbedtls_mpi_grow(&W[1], j));