yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-22 21:35:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

Do point inversion without leaking information

Browse Source
This commit is contained in:
Manuel Pégourié-Gonnard 2013-11-21 17:47:12 +01:00
parent 71c2c21601
commit 01fca5e882
1 changed files with 31 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
library/ecp.c
View File

@ -982,6 +982,31 @@ cleanup:
return( ret ); return( ret );
} }
/*
* Conditional point inversion: Q -> -Q = (Q.X, -Q.Y, Q.Z) without leak.
* "inv" must be 0 (don't invert) or 1 (invert) or the result will be invalid
*/
static int ecp_safe_invert( const ecp_group *grp,
ecp_point *Q,
unsigned char inv )
{
int ret;
unsigned char nonzero;
mpi mQY;
mpi_init( &mQY );
/* Use the fact that -Q.Y mod P = P - Q.Y unless Q.Y == 0 */
MPI_CHK( mpi_sub_mpi( &mQY, &grp->P, &Q->Y ) );
nonzero = mpi_cmp_int( &Q->Y, 0 ) != 0;
MPI_CHK( mpi_safe_cond_assign( &Q->Y, &mQY, inv & nonzero ) );
cleanup:
mpi_free( &mQY );
return( ret );
}
/* /*
* Point doubling R = 2 P, Jacobian coordinates * Point doubling R = 2 P, Jacobian coordinates
* *
@ -1068,6 +1093,7 @@ static int ecp_add_mixed( const ecp_group *grp, ecp_point *R,
/* /*
* Trivial cases: P == 0 or Q == 0 * Trivial cases: P == 0 or Q == 0
* (Check Q first, so that we know Q != 0 when we compute -Q.) * (Check Q first, so that we know Q != 0 when we compute -Q.)
* This will never happen during ecp_mul() so we don't mind the branches.
*/ */
if( mpi_cmp_int( &Q->Z, 0 ) == 0 ) if( mpi_cmp_int( &Q->Z, 0 ) == 0 )
return( ecp_copy( R, P ) ); return( ecp_copy( R, P ) );
@ -1103,6 +1129,7 @@ static int ecp_add_mixed( const ecp_group *grp, ecp_point *R,
/* /*
* For subtraction, -Q.Y should have been used instead of Q.Y, * For subtraction, -Q.Y should have been used instead of Q.Y,
* so we replace T2 by -T2, which is P - T2 mod P * so we replace T2 by -T2, which is P - T2 mod P
* (Again, not used by ecp_mul(), so not worry about the branch.)
*/ */
if( sign < 0 ) if( sign < 0 )
{ {
@ -1113,6 +1140,7 @@ static int ecp_add_mixed( const ecp_group *grp, ecp_point *R,
MPI_CHK( mpi_sub_mpi( &T1, &T1, &P->X ) ); MOD_SUB( T1 ); MPI_CHK( mpi_sub_mpi( &T1, &T1, &P->X ) ); MOD_SUB( T1 );
MPI_CHK( mpi_sub_mpi( &T2, &T2, &P->Y ) ); MOD_SUB( T2 ); MPI_CHK( mpi_sub_mpi( &T2, &T2, &P->Y ) ); MOD_SUB( T2 );
/* TODO: make sure it never happens during ecp_mul() */
if( mpi_cmp_int( &T1, 0 ) == 0 ) if( mpi_cmp_int( &T1, 0 ) == 0 )
{ {
if( mpi_cmp_int( &T2, 0 ) == 0 ) if( mpi_cmp_int( &T2, 0 ) == 0 )
@ -1353,8 +1381,7 @@ static int ecp_precompute_comb( const ecp_group *grp,
* Post-precessing: reclaim some memory by * Post-precessing: reclaim some memory by
* - not storing Z (always 1) * - not storing Z (always 1)
* - shrinking other coordinates * - shrinking other coordinates
* However keep the same number of limbs as P, which will be useful in * Keep the same number of limbs as P to avoid re-growing on next use.
* ecp_select_comb()
*/ */
for( i = 0; i < ( 1U << (w-1) ); i++ ) for( i = 0; i < ( 1U << (w-1) ); i++ )
{ {
@ -1381,13 +1408,8 @@ static int ecp_select_comb( const ecp_group *grp, ecp_point *R,
/* Restore the Z coordinate */ /* Restore the Z coordinate */
MPI_CHK( mpi_lset( &R->Z, 1 ) ); MPI_CHK( mpi_lset( &R->Z, 1 ) );
/* /* Safely invert result if i is "negative" */
* -R = (R.X, -R.Y, R.Z), and MPI_CHK( ecp_safe_invert( grp, R, i >> 7 ) );
* -R.Y mod P = P - R.Y unless R.Y == 0
*/
if( ( i & 0x80 ) != 0 )
if( mpi_cmp_int( &R->Y, 0 ) != 0 )
MPI_CHK( mpi_sub_mpi( &R->Y, &grp->P, &R->Y ) );
cleanup: cleanup:
return( ret ); return( ret );