author Billy Brumley <bbrumley@gmail.com> 2018-07-19 11:16:07 +0300
committer Andy Polyakov <appro@openssl.org> 2018-07-26 19:41:16 +0200
commit 9d91530d2d7da1447b7be8631b269599023430e7 (patch)
tree cf21727c4f3a8e8bac4f53388dd3eeb555e9d2f4 /CHANGES
parent 793f19e47c69558e39c702da75c27e0509baf379 (diff)
EC GFp ladder
This commit leverages the Montgomery ladder scaffold introduced in #6690 (alongside a specialized Lopez-Dahab ladder for binary curves) to provide a specialized differential addition-and-double implementation to speed up prime curves, while keeping all the features of `ec_scalar_mul_ladder` against SCA attacks.

The arithmetic in ladder_pre, ladder_step and ladder_post is auto-generated with tooling, from the following formulae:

- `ladder_pre`: Formula 3 for doubling from Izu-Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", as described at https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#doubling-dbl-2002-it-2
- `ladder_step`: differential addition-and-doubling Eq. (8) and (10) from Izu-Takagi "A fast parallel elliptic curve multiplication resistant against side channel attacks", as described at https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-3
- `ladder_post`: y-coordinate recovery using Eq. (8) from Brier-Joye "Weierstrass Elliptic Curves and Side-Channel Attacks", modified to work in projective coordinates.

Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6772)
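To illustrate the three phases the commit message names (ladder_pre doubling, ladder_step differential addition-and-doubling, ladder_post y-coordinate recovery), here is an added x-only Montgomery ladder in Python; it is not OpenSSL's code, it uses the affine form of the Brier-Joye x-only formulae with explicit inversions rather than the projective Izu-Takagi formulae of the commit, and it makes no constant-time claims. NIST P-256 is assumed as the concrete curve.

```python
# Added example (not OpenSSL code): x-only Montgomery ladder on y^2 = x^3+ax+b
# over F_p with the affine Brier-Joye differential add/double formulae and
# y recovery. OpenSSL's ladder_step uses projective Izu-Takagi formulae instead.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff  # P-256
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def inv(v):
    return pow(v, -1, P)

def x_dbl(x):
    # ladder_pre analogue: x(2P) = ((x^2 - a)^2 - 8bx) / (4(x^3 + ax + b))
    return ((x * x - A) ** 2 - 8 * B * x) * inv(4 * (x ** 3 + A * x + B)) % P

def x_dadd(x1, x2, xd):
    # x(P+Q) from x(P), x(Q) and xd = x(P-Q):
    # x(P+Q) + x(P-Q) = (2(x1+x2)(x1x2 + a) + 4b) / (x1 - x2)^2
    num = 2 * (x1 + x2) * (x1 * x2 + A) + 4 * B
    return (num * inv((x1 - x2) ** 2) - xd) % P

def ladder(k, x):
    # Montgomery ladder, invariant R1 - R0 = P: one dadd and one dbl per bit,
    # in the same order whatever the bit value.
    r0, r1 = x, x_dbl(x)
    for i in range(k.bit_length() - 2, -1, -1):
        if (k >> i) & 1:
            r0, r1 = x_dadd(r0, r1, x), x_dbl(r1)
        else:
            r0, r1 = x_dbl(r0), x_dadd(r0, r1, x)
    return r0, r1  # x(kP), x((k+1)P)

def recover_y(x1, y1, x2, x3):
    # ladder_post analogue (Brier-Joye Eq. (8), affine form):
    # y(Q) from P = (x1, y1), x(Q) = x2 and x(P+Q) = x3
    num = 2 * B + (A + x1 * x2) * (x1 + x2) - x3 * (x1 - x2) ** 2
    return num * inv(2 * y1) % P

def ladder_mult(k, pt):
    # kP for 1 <= k < n/2, which keeps the ladder away from exceptional cases.
    xk, xk1 = ladder(k, pt[0])
    return xk, recover_y(pt[0], pt[1], xk, xk1)
```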
Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES | 11
1 files changed, 10 insertions, 1 deletions
diff --git a/CHANGES b/CHANGES
index cab58c0106..780591290b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -9,6 +9,15 @@
Changes between 1.1.0h and 1.1.1 [xx XXX xxxx]
+ *) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
+ step for prime curves. The new implementation is based on formulae from
+ differential addition-and-doubling in homogeneous projective coordinates
+ from Izu-Takagi "A fast parallel elliptic curve multiplication resistant
+ against side channel attacks" and Brier-Joye "Weierstrass Elliptic Curves
+ and Side-Channel Attacks" Eq. (8) for y-coordinate recovery, modified
+ to work in projective coordinates.
+ [Billy Bob Brumley, Nicola Tuveri]
+
*) Change generating and checking of primes so that the error rate of not
being prime depends on the intended use based on the size of the input.
For larger primes this will result in more rounds of Miller-Rabin.
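Review bot: the new CHANGES entry describes only which formulae the prime-curve ladder step is built from, not what users get from it; the commit message states the motivation as a speedup for prime curves while keeping the SCA properties of ec_scalar_mul_ladder, so add a sentence to that effect (for example "to speed up scalar multiplication on prime curves while retaining the SCA protections of the ladder") so readers of CHANGES can tell the effect apart from the otherwise near-identical binary-curve entry below.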
@@ -30,7 +39,7 @@
[Andy Polyakov]
*) Use the new ec_scalar_mul_ladder scaffold to implement a specialized ladder
- step for binary curves. The new implementation is based on formulas from
+ step for binary curves. The new implementation is based on formulae from
differential addition-and-doubling in mixed Lopez-Dahab projective
coordinates, modified to independently blind the operands.
[Billy Bob Brumley, Sohaib ul Hassan, Nicola Tuveri]
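Review bot: the "formulas" to "formulae" change in the existing binary-curve entry is an unrelated wording tweak bundled into this commit; it keeps the two entries consistent, so keeping it is reasonable, but note it in the commit message or split it into its own commit so the CHANGES history stays easy to bisect.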