diff options
author | Billy Brumley <bbrumley@gmail.com> | 2019-02-02 10:53:29 +0200 |
---|---|---|
committer | Nicola Tuveri <nic.tuv@gmail.com> | 2019-02-17 21:02:36 +0200 |
commit | e0033efc30b0f00476bba8f0fa5512be5dc8a3f1 (patch) | |
tree | f7c0b994162419bf3040d4608d0f28397941772a /crypto/ec/ecp_nistz256.c | |
parent | db42bb440e76399b89fc8ae04644441a2a5f6821 (diff) |
SCA hardening for mod. field inversion in EC_GROUP
This commit adds a dedicated function in `EC_METHOD` to access a modular
field inversion implementation suitable for the specifics of the
implemented curve, featuring SCA countermeasures.
The new pointer is defined as:
`int (*field_inv)(const EC_GROUP*, BIGNUM *r, const BIGNUM *a, BN_CTX*)`
and computes the multiplicative inverse of `a` in the underlying field,
storing the result in `r`.
Three implementations are included, each including specific SCA
countermeasures:
- `ec_GFp_simple_field_inv()`, featuring SCA hardening through
blinding.
- `ec_GFp_mont_field_inv()`, featuring SCA hardening through Fermat's
Little Theorem (FLT) inversion.
- `ec_GF2m_simple_field_inv()`, that uses `BN_GF2m_mod_inv()` which
already features SCA hardening through blinding.
From a security point of view, this also helps addressing a leakage
previously affecting conversions from projective to affine coordinates.
This commit also adds a new error reason code (i.e.,
`EC_R_CANNOT_INVERT`) to improve consistency between the three
implementations as all of them could fail for the same reason but
through different code paths resulting in inconsistent error stack
states.
Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8254)
Diffstat (limited to 'crypto/ec/ecp_nistz256.c')
-rw-r--r-- | crypto/ec/ecp_nistz256.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/crypto/ec/ecp_nistz256.c b/crypto/ec/ecp_nistz256.c index 82affd6e6a..c0772ca2fe 100644 --- a/crypto/ec/ecp_nistz256.c +++ b/crypto/ec/ecp_nistz256.c @@ -1677,6 +1677,7 @@ const EC_METHOD *EC_GFp_nistz256_method(void) ec_GFp_mont_field_mul, ec_GFp_mont_field_sqr, 0, /* field_div */ + ec_GFp_mont_field_inv, ec_GFp_mont_field_encode, ec_GFp_mont_field_decode, ec_GFp_mont_field_set_to_one, |