diff options
author | Nicola Tuveri <nic.tuv@gmail.com> | 2018-07-08 00:50:49 +0300 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-07-16 10:17:40 +0100 |
commit | 3712436071c04ed831594cf47073788417d1506b (patch) | |
tree | bb96632e2e9112e5a2519508fa669bf077f5a41f /crypto/ec/ecp_smpl.c | |
parent | 51f3021d974f32539a2727908018664963695b5d (diff) |
EC point multiplication: add `ladder` scaffold
for specialized Montgomery ladder implementations
PR #6009 and #6070 replaced the default EC point multiplication path for
prime and binary curves with a unified Montgomery ladder implementation
with various timing attack defenses (for the common paths when a secret
scalar is feed to the point multiplication).
The newly introduced default implementation directly used
EC_POINT_add/dbl in the main loop.
The scaffolding introduced by this commit allows EC_METHODs to define a
specialized `ladder_step` function to improve performances by taking
advantage of efficient formulas for differential addition-and-doubling
and different coordinate systems.
- `ladder_pre` is executed before the main loop of the ladder: by
default it copies the input point P into S, and doubles it into R.
Specialized implementations could, e.g., use this hook to transition
to different coordinate systems before copying and doubling;
- `ladder_step` is the core of the Montgomery ladder loop: by default it
computes `S := R+S; R := 2R;`, but specific implementations could,
e.g., implement a more efficient formula for differential
addition-and-doubling;
- `ladder_post` is executed after the Montgomery ladder loop: by default
it's a noop, but specialized implementations could, e.g., use this
hook to transition back from the coordinate system used for optimizing
the differential addition-and-doubling or recover the y coordinate of
the result point.
This commit also renames `ec_mul_consttime` to `ec_scalar_mul_ladder`,
as it better corresponds to what this function does: nothing can be
truly said about the constant-timeness of the overall execution of this
function, given that the underlying operations are not necessarily
constant-time themselves.
What this implementation ensures is that the same fixed sequence of
operations is executed for each scalar multiplication (for a given
EC_GROUP), with no dependency on the value of the input scalar.
Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com>
Co-authored-by: Billy Brumley <bbrumley@gmail.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6690)
Diffstat (limited to 'crypto/ec/ecp_smpl.c')
-rw-r--r-- | crypto/ec/ecp_smpl.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c index e0e4996cfd..768922aa11 100644 --- a/crypto/ec/ecp_smpl.c +++ b/crypto/ec/ecp_smpl.c @@ -64,7 +64,10 @@ const EC_METHOD *EC_GFp_simple_method(void) 0, /* keyfinish */ ecdh_simple_compute_key, 0, /* field_inverse_mod_ord */ - ec_GFp_simple_blind_coordinates + ec_GFp_simple_blind_coordinates, + 0, /* ladder_pre */ + 0, /* ladder_step */ + 0 /* ladder_post */ }; return &ret; @@ -1418,4 +1421,3 @@ int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX_end(ctx); return ret; } - |