• Vitaly Chikunov's avatar
    crypto: ecc - regularize scalar for scalar multiplication · 3da2c1df
    Vitaly Chikunov authored
    ecc_point_mult is supposed to be used with a regularized scalar,
    otherwise, it's possible to deduce the position of the top bit of the
    scalar with timing attack. This is important when the scalar is a
    private key.
    
    ecc_point_mult is already using a regular algorithm (i.e. having an
    operation flow independent of the input scalar) but regularization step
    is not implemented.
    
    Arrange scalar to always have fixed top bit by adding a multiple of the
    curve order (n).
    
    References:
    The constant time regularization step is based on micro-ecc by Kenneth
    MacKay and also referenced in the literature (Bernstein, D. J., & Lange,
    T. (2017). Montgomery curves and the Montgomery ladder. (Cryptology
    ePrint Archive; Vol. 2017/293). s.l.: IACR. Chapter 4.6.2.)
    Signed-off-by: default avatarVitaly Chikunov <vt@altlinux.org>
    Cc: kernel-hardening@lists.openwall.com
    Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
    3da2c1df
ecc.c 27.6 KB