Side-channel leakage in the mpz_powm_sec interface

Niels Möller nisse at
Fri Aug 25 08:11:55 CEST 2023

Niels Möller <nisse at> writes:

> It's preferable to use the mpn_powm_sec. When using mpz_t, I see no
> reasonable way to avoid leakage of the normalized size (or number of
> all-zero limbs at the most significant end).

One possibly unreasonable approach for consideration: 

1. Document that the mpz_t result from mpz_powm_sec always has an alloc
   size >= n, where n is the limb size of the modulo input, and that the
   limb array is zero padded up to n.

2. Ensure that the implementation complies with (1) (probably easy, if
   the array is written by a call to mpn_sec_powm).

3. Do the normalization, i.e., assignment of the size field, by
   side-channel silent logic iterating over all n limbs.

However, any application taking advantage of (1) (and thus avoiding
calling any other mpz functions on the result) could maybe just as well
use mpn_sec_powm directly?


Niels Möller. PGP key CB4962D070D77D7FCB8BA36271D8F1FF368C6677.
Internet email is subject to wholesale government surveillance.
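The side-channel silent normalization in step (3), as an added illustration that is not GMP code and not the author's: given a limb array that is zero padded up to n limbs, the usual normalization loop stops at the first non-zero limb from the top, so its running time reveals how many leading limbs are zero; the constant-time variant visits all n limbs and selects the size with masks. The limb type is assumed to be a 64-bit unsigned integer here (no gmp.h is used), and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for GMP's limb type; assumed to be 64 bits (not from gmp.h). */
typedef uint64_t limb_t;

/* Returns an all-ones mask if x == 0 and 0 otherwise, without a branch:
   (x | -x) has its top bit set exactly when x != 0. */
static limb_t ct_is_zero_mask(limb_t x)
{
    limb_t nonzero = (x | ((limb_t)0 - x)) >> 63;
    return nonzero - 1;   /* 0 -> all ones, 1 -> 0 (unsigned wrap) */
}

/* Leaky normalization: scans down from the top and stops at the first
   non-zero limb, so the number of iterations depends on the value. */
size_t normalize_leaky(const limb_t *p, size_t n)
{
    while (n > 0 && p[n - 1] == 0)
        n--;
    return n;
}

/* Side-channel silent normalization: every one of the n limbs is
   visited, and the size field is updated with masks rather than
   branches, so neither timing nor memory access pattern depends on
   the limb values. Returns the same value as normalize_leaky. */
size_t normalize_ct(const limb_t *p, size_t n)
{
    size_t size = 0;
    for (size_t i = 0; i < n; i++) {
        /* nz is all ones when p[i] != 0, else 0 */
        size_t nz = (size_t)~ct_is_zero_mask(p[i]);
        /* size = (p[i] != 0) ? i + 1 : size, without a branch */
        size = (size & ~nz) | ((i + 1) & nz);
    }
    return size;
}

/* Checks both routines agree on constructed sample arrays (sizes 0..4
   used limbs out of a zero-padded n = 4). Returns 1 on agreement. */
int normalize_agrees_on_samples(void)
{
    /* Constructed inputs: each padded to n = 4 limbs as step (1) requires. */
    const limb_t samples[5][4] = {
        {0, 0, 0, 0},                        /* zero result: size 0 */
        {7, 0, 0, 0},                        /* one used limb */
        {1, 0, 3, 0},                        /* interior zero limb, size 3 */
        {0, 0, 0, 1},                        /* full size 4 */
        {UINT64_MAX, UINT64_MAX, 0, 0},      /* size 2 */
    };
    const size_t expected[5] = {0, 1, 3, 4, 2};
    for (size_t k = 0; k < 5; k++) {
        if (normalize_ct(samples[k], 4) != expected[k])
            return 0;
        if (normalize_leaky(samples[k], 4) != expected[k])
            return 0;
    }
    return 1;
}

int main(void)
{
    const limb_t r[4] = {1, 0, 3, 0};   /* constructed padded result */
    printf("leaky size: %zu\n", normalize_leaky(r, 4));
    printf("ct size:    %zu\n", normalize_ct(r, 4));
    printf("agree on samples: %d\n", normalize_agrees_on_samples());
    return 0;
}
```

The constant-time loop costs n mask operations regardless of the value; that is the price for a size field that no longer correlates with the number of all-zero leading limbs. It only helps if the caller then keeps the result within the padded representation, which is the point raised at the end of the message.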
