Better tabselect

Niels Möller nisse at lysator.liu.se
Wed Apr 10 22:09:54 CEST 2013


Torbjorn Granlund <tg at gmplib.org> writes:

> The multitude and pattern of mask computations make side channel leakage
> worse if the mask computation is made stupidly.  I don't trust compilers
> here, since they might use a conditional move or other leaky method.

One possible variant,

  LIMB_HIGHBIT_TO_MASK ( ~((i-k) | (k-i)))

BTW, a comment on LIMB_HIGHBIT_TO_MASK, which I have intended to write
for some time. Current definition uses a condition when arithmetic shift
is unavailable,

#define LIMB_HIGHBIT_TO_MASK(n)						\
  (((mp_limb_signed_t) -1 >> 1) < 0					\
   ? (mp_limb_signed_t) (n) >> (GMP_LIMB_BITS - 1)			\
   : (n) & GMP_LIMB_HIGHBIT ? MP_LIMB_T_MAX : CNST_LIMB(0))

I'd suggest changing the else part to a shift + negation,

   : - ((n) >> (GMP_LIMB_BITS - 1))

But I don't know if there's still any C implementation which lacks
arithmetic shift, so I don't know how to test that change.

Regards,
/Niels

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
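The two constructions discussed in the message, the branch-free equality mask `~((i-k) | (k-i))` and the shift-plus-negation fallback for LIMB_HIGHBIT_TO_MASK, put together into a constant-time table select. This is an added illustration, not code from GMP or from the message; the names highbit_to_mask_arith, highbit_to_mask_neg, eq_mask, tabselect and select_from_sample are assumptions of this example, limbs are assumed to be 64-bit, and the sample table is constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for GMP's mp_limb_t / mp_limb_signed_t (assumed 64-bit limbs). */
typedef uint64_t limb_t;
typedef int64_t slimb_t;
#define LIMB_BITS 64
#define LIMB_HIGHBIT ((limb_t)1 << (LIMB_BITS - 1))

/* Current GMP branch: arithmetic right shift of the signed limb.
 * Whether a signed right shift is arithmetic is implementation-defined in C. */
static limb_t highbit_to_mask_arith(limb_t n)
{
    return (limb_t)((slimb_t)n >> (LIMB_BITS - 1));
}

/* Proposed fallback: the logical shift leaves 0 or 1, and unsigned negation
 * turns 1 into all-ones. There is no conditional for a compiler to turn into
 * a branch or a conditional move. */
static limb_t highbit_to_mask_neg(limb_t n)
{
    return -(n >> (LIMB_BITS - 1));
}

/* All-ones iff i == k, all-zero otherwise. For x != 0, x | -x always has
 * the high bit set (one of x and -x is "negative", or x is 2^63 and equals
 * its own negation), so ~((i-k) | (k-i)) has the high bit set exactly when
 * i - k == 0. Unsigned wraparound is well-defined, so no UB is involved. */
static limb_t eq_mask(limb_t i, limb_t k)
{
    return highbit_to_mask_neg(~((i - k) | (k - i)));
}

/* Constant-time table select: r = entry k of tab, each entry n limbs, nents
 * entries. Every entry is read and masked, so the memory access pattern and
 * the operation count do not depend on k. */
static void tabselect(limb_t *r, const limb_t *tab, size_t n, size_t nents, size_t k)
{
    for (size_t j = 0; j < n; j++)
        r[j] = 0;
    for (size_t e = 0; e < nents; e++) {
        limb_t m = eq_mask((limb_t)e, (limb_t)k);
        for (size_t j = 0; j < n; j++)
            r[j] |= tab[e * n + j] & m;
    }
}

/* Constructed sample table: three 2-limb entries. Returns limb j of entry k. */
static limb_t select_from_sample(size_t k, size_t j)
{
    static const limb_t tab[3 * 2] = {
        0x1111, 0x1112,
        0x2221, 0x2222,
        0x3331, 0x3332,
    };
    limb_t r[2];
    tabselect(r, tab, 2, 3, k);
    return r[j];
}

int main(void)
{
    for (size_t k = 0; k < 3; k++)
        printf("entry %zu: %#llx %#llx\n", k,
               (unsigned long long)select_from_sample(k, 0),
               (unsigned long long)select_from_sample(k, 1));
    printf("mask variants agree on the high bit: %d\n",
           highbit_to_mask_arith(LIMB_HIGHBIT) == highbit_to_mask_neg(LIMB_HIGHBIT));
    return 0;
}
```

The point of the shift-plus-negation form is that both branches of the macro then compute the mask with plain arithmetic, so there is no `?:` for the compiler to lower into a conditional jump or cmov. Source-level absence of conditionals is necessary but not sufficient, though: the practical check is to inspect the generated assembly of the select loop on each target and confirm that no branch or cmov depends on `m`.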

