Side-channel silent modular inverse
Niels Möller
nisse at lysator.liu.se
Fri Dec 27 20:51:50 UTC 2013
Torbjorn Granlund <tg at gmplib.org> writes:
> Compute T = 2 x A using mpn_add_n or mpn_lshift.
> Use mpn_cnd_sub_n with A, T as arguments.
Should work (except if T is computed mod B^n, one doesn't get the
correct carry out, but that isn't needed here). But it's a bit awkward,
and this is a performance critical function; some 30% of the time to
create a side-channel silent ecdsa signature is spent doing the modular
inversion.
Regards,
/Niels
--
Niels Möller. PGP-encrypted email is preferred. Keyid C0B98E26.
Internet email is subject to wholesale government surveillance.
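The quoted suggestion, read as a branch-free conditional negation (r = A - 2A = -A mod B^n when the condition holds, else A), as an added example that is not GMP's code or part of the original thread. The limb helpers below are stand-ins for mpn_lshift and mpn_cnd_sub_n written here with 64-bit limbs and an assumed MAX_LIMBS bound on n; the check function and its sample value are constructed.

```c
#include <stdint.h>
#include <stddef.h>

typedef uint64_t limb_t;          /* one GMP-style limb, B = 2^64 */
#define MAX_LIMBS 8               /* assumed bound on n for the scratch buffer */

/* T = 2*A computed mod B^n (what mpn_lshift by 1 does); returns the bit shifted out. */
static limb_t lshift1_n(limb_t *t, const limb_t *a, size_t n)
{
    limb_t carry = 0;
    for (size_t i = 0; i < n; i++) {
        limb_t top = a[i] >> 63;
        t[i] = (a[i] << 1) | carry;
        carry = top;
    }
    return carry;
}

/* r = a - (cnd ? b : 0) mod B^n with no branch on cnd or on the data; cnd is 0 or 1.
   Returns the borrow out of the top limb. */
static limb_t cnd_sub_n(limb_t cnd, limb_t *r, const limb_t *a, const limb_t *b, size_t n)
{
    limb_t mask = 0 - cnd;        /* 0 or all ones */
    limb_t borrow = 0;
    for (size_t i = 0; i < n; i++) {
        limb_t bi = b[i] & mask;
        limb_t d = a[i] - bi - borrow;
        /* borrow out of a - bi - borrow_in, from bits rather than comparisons */
        borrow = ((~a[i] & bi) | (~(a[i] ^ bi) & d)) >> 63;
        r[i] = d;
    }
    return borrow;
}

/* Conditional negation: r = cnd ? -a : a (mod B^n).  The top bit of 2a that the
   shift drops, and the borrow out of the subtraction, are both irrelevant here. */
static void cnd_neg_n(limb_t cnd, limb_t *r, const limb_t *a, size_t n)
{
    limb_t t[MAX_LIMBS];
    (void)lshift1_n(t, a, n);
    (void)cnd_sub_n(cnd, r, a, t, n);
}

/* Constructed check: a 2-limb value whose top bit is set, so 2a overflows B^n. */
static int check_cnd_neg(void)
{
    const limb_t a[2] = { 0x0123456789abcdefULL, 0x8000000000000001ULL };
    limb_t r[2];
    cnd_neg_n(0, r, a, 2);
    if (r[0] != a[0] || r[1] != a[1]) return 0;
    cnd_neg_n(1, r, a, 2);                         /* expect two's complement of a */
    return r[0] == 0xfedcba9876543211ULL && r[1] == 0x7ffffffffffffffeULL;
}
```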