tg at gmplib.org
Mon Feb 10 07:20:56 UTC 2014
nisse at lysator.liu.se (Niels Möller) writes:
After some discussion with Torbjörn, I intend to change mpn_sec_powm to
take the exponent size argument in bits, rather than limbs (because the
current code may leak high bit of the exponent, which can cause serious
problems for some applications, e.g., dsa signatures). But first, I'd
like to fix a more minor issue.
We should perhaps point out in the documentation of this function that
callers should not trim the exponent limb area or the bit count argument
in a data-dependent fashion.
It might also be interesting to note that there's only a single
gmp-mparam.h file where POWM_SEC_TABLE starts with 1: x86_64/bobcat.
There are a larger number of gmp-mparam.h files where it starts with 2,
which would shrink to 1 if the code is fixed to emit nbits - 1.
All this might not be terribly important, but there is a conditional for
eb < windowsize (before the loop, i.e., for the initial value of eb), not
exercised by the testsuite, but needed because of this tuneup.
And I'd like to eliminate that test.
I didn't read your analysis properly now, but let me add that the
POWM_SEC_TABLE measuring never became robust; two consecutive
measurements didn't seem to give very similar data. This might be due
to a tuneup bug you now fixed, or it might be an effect of inherent
smoothness of the cutoff points.
Please encrypt, key id 0xC8601622
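The point of the thread, that the amount of work done by a secure powm must depend only on a public size parameter and never on the exponent's value (so callers must not trim the exponent to its actual bit length), can be shown with a small constructed example. This is an added illustration, not GMP's mpn_sec_powm (which uses a fixed-window table method governed by POWM_SEC_TABLE); it uses a masked binary square-and-multiply on 32-bit toy values, and all function names (powm_fixed_bits, powm_trimmed, iterations_fixed, iterations_trimmed, powm_ref) are assumptions of this example. The `%` in mulmod is not constant-time on real hardware, so the example only demonstrates the length/iteration-count leak, not constant-time arithmetic.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy modular arithmetic on 32-bit values; products fit in uint64_t.
   Constructed for illustration, not GMP's mpn code. */
static uint32_t mulmod(uint32_t a, uint32_t b, uint32_t m)
{
    return (uint32_t)(((uint64_t)a * b) % m);
}

/* Branch-free select: returns b when bit is 1, a when bit is 0. */
static uint32_t ct_select(uint32_t a, uint32_t b, uint32_t bit)
{
    uint32_t mask = (uint32_t)0 - (bit & 1u);
    return a ^ ((a ^ b) & mask);
}

/* Left-to-right square-and-multiply that performs exactly ebits
   iterations (one squaring, one multiply, one masked select each),
   so the work depends only on ebits, a public parameter supplied by
   the caller, and never on the value of e. Assumes ebits <= 64. */
uint32_t powm_fixed_bits(uint32_t base, uint64_t e, unsigned ebits, uint32_t m)
{
    uint32_t r = 1 % m;
    for (unsigned i = ebits; i-- > 0;) {
        r = mulmod(r, r, m);                            /* always square   */
        uint32_t rb = mulmod(r, base, m);               /* always multiply */
        r = ct_select(r, rb, (uint32_t)((e >> i) & 1)); /* keep one result */
    }
    return r;
}

/* Iterations performed by the fixed-bits routine: ebits, whatever e is. */
unsigned iterations_fixed(uint64_t e, unsigned ebits)
{
    (void)e;
    return ebits;
}

/* The pattern the thread warns against: deriving the bit count from the
   exponent's value (trimming leading zero bits or limbs). The result is
   identical, but the iteration count now reveals where e's top set bit is. */
unsigned bit_length(uint64_t e)
{
    unsigned n = 0;
    while (e) { n++; e >>= 1; }
    return n;
}

unsigned iterations_trimmed(uint64_t e)
{
    return bit_length(e);
}

uint32_t powm_trimmed(uint32_t base, uint64_t e, uint32_t m)
{
    return powm_fixed_bits(base, e, bit_length(e), m);
}

/* Plain variable-time reference exponentiation, used only to check results. */
uint32_t powm_ref(uint32_t base, uint64_t e, uint32_t m)
{
    uint32_t r = 1 % m;
    uint32_t b = base % m;
    while (e) {
        if (e & 1) r = mulmod(r, b, m);
        b = mulmod(b, b, m);
        e >>= 1;
    }
    return r;
}

int main(void)
{
    const uint32_t m = 1000003u;          /* constructed prime modulus */
    uint64_t small = 47, big = (uint64_t)1 << 63;
    printf("e=47:   fixed %u iterations, trimmed %u iterations\n",
           iterations_fixed(small, 64), iterations_trimmed(small));
    printf("e=2^63: fixed %u iterations, trimmed %u iterations\n",
           iterations_fixed(big, 64), iterations_trimmed(big));
    printf("results agree: %d\n",
           powm_fixed_bits(7, small, 64, m) == powm_ref(7, small, m) &&
           powm_trimmed(7, big, m) == powm_ref(7, big, m));
    return 0;
}
```

Both routines return the same values, but the trimmed variant does 6 iterations for e = 47 and 64 for e = 2^63, which is exactly the kind of exponent-dependent behaviour a DSA nonce must not exhibit; the fixed variant does 64 in both cases because the caller named the size.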