Torbjorn Granlund tg at
Mon Feb 10 07:20:56 UTC 2014

nisse at (Niels Möller) writes:

  After some discussion with Torbjörn, I intend to change mpn_sec_powm to
  take the exponent size argument in bits, rather than limbs (because the
  current code may leak high bit of the exponent, which can cause serious
  problems for some applications, e.g., dsa signatures). But first, I'd
  like to fix a more minor issue.
We should perhaps point out in the documentation of this function that
callers should not trim the exponent limb area or the bit count argument
in a data-dependent fashion.

  It might also be interesting to note that there's only a single
  gmp-mparam.h file where POWM_SEC_TABLE starts with 1: x86_64/bobcat.
  There are a larger number of gmp-mparam.h files where it starts with 2,
  which would shrink to 1 if the code is fixed to emit nbits - 1.
  All this might not be terribly important, but there is a conditional for
  eb < windowsize (before the loop, i.e., for the initial value of eb), not
  exercised by the testsuite, but needed because of this tuneup
  peculiarity (see
  And I'd like to eliminate that test.

I didn't read your analysis properly now, but let me add that the
POWM_SEC_TABLE measuring never became robust; two consecutive
measurements didn't seem to give very similar data.  This might be due
to a tuneup bug you now fixed, or it might be an effect of inherent
smoothness of the cutoff points.

Please encrypt, key id 0xC8601622
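A toy illustration of the size-argument point discussed above, added here as an example; it is not GMP code, does not call mpn_sec_powm, and uses constructed sample values (a 32-bit modulus 1000003 and two 16-bit exponents). It contrasts a square-and-always-multiply loop whose trip count is fixed by a public bit-count argument with a caller that trims that argument to the secret exponent's real bit length, which makes the trip count reveal the exponent's leading zero bits. Only the trip-count dependence is demonstrated: the `%` in mulmod32 is itself not constant-time, and real side-channel-free code avoids such data-dependent division.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not GMP code. Modulus is limited to 32 bits so
 * every product fits in a uint64_t. */

/* (a * b) mod m for m < 2^32. The '%' here is NOT constant-time; this
 * toy only shows how the loop trip count depends on the size argument. */
static uint32_t mulmod32(uint32_t a, uint32_t b, uint32_t m)
{
    return (uint32_t)(((uint64_t)a * b) % m);
}

/* Branch-free select: returns b when flag == 1, a when flag == 0. */
static uint32_t ct_select(uint32_t a, uint32_t b, uint32_t flag)
{
    uint32_t mask = 0u - flag;          /* 0 or 0xFFFFFFFF */
    return a ^ ((a ^ b) & mask);
}

/* Left-to-right square-and-always-multiply. The number of iterations is
 * exactly ebits, independent of the exponent's value; exponent bits at
 * index >= ebits are ignored, so the caller must pass a public upper
 * bound (for DSA, the bit length of q, never of the nonce k).
 * 'ops' (may be NULL) receives the iteration count, i.e. the observable
 * "trace length". */
uint32_t powm_fixed_bits(uint32_t base, uint64_t e, unsigned ebits,
                         uint32_t m, unsigned *ops)
{
    uint32_t r = 1u % m;
    unsigned count = 0;
    for (unsigned i = ebits; i-- > 0; ) {
        r = mulmod32(r, r, m);
        uint32_t t = mulmod32(r, base, m);          /* always computed */
        uint32_t bit = (uint32_t)((e >> i) & 1u);
        r = ct_select(r, t, bit);                   /* no secret branch */
        count++;
    }
    if (ops)
        *ops = count;
    return r;
}

/* Bit length of e (0 for e == 0). */
unsigned bit_length(uint64_t e)
{
    unsigned n = 0;
    while (e) { n++; e >>= 1; }
    return n;
}

/* The pattern warned against above: the caller derives the size argument
 * from the secret exponent itself, so the trip count (and timing) leaks
 * how many leading zero bits the exponent has. */
uint32_t powm_trimmed(uint32_t base, uint64_t e, uint32_t m, unsigned *ops)
{
    return powm_fixed_bits(base, e, bit_length(e), m, ops);
}

/* Plain reference implementation for checking results. */
uint32_t powm_ref(uint32_t base, uint64_t e, uint32_t m)
{
    uint32_t r = 1u % m, b = (uint32_t)(base % m);
    while (e) {
        if (e & 1u) r = mulmod32(r, b, m);
        b = mulmod32(b, b, m);
        e >>= 1;
    }
    return r;
}

/* Observable trace lengths for the two calling conventions
 * (constructed modulus 1000003, base 2; the values do not matter here). */
unsigned iterations_fixed(uint64_t e, unsigned ebits)
{
    unsigned ops;
    powm_fixed_bits(2, e, ebits, 1000003u, &ops);
    return ops;
}

unsigned iterations_trimmed(uint64_t e)
{
    unsigned ops;
    powm_trimmed(2, e, 1000003u, &ops);
    return ops;
}

int main(void)
{
    /* Constructed sample: two 16-bit "nonces", one with its top bit set
     * and one with fifteen leading zeros, as a DSA per-signature k might. */
    const uint64_t k_high = 0x8001u, k_low = 0x0001u;
    const unsigned qbits = 16;             /* public bound, like bits(q) */

    printf("fixed size:   %u vs %u iterations\n",
           iterations_fixed(k_high, qbits), iterations_fixed(k_low, qbits));
    printf("trimmed size: %u vs %u iterations\n",
           iterations_trimmed(k_high), iterations_trimmed(k_low));
    return 0;
}
```

With the fixed convention both nonces cost 16 iterations; with the trimmed one the second nonce costs a single iteration, so an attacker timing the signing operation learns the top bits of k, which is the kind of leak the message flags as serious for DSA.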
