Niels Möller nisse at
Sun Nov 25 20:45:40 UTC 2018

tg at (Torbjörn Granlund) writes:

> Which is fine in itself. We do NOT try to hide the number of bits in
> operands.

We certainly don't hide passed in limb counts. But most functions don't
leak any bits of the top limb. Maybe it's reasonable that division
functions (which are also special by requiring non-zero top limb) are an
exception. E.g., in the case of a private RSA factor, leaking bit size
is unlikely to be a problem.

> That use of mpn_invert_limb_table is a serious oversight.  One needs to
> start with a single-bit value instead.  (I'm sure we could do some
> simple logical operation on the low bits and get at least two bits.)

And there's also a similar table lookup in binvert_limb, used by


Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.

More information about the gmp-devel mailing list