nisse at lysator.liu.se
Sun Nov 25 20:45:40 UTC 2018
tg at gmplib.org (Torbjörn Granlund) writes:
> Which is fine in itself. We do NOT try to hide the number of bits in
We certainly don't hide passed in limb counts. But most functions don't
leak any bits of the top limb. Maybe it's reasonable that division
functions (which are also special by requiring non-zero top limb) are an
exception. E.g., in the case of a private RSA factor, leaking bit size
is unlikely to be a problem.
> That use of mpn_invert_limb_table is a serious oversight. One needs to
> start with a single-bit value instead. (I'm sure we could do some
> simple logical operation on the low bits and get at least two bits.)
And there's also a similar table lookup in binvert_limb, used by
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
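The table lookup the thread flags in mpn_invert_limb_table / binvert_limb matters because the table index is derived from the secret limb, so a cache-timing observer can learn those index bits. The following is an added example, not GMP's code, showing the two starting points side by side: the table-indexed start (with a table built at runtime here, so it is not a copy of GMP's table) and a table-free start whose memory access pattern does not depend on the limb. The table-free start uses the identity that for odd b, (3*b) XOR 2 is a correct inverse modulo 2^5 (a known identity, assumed here, not taken from the thread); each Newton step x <- x*(2 - b*x) then doubles the number of correct low bits, 5 -> 10 -> 20 -> 40 -> 80 >= 64. The function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint64_t limb_t;

/* Table-indexed start, the pattern the thread warns about.
   The index is bits 1..7 of the secret odd limb b, so the cache line
   touched depends on secret data.  Table built at runtime for this example. */
static limb_t inv8_table[128];

static void build_inv8_table(void)
{
    for (unsigned i = 0; i < 128; i++) {
        limb_t odd = 2 * i + 1;
        limb_t x = (3 * odd) ^ 2;   /* 5 correct bits */
        x *= 2 - odd * x;           /* 10 correct bits, more than the 8 we keep */
        inv8_table[i] = x & 0xFF;
    }
}

limb_t binvert_limb_with_table(limb_t b)
{
    limb_t x = inv8_table[(b >> 1) & 0x7F];   /* secret-dependent index */
    for (int i = 0; i < 3; i++)                /* 8 -> 16 -> 32 -> 64 bits */
        x *= 2 - b * x;
    return x;
}

/* Table-free start: no data-dependent memory access at all.
   (3*b) ^ 2 is an inverse of odd b modulo 2^5 (assumed identity).
   Four Newton steps bring 5 correct bits to 80 >= 64.  All arithmetic is
   unsigned 64-bit, so it wraps modulo 2^64 as intended. */
limb_t binvert_limb_tablefree(limb_t b)
{
    limb_t x = (3 * b) ^ 2;
    for (int i = 0; i < 4; i++)
        x *= 2 - b * x;
    return x;
}

/* Returns 1 if x really is the inverse of b modulo 2^64. */
int inverse_ok(limb_t b, limb_t x)
{
    return b * x == 1;
}

/* Exhaustively checks both variants over a range of odd limbs, including
   values near 2^64 so the wraparound path is exercised.  Returns 1 on
   success, 0 on the first mismatch. */
int selftest(void)
{
    build_inv8_table();
    for (limb_t b = 1; b < 1 << 16; b += 2) {
        if (!inverse_ok(b, binvert_limb_tablefree(b))) return 0;
        if (!inverse_ok(b, binvert_limb_with_table(b))) return 0;
    }
    for (limb_t b = ~(limb_t)0; b > ~(limb_t)0 - (1 << 12); b -= 2) {
        if (!inverse_ok(b, binvert_limb_tablefree(b))) return 0;
        if (!inverse_ok(b, binvert_limb_with_table(b))) return 0;
    }
    return 1;
}

int main(void)
{
    printf("selftest: %s\n", selftest() ? "ok" : "FAILED");
    return 0;
}
```

The cost of dropping the table is one extra Newton step (four multiplications instead of three), which is the trade the thread is weighing: a slightly longer but access-pattern-independent inversion for the mpn_sec paths, versus the faster table start where the limb is not secret.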