mirror of
https://github.com/openssl/openssl.git
synced 2024-12-15 21:13:38 +08:00
3712436071
for specialized Montgomery ladder implementations PR #6009 and #6070 replaced the default EC point multiplication path for prime and binary curves with a unified Montgomery ladder implementation with various timing attack defenses (for the common paths when a secret scalar is feed to the point multiplication). The newly introduced default implementation directly used EC_POINT_add/dbl in the main loop. The scaffolding introduced by this commit allows EC_METHODs to define a specialized `ladder_step` function to improve performances by taking advantage of efficient formulas for differential addition-and-doubling and different coordinate systems. - `ladder_pre` is executed before the main loop of the ladder: by default it copies the input point P into S, and doubles it into R. Specialized implementations could, e.g., use this hook to transition to different coordinate systems before copying and doubling; - `ladder_step` is the core of the Montgomery ladder loop: by default it computes `S := R+S; R := 2R;`, but specific implementations could, e.g., implement a more efficient formula for differential addition-and-doubling; - `ladder_post` is executed after the Montgomery ladder loop: by default it's a noop, but specialized implementations could, e.g., use this hook to transition back from the coordinate system used for optimizing the differential addition-and-doubling or recover the y coordinate of the result point. This commit also renames `ec_mul_consttime` to `ec_scalar_mul_ladder`, as it better corresponds to what this function does: nothing can be truly said about the constant-timeness of the overall execution of this function, given that the underlying operations are not necessarily constant-time themselves. What this implementation ensures is that the same fixed sequence of operations is executed for each scalar multiplication (for a given EC_GROUP), with no dependency on the value of the input scalar. Co-authored-by: Sohaib ul Hassan <soh.19.hassan@gmail.com> Co-authored-by: Billy Brumley <bbrumley@gmail.com> Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6690) |
||
|---|---|---|
| .. | ||
| asm | ||
| curve448 | ||
| build.info | ||
| curve25519.c | ||
| ec2_oct.c | ||
| ec2_smpl.c | ||
| ec_ameth.c | ||
| ec_asn1.c | ||
| ec_check.c | ||
| ec_curve.c | ||
| ec_cvt.c | ||
| ec_err.c | ||
| ec_key.c | ||
| ec_kmeth.c | ||
| ec_lcl.h | ||
| ec_lib.c | ||
| ec_mult.c | ||
| ec_oct.c | ||
| ec_pmeth.c | ||
| ec_print.c | ||
| ecdh_kdf.c | ||
| ecdh_ossl.c | ||
| ecdsa_ossl.c | ||
| ecdsa_sign.c | ||
| ecdsa_vrf.c | ||
| eck_prn.c | ||
| ecp_mont.c | ||
| ecp_nist.c | ||
| ecp_nistp224.c | ||
| ecp_nistp256.c | ||
| ecp_nistp521.c | ||
| ecp_nistputil.c | ||
| ecp_nistz256_table.c | ||
| ecp_nistz256.c | ||
| ecp_oct.c | ||
| ecp_smpl.c | ||
| ecx_meth.c | ||