[crypto/25519] Propagate the masking in x25519 #30087
a288411 to b61454e
| bn.wsrr w22, URND | ||
| bn.rshi w22, w31, w22 >> 128 | ||
| /* Clear the lowest 3 bits of k so k*L is a multiple of 8. |
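Review bot: the shift amount and the clamp in this hunk do not line up with a 128-bit blinding factor: bn.rshi w22, w31, w22 >> 128 keeps only 128 bits of the URND draw (assuming w31 is zero), and clearing the lowest 3 bits afterwards leaves 125 random bits in k. If a 128-bit random factor after clamping is the goal, shift by 125 instead; otherwise the comment should state the 125-bit entropy explicitly.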
I would suggest to instead NOT clamp k, but instead shift k left by 3, or I guess practically simply only shift right by 125 and keep the clamping; this equals the same outcome of 128b random from 130:3.
Thank you Johann! Small side note that this increases the loop ext_scmul_sca from 382 iterations to 385.
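As an added illustration that is not code from this PR, the following Python model reproduces the blinding-factor derivation discussed in this thread: the URND draw shifted right against the zero register (assumed to be w31), the clearing of the lowest 3 bits so that k*L stays a multiple of 8, and the resulting growth of the blinded scalar (and thus of the ladder loop bound) when the shift is 125 instead of 128.

```python
import secrets

# Order of the prime-order subgroup of Curve25519 (RFC 7748 / RFC 8032).
L = 2**252 + 27742317777372353535851937790883648493

def clamp(s: int) -> int:
    """X25519 scalar clamping (RFC 7748): clear bits 0-2 and 255, set bit 254."""
    return (s & ~7 & ~(1 << 255)) | (1 << 254)

def blinding_factor(urnd: int, shift: int) -> int:
    """Model of the OTBN sequence: w22 <= URND; bn.rshi w22, w31, w22 >> shift.
    Assuming w31 is all-zero, this keeps the top (256 - shift) bits of the
    256-bit draw; the lowest 3 bits are then cleared so that k*L is a
    multiple of 8 (L is odd, so k*L has the same low 3 bits as k)."""
    assert 0 <= urnd < 2**256
    return (urnd >> shift) & ~7

def random_bits(shift: int) -> int:
    """Random bits left in k after the shift and the 3-bit clamp."""
    return (256 - shift) - 3

def blind(s: int, k: int) -> int:
    """Scalar blinding: s' = s + k*L, so s' == s (mod L) for any k."""
    return s + k * L

def preserves_clamping(s: int, k: int) -> bool:
    """True iff blinding keeps both the value mod L and the clamped low bits."""
    sp = blind(s, k)
    return sp % L == s % L and (sp & 7) == (s & 7)

def max_blinded_bits(shift: int) -> int:
    """Bit length of the largest blinded scalar for this shift (largest clamped
    s, all-ones URND), i.e. the number of bits the ladder has to cover."""
    s = clamp(2**255 - 1)
    k = blinding_factor(2**256 - 1, shift)
    return blind(s, k).bit_length()

if __name__ == "__main__":
    s = clamp(int.from_bytes(secrets.token_bytes(32), "little"))
    k = blinding_factor(int.from_bytes(secrets.token_bytes(32), "little"), 125)
    print("random bits in k, shift 128 vs 125:", random_bits(128), random_bits(125))
    print("blinding preserves clamping:", preserves_clamping(s, k))
    print("blinded scalar bits, shift 128 vs 125:",
          max_blinded_bits(128), max_blinded_bits(125))
```

Shifting by 125 instead of 128 makes the blinded scalar 3 bits longer, which is the 3 extra ladder iterations mentioned above; a k whose low 3 bits are not cleared (try k = 5) breaks the clamped low bits of s'.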
eac8454 to ed0c1d9
dca945e to 2450520
johannheyszl left a comment
Great! Also particularly nice that we reuse the a2b/b2a from p256 (does not save flash code size since it is included in both binaries, but less code in the repo).
I think the second commit might be redundant because its content is deleted in the last commit.
2450520 to d3be24a
Thank you @andrea-caforio! I squashed the commits now, plus the masking commit is now its own PR in #30167
| bn.xor w4, w4, w21 | ||
| /* [w2, w1] <= [w2, w1] ^ [w11, w10] = gamma ^ s1 = G */ | ||
| bn.xor w1, w1, w10 |
should we add a dummy instruction in between?
Yes, we overwrite w21 with w10, which is a transition from one share to another (though via glitching). Though, I switched the operands of bn.xor w1, w1, w10 instead.
| bn.xor w2, w2, w11 | ||
| /* [w21, w20] <= [w21, w20] ^ [w2, w1] = s0 ^ G */ | ||
| bn.xor w20, w20, w1 |
Here IIUC there is no direct overwrite as we go from w11 (s0) to w1 (gamma).
Get the arithmetic_to_boolean and boolean_to_arithmetic to be in their own files and restructure p256. This should have no impact on p256 itself. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
Propagate the masking of the keys in x25519 to the OTBN and use the masked scalar multiplication from ed25519. Change the sc_blind subroutine to blind with a clamped blinding factor (adding 3 bits to the size). Use the s2b and b2a from p256. Note that due to the sharing change (additive versus subtraction) we switch the masking by adding a new mask B. Signed-off-by: Siemen Dhooghe <sdhooghe@google.com>
d3be24a to 581a639
You know, the fact that two "smallish" routines for A2B/B2A are sufficient to implement a masked X25519 questions the design decisions for P256/P384. Why is the masking there so insanely convoluted?
Propagate the masking of the keys in x25519 to the OTBN and use the masked scalar multiplication from ed25519.
Note that we still need the clamping of the private key, hence we need to unmask.