1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
|
diff --git a/cipher/dsa-common.c b/cipher/dsa-common.c
index 6f2c2f9..647639c 100644
--- a/cipher/dsa-common.c
+++ b/cipher/dsa-common.c
@@ -29,6 +29,30 @@
#include "pubkey-internal.h"
+/*
+ * Modify K, so that computation time difference can be small,
+ * by making K large enough.
+ *
+ * Originally, (EC)DSA computation requires k where 0 < k < q. Here,
+ * we add q (the order), to keep k in a range: q < k < 2*q (or,
+ * addming more q, to keep k in a range: 2*q < k < 3*q), so that
+ * timing difference of the EC multiply (or exponentiation) operation
+ * can be small. The result of (EC)DSA computation is same.
+ */
+void
+_gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits)
+{
+ gcry_mpi_t k1 = mpi_new (qbits+2);
+
+ mpi_resize (k, (qbits+2+BITS_PER_MPI_LIMB-1) / BITS_PER_MPI_LIMB);
+ k->nlimbs = k->alloced;
+ mpi_add (k, k, q);
+ mpi_add (k1, k, q);
+ mpi_set_cond (k, k1, !mpi_test_bit (k, qbits));
+
+ mpi_free (k1);
+}
+
/*
* Generate a random secret exponent K less than Q.
* Note that ECDSA uses this code also to generate D.
diff --git a/cipher/dsa.c b/cipher/dsa.c
index 22d8d78..24a5352 100644
--- a/cipher/dsa.c
+++ b/cipher/dsa.c
@@ -635,6 +635,8 @@ sign (gcry_mpi_t r, gcry_mpi_t s, gcry_mpi_t input, DSA_secret_key *skey,
k = _gcry_dsa_gen_k (skey->q, GCRY_STRONG_RANDOM);
}
+ _gcry_dsa_modify_k (k, skey->q, qbits);
+
/* r = (a^k mod p) mod q */
mpi_powm( r, skey->g, k, skey->p );
mpi_fdiv_r( r, r, skey->q );
diff --git a/cipher/ecc-ecdsa.c b/cipher/ecc-ecdsa.c
index 140e8c0..97966c3 100644
--- a/cipher/ecc-ecdsa.c
+++ b/cipher/ecc-ecdsa.c
@@ -114,6 +114,8 @@ _gcry_ecc_ecdsa_sign (gcry_mpi_t input, ECC_secret_key *skey,
else
k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
+ _gcry_dsa_modify_k (k, skey->E.n, qbits);
+
_gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
{
diff --git a/cipher/ecc-gost.c b/cipher/ecc-gost.c
index a34fa08..0362a6c 100644
--- a/cipher/ecc-gost.c
+++ b/cipher/ecc-gost.c
@@ -94,6 +94,8 @@ _gcry_ecc_gost_sign (gcry_mpi_t input, ECC_secret_key *skey,
mpi_free (k);
k = _gcry_dsa_gen_k (skey->E.n, GCRY_STRONG_RANDOM);
+ _gcry_dsa_modify_k (k, skey->E.n, qbits);
+
_gcry_mpi_ec_mul_point (&I, k, &skey->E.G, ctx);
if (_gcry_mpi_ec_get_affine (x, NULL, &I, ctx))
{
diff --git a/cipher/pubkey-internal.h b/cipher/pubkey-internal.h
index b8167c7..d31e26f 100644
--- a/cipher/pubkey-internal.h
+++ b/cipher/pubkey-internal.h
@@ -84,6 +84,7 @@ _gcry_rsa_pss_verify (gcry_mpi_t value, gcry_mpi_t encoded,
/*-- dsa-common.c --*/
+void _gcry_dsa_modify_k (gcry_mpi_t k, gcry_mpi_t q, int qbits);
gcry_mpi_t _gcry_dsa_gen_k (gcry_mpi_t q, int security_level);
gpg_err_code_t _gcry_dsa_gen_rfc6979_k (gcry_mpi_t *r_k,
gcry_mpi_t dsa_q, gcry_mpi_t dsa_x,
diff --git a/mpi/ec.c b/mpi/ec.c
index 89077cd..adb0260 100644
--- a/mpi/ec.c
+++ b/mpi/ec.c
@@ -1309,7 +1309,11 @@ _gcry_mpi_ec_mul_point (mpi_point_t result,
unsigned int nbits;
int j;
- nbits = mpi_get_nbits (scalar);
+ if (mpi_cmp (scalar, ctx->p) >= 0)
+ nbits = mpi_get_nbits (scalar);
+ else
+ nbits = mpi_get_nbits (ctx->p);
+
if (ctx->model == MPI_EC_WEIERSTRASS)
{
mpi_set_ui (result->x, 1);
|
