From: Mark Wooding
Date: Wed, 28 Sep 2016 11:01:26 +0000 (+0100)
Subject: dh.c, rsa.c: use `mpz_powm_sec' for modexps.
X-Git-Tag: v0.4.1~1^2
X-Git-Url: https://git.distorted.org.uk/~mdw/secnet/commitdiff_plain/b6aae8b2364f24edc13c6cdf774bb8c8d282e02f?hp=b6aae8b2364f24edc13c6cdf774bb8c8d282e02f

dh.c, rsa.c: use `mpz_powm_sec' for modexps.

This makes an effort to run in constant time.  It's not perfect, but
it's a lot better than nothing.

  * It uses fixed windows from the exponent rather than the traditional
    sliding windows used by `mpz_powm'.  Sliding windows are more
    efficient on low Hamming-weight exponents, which is obviously bad if
    you were hoping for constant-time behaviour.

  * It uses a cache-oblivious algorithm to pick values out of its table
    of small multiples -- i.e., it scans the entire table and plucks out
    the entry it's looking for using bitmasking.  (This is tweakable with
    a macro `WANT_CACHE_SECURITY', but that's hardwired on.)

  * It uses a constant-time conditional subtract to finish up after a
    Montgomery reduction.

On the other hand there are some rough edges.

  * The initial reduction of the exponentiand is done with a
    non-constant-time algorithm.  It /could/ be done a fancy way, using
    Montgomery reduction, but they've not done this yet.

  * I've not looked at the Secnet code to see whether there are other
    timing leaks.

The call in `rsa_sig_check' is safe to leave as the faster `mpz_powm',
since it's verifying a signature which could, in principle, be done by
anyone using only public information.

Signed-off-by: Mark Wooding
---
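The first two properties the commit message attributes to `mpz_powm_sec' (fixed exponent windows, and a table fetch that scans every entry with bitmasks) are easiest to see in miniature. The following is an added, constructed example over 64-bit moduli; it is neither secnet nor GMP code, and its `mulmod' helper reduces with a hardware division rather than a Montgomery step, so only the window and lookup structure is the point.

```c
#include <stddef.h>
#include <stdint.h>

#define WINDOW 4
#define TABLE_SIZE (1u << WINDOW)

/* Modular multiply via a 128-bit product. NOTE: the `%' here is a hardware
   division and is itself not constant-time; it stands in for the Montgomery
   reduction so the example stays short. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m) {
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

/* Cache-oblivious table fetch: touch every entry and fold in only the one
   whose index matches, using an all-ones/all-zeros mask instead of a branch
   or a secret-dependent array index. */
uint64_t ct_table_lookup(const uint64_t *table, size_t n, size_t idx) {
    uint64_t acc = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t d = (uint64_t)(i ^ idx);            /* 0 only when i == idx */
        uint64_t mask = ((d | (0 - d)) >> 63) - 1;   /* ~0 if d == 0, else 0 */
        acc |= table[i] & mask;
    }
    return acc;
}

/* Fixed-window exponentiation: every WINDOW-bit slice of the 64-bit exponent
   gets the same squarings and one table multiply, so a low-Hamming-weight
   exponent costs exactly as much as a dense one. */
uint64_t powm_fixed_window(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t table[TABLE_SIZE], acc = 1 % m;
    table[0] = 1 % m;
    for (size_t i = 1; i < TABLE_SIZE; i++) table[i] = mulmod(table[i - 1], base, m);
    for (int shift = 64 - WINDOW; shift >= 0; shift -= WINDOW) {
        for (int i = 0; i < WINDOW; i++) acc = mulmod(acc, acc, m);
        size_t w = (size_t)((exp >> shift) & (TABLE_SIZE - 1));
        acc = mulmod(acc, ct_table_lookup(table, TABLE_SIZE, w), m);
    }
    return acc;
}

/* Plain square-and-multiply reference: its `if' is the exponent-dependent
   control flow the fixed-window form avoids. Used only to check results. */
uint64_t powm_reference(uint64_t base, uint64_t exp, uint64_t m) {
    uint64_t r = 1 % m;
    base %= m;
    while (exp) {
        if (exp & 1) r = mulmod(r, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return r;
}
```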