bigint: Use LeakyWindow when building table of multiples.
When building the table, the indexes into the table are publicly
known. It's only when reading from the table that the indexes are
secret. Make this clearer, as a step towards making `Limb` an
opaque type.
briansmith committed Dec 7, 2024
1 parent d3bbfcf commit 5f3dbbf
Showing 2 changed files with 20 additions and 9 deletions.
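--- a/src/arithmetic/bigint.rs
+++ b/src/arithmetic/bigint.rs
@@ -507,7 +507,7 @@ pub fn elem_exp_consttime<M>(
 // awkwardness here stems from trying to use the assembly code like OpenSSL
 // does.
 
-use crate::limb::Window;
+use crate::limb::{LeakyWindow, Window};
 
 const WINDOW_BITS: usize = 5;
 const TABLE_ENTRIES: usize = 1 << WINDOW_BITS;
@@ -524,9 +524,9 @@ pub fn elem_exp_consttime<M>(
 table.split_at_mut(TABLE_ENTRIES * num_limbs)
 };
 
-fn scatter(table: &mut [Limb], acc: &[Limb], i: Window, num_limbs: usize) {
+fn scatter(table: &mut [Limb], acc: &[Limb], i: LeakyWindow, num_limbs: usize) {
 prefixed_extern! {
-fn bn_scatter5(a: *const Limb, a_len: c::size_t, table: *mut Limb, i: Window);
+fn bn_scatter5(a: *const Limb, a_len: c::size_t, table: *mut Limb, i: LeakyWindow);
 }
 unsafe { bn_scatter5(acc.as_ptr(), num_limbs, table.as_mut_ptr(), i) }
 }
@@ -628,14 +628,14 @@ pub fn elem_exp_consttime<M>(
 acc: &mut [Limb],
 m_cached: &[Limb],
 n0: &N0,
-mut i: Window,
+mut i: LeakyWindow,
 num_limbs: usize,
 cpu_features: cpu::Features,
 ) {
 loop {
 scatter(table, acc, i, num_limbs);
 i *= 2;
-if i >= (TABLE_ENTRIES as Window) {
+if i >= TABLE_ENTRIES as LeakyWindow {
 break;
 }
 limbs_mont_square(acc, m_cached, n0, cpu_features);
@@ -655,8 +655,16 @@ pub fn elem_exp_consttime<M>(
 scatter_powers_of_2(table, acc, m_cached, n0, 1, num_limbs, cpu_features);
 // Fill in entries 3, 6, 12, 24; 5, 10, 20, 30; 7, 14, 28; 9, 18; 11, 22; 13, 26; 15, 30;
 // 17; 19; 21; 23; 25; 27; 29; 31.
-for i in (3..(TABLE_ENTRIES as Window)).step_by(2) {
-limbs_mul_mont_gather5_amm(table, acc, base_cached, m_cached, n0, i - 1, num_limbs);
+for i in (3..(TABLE_ENTRIES as LeakyWindow)).step_by(2) {
+limbs_mul_mont_gather5_amm(
+table,
+acc,
+base_cached,
+m_cached,
+n0,
+Window::from(i - 1), // Not secret
+num_limbs,
+);
 scatter_powers_of_2(table, acc, m_cached, n0, i, num_limbs, cpu_features);
 }
 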
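Review bot: The `prefixed_extern!` declaration of `bn_scatter5` in the second hunk now types its index parameter as `LeakyWindow` while the assembly it binds to is unchanged, so the change is only sound if `constant_time::LeakyWord` has the same representation as the old `Window` (previously `Limb`); nothing in this diff shows that, and a mismatch here would be silent at the FFI boundary. A one-line comment at the extern block would pin the invariant, e.g. `// ABI: \`LeakyWindow\` must have the same representation as the index type the assembly reads.`. In the last hunk, the `// Not secret` remark on `Window::from(i - 1)` would read better if it stated the direction being relied on, e.g. `// Public table index promoted into the secret-index type; public-to-secret is the safe direction, the reverse would be a leak.`. The enclosing `elem_exp_consttime` starts and ends outside these hunks.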
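--- a/src/limb.rs
+++ b/src/limb.rs
@@ -211,7 +211,10 @@ pub fn unstripped_be_bytes(limbs: &[Limb]) -> impl ExactSizeIterator<Item = u8>
 }
 
 #[cfg(feature = "alloc")]
-pub type Window = Limb;
+pub type Window = constant_time::Word;
+
+#[cfg(feature = "alloc")]
+pub type LeakyWindow = constant_time::LeakyWord;
 
 /// Processes `limbs` as a sequence of 5-bit windows, folding the windows from
 /// most significant to least significant and returning the accumulated result.
@@ -263,7 +266,7 @@ pub fn fold_5_bit_windows<R, I: FnOnce(Window) -> R, F: Fn(R, Window) -> R>(
 init(leading_partial_window)
 };
 
-let mut low_limb = 0;
+let mut low_limb = Limb::from(0 as LeakyWindow);
 limbs
 .iter()
 .rev()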
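Review bot: The `Window` and `LeakyWindow` aliases in the first hunk carry no doc comments, yet the whole point of splitting them is which one a caller may let influence a branch or memory address, and downstream code will choose between them by name alone. Suggest `/// An exponent window whose value is secret; it must never select a branch or a memory address.` on `Window` and `/// A window-sized value that is public, e.g. an index used while building a table.` on `LeakyWindow`, so the distinction the commit message explains survives in rustdoc. The second hunk's `Limb::from(0 as LeakyWindow)` is inside `fold_5_bit_windows`, whose body ends outside the hunk.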
