Skip to content
  • Billy Brumley's avatar
    SCA hardening for mod. field inversion in EC_GROUP · 48e82c8e
    Billy Brumley authored
    
    
    This commit adds a dedicated function in `EC_METHOD` to access a modular
    field inversion implementation suitable for the specifics of the
    implemented curve, featuring SCA countermeasures.
    
    The new pointer is defined as:
    `int (*field_inv)(const EC_GROUP*, BIGNUM *r, const BIGNUM *a, BN_CTX*)`
    and computes the multiplicative inverse of `a` in the underlying field,
    storing the result in `r`.
    
    Three implementations are included, each including specific SCA
    countermeasures:
      - `ec_GFp_simple_field_inv()`, featuring SCA hardening through
        blinding.
      - `ec_GFp_mont_field_inv()`, featuring SCA hardening through Fermat's
        Little Theorem (FLT) inversion.
      - `ec_GF2m_simple_field_inv()`, that uses `BN_GF2m_mod_inv()` which
        already features SCA hardening through blinding.
    
    From a security point of view, this also helps addressing a leakage
    previously affecting conversions from projective to affine coordinates.
    
    This commit also adds a new error reason code (i.e.,
    `EC_R_CANNOT_INVERT`) to improve consistency between the three
    implementations as all of them could fail for the same reason but
    through different code paths resulting in inconsistent error stack
    states.
    
    Co-authored-by: default avatarNicola Tuveri <nic.tuv@gmail.com>
    
    (cherry picked from commit e0033efc30b0f00476bba8f0fa5512be5dc8a3f1)
    
    Reviewed-by: default avatarMatt Caswell <matt@openssl.org>
    Reviewed-by: default avatarNicola Tuveri <nic.tuv@gmail.com>
    (Merged from https://github.com/openssl/openssl/pull/8262)
    48e82c8e
To find the state of this project's repository at the time of any of these versions, check out the tags.