    Implement coordinate blinding for EC_POINT · f667820c
    Sohaib ul Hassan authored
    This commit implements coordinate blinding, i.e., it randomizes the
    representative of an elliptic curve point in its equivalence class, for
    prime curves implemented through EC_GFp_simple_method,
    EC_GFp_mont_method, and EC_GFp_nist_method.
    
    This commit is derived from the patch
    https://marc.info/?l=openssl-dev&m=131194808413635
    by Billy Brumley.
    
    Coordinate blinding is a generally useful side-channel countermeasure
    and is (mostly) free. The function itself takes a few field
    multiplications, but is usually only necessary at the beginning of a
    scalar multiplication (as implemented in the patch). When used this way,
    it makes the values that variables take (i.e., field elements in an
    algorithm state) unpredictable.
    
    For instance, this mitigates chosen EC point side-channel attacks for
    settings such as ECDH and EC private key decryption, for the
    aforementioned curves.
    
    For EC_METHODs using different coordinate representations this commit
    does nothing, but the corresponding coordinate blinding function can be
    easily added in the future to extend these changes to such curves.
    
    Co-authored-by: Nicola Tuveri <nic.tuv@gmail.com>
    Co-authored-by: Billy Brumley <bbrumley@gmail.com>
    
    Reviewed-by: Andy Polyakov <appro@openssl.org>
    Reviewed-by: Matt Caswell <matt@openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6501)
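The blinding the commit describes, as an added worked example that is not OpenSSL's code: a constructed toy prime curve in Jacobian coordinates, where the representative (X, Y, Z) of a point is replaced by (λ²X, λ³Y, λZ) for a random λ before a double-and-add scalar multiplication, so the intermediate field elements differ from run to run while the affine result stays the same. The curve parameters, the point G and all function names are assumptions made for this example.

```python
import secrets

# Constructed toy curve y^2 = x^3 + A*x + B over GF(P); not a real-world curve.
P, A, B = 97, 2, 3
G = (3, 6)           # affine point on the curve: 6^2 = 36 = 3^3 + 2*3 + 3 (mod 97)
INF = (1, 1, 0)      # Jacobian point at infinity (Z == 0)

def blind(pt, lam=None):
    """Randomize the Jacobian representative: (X, Y, Z) -> (l^2 X, l^3 Y, l Z)."""
    X, Y, Z = pt
    if lam is None:
        lam = 1 + secrets.randbelow(P - 1)   # uniform in [1, P-1], never zero
    return (X * lam * lam % P, Y * pow(lam, 3, P) % P, Z * lam % P)

def to_jacobian(aff):
    return (aff[0], aff[1], 1)

def to_affine(pt):
    """(X, Y, Z) -> (X / Z^2, Y / Z^3); the affine point is the same for every representative."""
    X, Y, Z = pt
    if Z == 0:
        return None
    zinv = pow(Z, -1, P)
    return (X * zinv * zinv % P, Y * pow(zinv, 3, P) % P)

def double(pt):
    X, Y, Z = pt
    if Z == 0 or Y == 0:
        return INF
    S = 4 * X * Y * Y % P
    M = (3 * X * X + A * pow(Z, 4, P)) % P
    X3 = (M * M - 2 * S) % P
    return (X3, (M * (S - X3) - 8 * pow(Y, 4, P)) % P, 2 * Y * Z % P)

def add(p1, p2):
    if p1[2] == 0:
        return p2
    if p2[2] == 0:
        return p1
    X1, Y1, Z1 = p1
    X2, Y2, Z2 = p2
    U1, U2 = X1 * Z2 * Z2 % P, X2 * Z1 * Z1 % P
    S1, S2 = Y1 * pow(Z2, 3, P) % P, Y2 * pow(Z1, 3, P) % P
    if U1 == U2:
        return double(p1) if S1 == S2 else INF
    H, R = (U2 - U1) % P, (S2 - S1) % P
    X3 = (R * R - pow(H, 3, P) - 2 * U1 * H * H) % P
    return (X3, (R * (U1 * H * H - X3) - S1 * pow(H, 3, P)) % P, H * Z1 * Z2 % P)

def scalar_mult(k, aff):
    """Left-to-right double-and-add; the input point is blinded once, up front."""
    acc, pt = INF, blind(to_jacobian(aff))
    for bit in bin(k)[2:]:
        acc = double(acc)
        if bit == "1":
            acc = add(acc, pt)
    return to_affine(acc)
```

Calling `scalar_mult(k, G)` twice produces the same affine point from different internal representatives, which is the property the commit relies on.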