mpi_exp_mod: load the output variable to the table

This is done in preparation for the constant-time loading that will be added
in a later commit.

Signed-off-by: Janos Follath <janos.follath@arm.com>
Janos Follath 2022-10-04 13:27:40 +01:00
parent 72fa1c23ed
commit 8e7d6a0386


@ -1974,7 +1974,7 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
size_t i, j, nblimbs; size_t i, j, nblimbs;
size_t bufsize, nbits; size_t bufsize, nbits;
mbedtls_mpi_uint ei, mm, state; mbedtls_mpi_uint ei, mm, state;
mbedtls_mpi RR, T, W[ 1 << MBEDTLS_MPI_WINDOW_SIZE ], WW, Apos; mbedtls_mpi RR, T, W[ ( 1 << MBEDTLS_MPI_WINDOW_SIZE ) + 1 ], WW, Apos;
int neg; int neg;
MPI_VALIDATE_RET( X != NULL ); MPI_VALIDATE_RET( X != NULL );
@ -2021,6 +2021,14 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[1], j ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[1], j ) );
MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T, j * 2 ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &T, j * 2 ) );
/*
* Append the output variable to the end of the table for constant time
* lookup. From this point on we need to use the table entry in each
* calculation, this makes it safe to use simple assignment.
*/
const size_t x_index = sizeof( W ) / sizeof( W[0] ) - 1;
W[x_index] = *X;
/* /*
* Compensate for negative A (and correct at the end) * Compensate for negative A (and correct at the end)
*/ */
@ -2066,10 +2074,10 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
mpi_montmul( &W[1], &RR, N, mm, &T ); mpi_montmul( &W[1], &RR, N, mm, &T );
/* /*
* X = R^2 * R^-1 mod N = R mod N * W[x_index] = R^2 * R^-1 mod N = R mod N
*/ */
MBEDTLS_MPI_CHK( mbedtls_mpi_copy( X, &RR ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[x_index], &RR ) );
mpi_montred( X, N, mm, &T ); mpi_montred( &W[x_index], N, mm, &T );
if( wsize > 1 ) if( wsize > 1 )
{ {
@ -2127,9 +2135,9 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
if( ei == 0 && state == 1 ) if( ei == 0 && state == 1 )
{ {
/* /*
* out of window, square X * out of window, square W[x_index]
*/ */
mpi_montmul( X, X, N, mm, &T ); mpi_montmul( &W[x_index], &W[x_index], N, mm, &T );
continue; continue;
} }
@ -2144,16 +2152,16 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
if( nbits == wsize ) if( nbits == wsize )
{ {
/* /*
* X = X^wsize R^-1 mod N * W[x_index] = W[x_index]^wsize R^-1 mod N
*/ */
for( i = 0; i < wsize; i++ ) for( i = 0; i < wsize; i++ )
mpi_montmul( X, X, N, mm, &T ); mpi_montmul( &W[x_index], &W[x_index], N, mm, &T );
/* /*
* X = X * W[wbits] R^-1 mod N * W[x_index] = W[x_index] * W[wbits] R^-1 mod N
*/ */
MBEDTLS_MPI_CHK( mpi_select( &WW, W, (size_t) 1 << wsize, wbits ) ); MBEDTLS_MPI_CHK( mpi_select( &WW, W, (size_t) 1 << wsize, wbits ) );
mpi_montmul( X, &WW, N, mm, &T ); mpi_montmul( &W[x_index], &WW, N, mm, &T );
state--; state--;
nbits = 0; nbits = 0;
@ -2166,25 +2174,30 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
*/ */
for( i = 0; i < nbits; i++ ) for( i = 0; i < nbits; i++ )
{ {
mpi_montmul( X, X, N, mm, &T ); mpi_montmul( &W[x_index], &W[x_index], N, mm, &T );
wbits <<= 1; wbits <<= 1;
if( ( wbits & ( one << wsize ) ) != 0 ) if( ( wbits & ( one << wsize ) ) != 0 )
mpi_montmul( X, &W[1], N, mm, &T ); mpi_montmul( &W[x_index], &W[1], N, mm, &T );
} }
/* /*
* X = A^E * R * R^-1 mod N = A^E mod N * W[x_index] = A^E * R * R^-1 mod N = A^E mod N
*/ */
mpi_montred( X, N, mm, &T ); mpi_montred( &W[x_index], N, mm, &T );
if( neg && E->n != 0 && ( E->p[0] & 1 ) != 0 ) if( neg && E->n != 0 && ( E->p[0] & 1 ) != 0 )
{ {
X->s = -1; W[x_index].s = -1;
MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( X, N, X ) ); MBEDTLS_MPI_CHK( mbedtls_mpi_add_mpi( &W[x_index], N, &W[x_index] ) );
} }
/*
* Load the result in the output variable.
*/
*X = W[x_index];
cleanup: cleanup:
for( i = ( one << ( wsize - 1 ) ); i < ( one << wsize ); i++ ) for( i = ( one << ( wsize - 1 ) ); i < ( one << wsize ); i++ )