From c8d66d50d06e3fb801e4b87b4fec5658b300c191 Mon Sep 17 00:00:00 2001
From: Janos Follath <janos.follath@arm.com>
Date: Tue, 22 Nov 2022 10:47:10 +0000
Subject: [PATCH] mpi_exp_mod: reduce the table size by one

The first half of the table is not used, let's reuse index 0 for the
result instead of appending it in the end.

Signed-off-by: Janos Follath <janos.follath@arm.com>
---
 library/bignum.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/library/bignum.c b/library/bignum.c
index 618da377f..993eb2aed 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -1974,7 +1974,7 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
     size_t i, j, nblimbs;
     size_t bufsize, nbits;
     mbedtls_mpi_uint ei, mm, state;
-    mbedtls_mpi RR, T, W[ ( 1 << MBEDTLS_MPI_WINDOW_SIZE ) + 1 ], WW, Apos;
+    mbedtls_mpi RR, T, W[ (size_t) 1 << MBEDTLS_MPI_WINDOW_SIZE ], WW, Apos;
     int neg;
 
     MPI_VALIDATE_RET( X != NULL );
@@ -2011,7 +2011,7 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
         window_bitsize = MBEDTLS_MPI_WINDOW_SIZE;
 #endif
 
-    const size_t w_table_used_size = ( (size_t) 1 << window_bitsize ) + 1;
+    const size_t w_table_used_size = (size_t) 1 << window_bitsize;
 
     /*
      * This function is not constant-trace: its memory accesses depend on the
@@ -2045,7 +2045,7 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
      * To achieve this, we make a copy of X and we use the table entry in each
      * calculation from this point on.
      */
-    const size_t x_index = w_table_used_size - 1;
+    const size_t x_index = 0;
     mbedtls_mpi_init( &W[x_index] );
     mbedtls_mpi_copy( &W[x_index], X );
 
@@ -2109,6 +2109,7 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
     MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[x_index], &RR ) );
     mpi_montred( &W[x_index], N, mm, &T );
 
+
     if( window_bitsize > 1 )
     {
         /*
@@ -2116,6 +2117,10 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
          *
          * The first bit of the sliding window is always 1 and therefore we
          * only need to store the second half of the table.
+         *
+         * (There are two special elements in the table: W[0] for the
+         * accumulator/result and W[1] for A in Montgomery form. Both of these
+         * are already set at this point.)
          */
         j = w_table_used_size / 2;
 
@@ -2127,10 +2132,8 @@ int mbedtls_mpi_exp_mod( mbedtls_mpi *X, const mbedtls_mpi *A,
 
         /*
          * W[i] = W[i - 1] * W[1]
-         * (The last element in the table is for the result X, so we don't need
-         * to calculate that.)
          */
-        for( i = j + 1; i < w_table_used_size - 1; i++ )
+        for( i = j + 1; i < w_table_used_size; i++ )
         {
             MBEDTLS_MPI_CHK( mbedtls_mpi_grow( &W[i], N->n + 1 ) );
             MBEDTLS_MPI_CHK( mbedtls_mpi_copy( &W[i], &W[i - 1] ) );
@@ -2250,6 +2253,7 @@ cleanup:
     for( i = w_table_used_size/2; i < w_table_used_size; i++ )
         mbedtls_mpi_free( &W[i] );
 
+    mbedtls_mpi_free( &W[0] );
     mbedtls_mpi_free( &W[1] );
     mbedtls_mpi_free( &T );
     mbedtls_mpi_free( &Apos );