From 41ab8cb6cb76dd7e8a94c8105b2ef12d1158fc3c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Thu, 14 Nov 2019 11:59:09 +0100
Subject: [PATCH] Centralize everything to EccPoint_mult_safer()
This will make easier to add future counter-measures in a single place.
In practice this change means that:
- compute_public_key() now uses projective coordinate randomisation, which it should as this is a protection against Template Attacks for example.
- mult_safer() now checks that the result is not the point at infinity, which it can as the result is indeed never expected to be that
---
 tinycrypt/ecc.c | 26 +++++++-------------------
 1 file changed, 7 insertions(+), 19 deletions(-)
diff --git a/tinycrypt/ecc.c b/tinycrypt/ecc.c
index 92906fd76..c69d42278 100644
--- a/tinycrypt/ecc.c
+++ b/tinycrypt/ecc.c
@@ -951,6 +951,12 @@ int EccPoint_mult_safer(uECC_word_t * result, const uECC_word_t * point,
 }
 EccPoint_mult(result, point, k2[!carry], initial_Z);
+
+ if (EccPoint_isZero(result, curve)) {
+ r = 0;
+ goto clear_and_out;
+ }
+
 r = 1;
 clear_and_out:
@@ -966,25 +972,7 @@ uECC_word_t EccPoint_compute_public_key(uECC_word_t *result,
 uECC_word_t *private_key,
 uECC_Curve curve)
 {
-
- uECC_word_t tmp1[NUM_ECC_WORDS];
- uECC_word_t tmp2[NUM_ECC_WORDS];
- uECC_word_t *p2[2] = {tmp1, tmp2};
- uECC_word_t carry;
-
- if (curve != uECC_secp256r1())
- return 0;
-
- /* Regularize the bitcount for the private key so that attackers cannot
- * use a side channel attack to learn the number of leading zeros. */
- carry = regularize_k(private_key, tmp1, tmp2);
-
- EccPoint_mult(result, curve->G, p2[!carry], 0);
-
- if (EccPoint_isZero(result, curve)) {
- return 0;
- }
- return 1;
+ return EccPoint_mult_safer(result, curve->G, private_key, curve);
 }
 /* Converts an integer in uECC native format to big-endian bytes. */
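Review bot: The new `EccPoint_isZero()` branch in EccPoint_mult_safer() carries no comment explaining why the point at infinity is treated as a failure; that reasoning exists only in the commit message. I would add `/* The result is never expected to be the point at infinity: report failure */` above the `if`, and have the function's header comment list this as an additional case that returns 0. On this path `result` has already been written by EccPoint_mult() before `goto clear_and_out`, so the documentation should also say that the output must not be used when 0 is returned. The start of the function and the code after `clear_and_out:` are outside the hunk.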
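Review bot: In EccPoint_compute_public_key(), `curve->G` is now evaluated in the argument list with nothing in front of it, because the `curve != uECC_secp256r1()` guard was deleted together with the old body; a NULL or unsupported curve handle that used to yield 0 is now dereferenced before EccPoint_mult_safer() gets a chance to reject it. Keeping `if (curve != uECC_secp256r1()) return 0;` ahead of the `return` preserves the previous contract. Whether EccPoint_mult_safer() validates the curve itself cannot be confirmed from this patch, since its opening lines are outside the first hunk. The removed side-channel comment could be replaced by a short one such as `/* Scalar regularisation and coordinate randomisation are handled by EccPoint_mult_safer() */` so the protection remains visible at this call site.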