[openssl-dev] Constant Time Conversion of Bytes to P521 Multiplier

Nathaniel McCallum npmccallum at redhat.com
Mon Dec 12 21:24:43 UTC 2016


I'm working on a draft[0] and an implementation[1] of a protocol using
elliptic curves. As part of this draft, we need to convert a byte
array to a multiplier. This byte array is a private long-term key.

Specifically of concern is this comment:

https://github.com/openssl/openssl/blob/master/crypto/ec/ecp_nistp521.c#L1947

In the case where the multiplier is converted from 66 random bytes to
a P-521 multiplier, it is extremely likely that the multiplier will be
greater than the order. Can we achieve constant time by calling
BN_set_flags(multiplier, BN_FLG_CONSTTIME) followed by
BN_mod(multiplier, group->order) before calling EC_POINT_mul()? If
not, is there another way to do this?

[0] - https://tools.ietf.org/html/draft-mccallum-kitten-krb-spake-preauth-00
[1] - https://github.com/greghudson/krb5/tree/spake
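
Added example for this question; it is not code from the post, from OpenSSL, or from the krb5 SPAKE branch. It models in Python the scalar preparation being asked about: it computes exactly how often 66 random bytes land in the case the ecp_nistp521.c comment covers (a value with more than 521 bits, or at least the group order), reduces the value mod n with a fixed number of mask-based conditional subtractions rather than a value-dependent branch, and then lifts the reduced scalar to a 522-bit value congruent to it mod n, a separate trick (not mentioned in the post) that stops a bit-length-dependent ladder from leaking how large the scalar is. Python integers are not constant time; what the block shows is the structure a C implementation would copy. The only curve constant it uses is the P-521 group order as listed in FIPS 186-4 / SEC 2, transcribed here and to be checked against the standard; ct_reduce, fixed_length_scalar and the other names are this example's own.

```python
# Added example, not from the original post or the krb5 SPAKE code.
# Models constant-time preparation of a P-521 multiplier from 66 private bytes.
# Python ints are NOT constant time; the structure (fixed iteration count,
# mask-based selection, no early exit) is what a C version would replicate.
from fractions import Fraction
import secrets

# P-521 group order n (FIPS 186-4 / SEC 2, cofactor 1). Built as
# "01" + 65 hex F's + the low 260 bits; bit_length() == 521 checks the count.
P521_ORDER = int(
    "01" + "F" * 65
    + "A51868783BF2F966B7FCC0148F709A5D03BB5C9B8899C47AEBB6FB71E91386409", 16)

WIDTH = 528                       # 66 bytes, the width of the private value
WMASK = (1 << WIDTH) - 1
# Largest possible quotient floor((2^528 - 1) / n). Computed, not assumed:
# n > 2^521 - 2^260 makes it exactly 128, so 128 conditional subtractions
# always suffice and the loop count never depends on the secret.
MAX_QUOTIENT = ((1 << WIDTH) - 1) // P521_ORDER


def fraction_needing_reduction():
    """Exact fractions of 66-byte values that (a) are >= n and (b) have more
    than 521 bits. (b) is exactly 1 - 2^-7; (a) is very slightly larger."""
    total = 1 << WIDTH
    ge_order = Fraction(total - P521_ORDER, total)
    over_521_bits = Fraction(total - (1 << 521), total)
    return ge_order, over_521_bits


def ct_reduce(k):
    """Return k mod n for 0 <= k < 2^528 using a fixed number of mask-based
    conditional subtractions instead of a secret-dependent branch."""
    for _ in range(MAX_QUOTIENT):
        t = k - P521_ORDER + (1 << WIDTH)   # k - n, biased so it never goes negative
        borrow = 1 - (t >> WIDTH)            # 1 iff k < n (the subtraction borrowed)
        keep = (-borrow) & WMASK             # all-ones iff k < n, else zero
        # keep k when it was already below n, otherwise take k - n
        k = (k & keep) | (t & WMASK & ~keep)
    return k


def bytes_to_scalar(kbytes):
    """Big-endian conversion (what BN_bin2bn does) followed by the reduction."""
    if len(kbytes) != 66:
        raise ValueError("expected a 66-byte private value")
    return ct_reduce(int.from_bytes(kbytes, "big"))


def fixed_length_scalar(k):
    """Map a reduced scalar k in [0, n) to k + n or k + 2n, whichever has
    exactly 522 bits. Both are congruent to k mod n, so k*G is unchanged, but a
    ladder whose running time follows the scalar's bit length no longer leaks
    the size of k. The choice is made with a mask, not a branch."""
    a = k + P521_ORDER
    b = k + 2 * P521_ORDER
    top = (a >> 521) & 1                  # 1 iff k + n already has 522 bits
    sel = (-top) & ((1 << 523) - 1)       # all-ones selects a, zero selects b
    return (a & sel) | (b & ~sel)


if __name__ == "__main__":
    ge, over = fraction_needing_reduction()
    print("P(value >= n)        =", float(ge))
    print("P(more than 521 bits)=", float(over))
    priv = secrets.token_bytes(66)        # a fresh random 66-byte private value
    s = bytes_to_scalar(priv)
    assert s == int.from_bytes(priv, "big") % P521_ORDER
    f = fixed_length_scalar(s)
    print("reduced bits:", s.bit_length(), "fixed-length bits:", f.bit_length())
```

The two fractions come out essentially equal (0.9921875 plus a term around 2^-269), which is why a 66-byte key almost always takes the path the linked comment warns about. On the OpenSSL side, BN_mod() is a macro for BN_div() with a NULL quotient, and BN_div() switches to its branch-free ("no_branch") code when either the dividend or the divisor carries BN_FLG_CONSTTIME, so a flag set on the multiplier does reach the division; whether that is enough for the rest of the EC_POINT_mul() path is the question the thread leaves open.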

