Make ge25519_cmove_stride4b constant time #4428
Conversation
|
|
I also checked the binary of the core firmware ( |
onvej-sl
requested review from
mmilata
and removed request for
prusnak and
andrewkozlik
| const long mask_y = -flag; | ||
| const long mask_x = ~mask_y; | ||
|
|
||
| // x = flag ? y : x | ||
| x0 = (y0 & mask_y) | (x0 & mask_x); | ||
| x1 = (y1 & mask_y) | (x1 & mask_x); | ||
| x2 = (y2 & mask_y) | (x2 & mask_x); | ||
| x3 = (y3 & mask_y) | (x3 & mask_x); |
There was a problem hiding this comment.
Looking at this I feel a little uneasy about the bitwise operations on signed integers, but it's probably correct.
There was a problem hiding this comment.
That's a good point. I think we can use unsigned long instead of long.
|
Thanks for looking into this!
Doesn't it slow ed25519 signing/verification though? The "old" assembly listing had If the bitwise version is slower we can only use it for x86_64 and keep the old one for firmware. |
I did a benchmark on trezor T and the times seem to be the same before and after this pull request:
I am not sure how the |
There was a problem hiding this comment.
Feel free to rebase on main and merge, or I can do it once #4374 is merged.
But please fix style first:
crypto/ed25519-donna/ed25519-donna-impl-base.c:
400: Trailing whitespace
403: Trailing whitespace
425: Trailing whitespace
428: Trailing whitespace
7f359b1 to
5cc3849
Compare
This pull request builds on top of #4374, it fixes #4393. I don't know if we want to update the version of gcc once the issue is fixed, so I kept it the same as the version of gcc-arm-embedded. Which means you need to update gcc to version 14 to verify if this pull request indeed resolves the issue.