Non-constant time `cmov` in P256

Question

Non-constant time `cmov` in P256

Sc00bz opened this issue 3 years ago · 3 comments

You should use something like what curve25519_dalek uses:
https://doc.dalek.rs/subtle/trait.ConditionallySelectable.html#method.conditional_assign
https://github.com/novifinancial/opaque-ke/blob/d1dfee9a6545d7dfddc6dd94f985f31b3221c54e/src/group/p256.rs#L327-L333

Answer 1 · 2021-09-24T14:18:36.000Z

Do you have any suggestion on how to fix this? Because ConditionallySelectable isn't implemented for BigInt.

Answer 2 · 2021-09-27T00:23:30.000Z

Hmm well easiest conceptually is convert to arrays of 32 bytes, do bit select, and convert back. Oh wait I think because it's a bool it might compile to a branch. You might need to replace the bool stuff with an int of 0 or 1. Then you can use the int like selector = -b then do bit select ret_bytes[i] = x_bytes[i] ^ (selector & (x_bytes[i] ^ y_bytes[i])).

Side note I'm not sure how constant time big ints are. So even doing this might not be constant time, but it will be closer.

Answer 3 · 2021-09-27T08:12:15.000Z

Would you mind making a PR?