@@ -197,9 +197,32 @@ static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp25
197197 /* Gather the mask(block)-selected bits of d into bits. They're packed:
198198 * bits[tooth] = d[(block*COMB_TEETH + tooth)*COMB_SPACING + comb_off]. */
199199 uint32_t bits = 0 , sign , abs , index , tooth ;
200+ /* Instead of reading individual bits here to construct the bits variable,
201+ * build up the result by xoring rotated reads together. In every iteration,
202+ * one additional bit is made correct, starting at the bottom. The bits
203+ * above that contain junk. This reduces leakage by avoiding computations
204+ * on variables that can have only a low number of possible values (e.g.,
205+ * just two values when reading a single bit into a variable.) See:
206+ * https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-alam.pdf
207+ */
200208 for (tooth = 0 ; tooth < COMB_TEETH ; ++ tooth ) {
201- uint32_t bit = (recoded [bit_pos >> 5 ] >> (bit_pos & 0x1f )) & 1 ;
202- bits |= bit << tooth ;
209+ /* Construct bitdata s.t. the bottom bit is the bit we'd like to read.
210+ *
211+ * We could just set bitdata = recoded[bit_pos >> 5] >> (bit_pos & 0x1f)
212+ * but this would simply discard the bits that fall off at the bottom,
213+ * and thus, for example, bitdata could still have only two values if we
214+ * happen to shift by exactly 31 positions. We use a rotation instead,
215+ * which ensures that bitdata doesn't lose entropy. This relies on the
216+ * rotation being atomic, i.e., the compiler emitting an actual rot
217+ * instruction. */
218+ uint32_t bitdata = secp256k1_rotr32 (recoded [bit_pos >> 5 ], bit_pos & 0x1f );
219+
220+ /* Clear the bit at position tooth, but sssh, don't tell clang. */
221+ uint32_t volatile vmask = ~(1 << tooth );
222+ bits &= vmask ;
223+
224+ /* Write the bit into position tooth (and junk into higher bits). */
225+ bits ^= bitdata << tooth ;
203226 bit_pos += COMB_SPACING ;
204227 }
205228
0 commit comments