Skip to content

Commit 2390aa9

Browse files
randombitrandombit
committed
Embrace variable time behavior in vartime_divide
Historically this function made some attempts to be constant-time-ish (despite not being constant time at all), largely because it was the only implemented division algorithm. Now we have dedicated constant time division algorithms which are used for secret data; we can readily assume the inputs to vartime_divide are public.
1 parent cccc958 commit 2390aa9

File tree

1 file changed

+24
-16
lines changed

1 file changed

+24
-16
lines changed

src/lib/math/bigint/divide.cpp

+24-16
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,7 @@ void sign_fixup(const BigInt& x, const BigInt& y, BigInt& q, BigInt& r) {
2727
}
2828
}
2929

30-
inline bool division_check(word q, word y2, word y1, word x3, word x2, word x1) {
30+
inline bool division_check_vartime(word q, word y2, word y1, word x3, word x2, word x1) {
3131
/*
3232
Compute (y3,y2,y1) = (y2,y1) * q
3333
and return true if (y3,y2,y1) > (x3,x2,x1)
@@ -37,10 +37,13 @@ inline bool division_check(word q, word y2, word y1, word x3, word x2, word x1)
3737
y1 = word_madd2(q, y1, &y3);
3838
y2 = word_madd2(q, y2, &y3);
3939

40-
const word x[3] = {x1, x2, x3};
41-
const word y[3] = {y1, y2, y3};
42-
43-
return bigint_ct_is_lt(x, 3, y, 3).as_bool();
40+
if(x3 != y3) {
41+
return (y3 > x3);
42+
}
43+
if(x2 != y2) {
44+
return (y2 > x2);
45+
}
46+
return (y1 > x1);
4447
}
4548

4649
} // namespace
@@ -245,8 +248,10 @@ void vartime_divide(const BigInt& x, const BigInt& y_arg, BigInt& q_out, BigInt&
245248
// Calculate shifts needed to normalize y with high bit set
246249
const size_t shifts = y.top_bits_free();
247250

248-
y <<= shifts;
249-
r <<= shifts;
251+
if(shifts > 0) {
252+
y <<= shifts;
253+
r <<= shifts;
254+
}
250255

251256
// we know y has not changed size, since we only shifted up to set high bit
252257
const size_t t = y_words - 1;
@@ -272,27 +277,30 @@ void vartime_divide(const BigInt& x, const BigInt& y_arg, BigInt& q_out, BigInt&
272277
const word x_j1 = r.word_at(j - 1);
273278
const word x_j2 = r.word_at(j - 2);
274279

275-
word qjt = bigint_divop_vartime(x_j0, x_j1, y_t0);
276-
277-
qjt = CT::Mask<word>::is_equal(x_j0, y_t0).select(WordInfo<word>::max, qjt);
280+
word qjt = (x_j0 == y_t0) ? WordInfo<word>::max : bigint_divop_vartime(x_j0, x_j1, y_t0);
278281

279282
// Per HAC 14.23, this operation is required at most twice
280-
qjt -= division_check(qjt, y_t0, y_t1, x_j0, x_j1, x_j2);
281-
qjt -= division_check(qjt, y_t0, y_t1, x_j0, x_j1, x_j2);
282-
BOTAN_DEBUG_ASSERT(division_check(qjt, y_t0, y_t1, x_j0, x_j1, x_j2) == false);
283+
while(division_check_vartime(qjt, y_t0, y_t1, x_j0, x_j1, x_j2)) {
284+
qjt--;
285+
}
283286

284287
shifted_y >>= WordInfo<word>::bits;
285288
// Now shifted_y == y << (WordInfo<word>::bits * (j-t-1))
286289

287290
// TODO this sequence could be better
288291
r -= qjt * shifted_y;
289-
qjt -= r.is_negative();
290-
r += static_cast<word>(r.is_negative()) * shifted_y;
292+
if(r.is_negative()) {
293+
qjt--;
294+
r += shifted_y;
295+
BOTAN_DEBUG_ASSERT(r.is_positive());
296+
}
291297

292298
q_words[j - t - 1] = qjt;
293299
}
294300

295-
r >>= shifts;
301+
if(shifts > 0) {
302+
r >>= shifts;
303+
}
296304

297305
sign_fixup(x, y_arg, q, r);
298306

0 commit comments

Comments
 (0)