libmpa: Implement Montgomery ladder
The mpa_exp_mod() function implements a LtoR algorithm. The LtoR algorithm is sensitive to timing attacks since it leaks information about the exponent since it's doing a different amount of work in each loop when doing the modular exponentiation. It will always do a square in each loop, but it will also do an additional multiply when the exponent bit k=1.

This patch implements the Montgomery ladder (and thereby replaces the old LtoR implementation), which always does the same amount of operations in each loop and thereby makes it more robust to timing attacks.

Fixes: OP-TEE-2016-0002 which was reported by Applus+ Laboratories.

Signed-off-by: Joakim Bech <email@example.com>
Acked-by: Jerome Forissier <firstname.lastname@example.org>
Acked-by: Jens Wiklander <email@example.com>
Acked-by: Etienne Carriere <firstname.lastname@example.org>
Tested-by: Jerome Forissier <email@example.com> (HiKey, GP)
Tested-by: Etienne Carriere <firstname.lastname@example.org> (b2260, GP)
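
The difference the commit message describes can be seen by counting modular multiplications for two exponents of the same length. The following is an added example, not code from libmpa or from this patch: it uses 64-bit integers instead of big numbers, and the names `exp_ltor`, `exp_ladder`, `cswap`, `ops_ltor` and `ops_ladder`, the base 3 and the modulus 1000003 are all constructed for illustration. It counts operations rather than measuring time, and the branch-free swap is one common way to write the ladder, not necessarily the one the patch uses.

```c
#include <stdint.h>

static unsigned long op_count; /* modular multiplications performed */

/* Constructed toy arithmetic: m must be below 2^32 so a * b fits in 64 bits. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    op_count++;
    return (a * b) % m;
}

/* Left-to-right square-and-multiply: the extra multiply runs only for 1 bits. */
uint64_t exp_ltor(uint64_t base, uint64_t exp, uint64_t m, int bits)
{
    uint64_t r = 1 % m;
    for (int i = bits - 1; i >= 0; i--) {
        r = mulmod(r, r, m);
        if ((exp >> i) & 1)
            r = mulmod(r, base % m, m);
    }
    return r;
}

/* Branch-free conditional swap, so the exponent bit selects no code path. */
static void cswap(uint64_t *a, uint64_t *b, uint64_t bit)
{
    uint64_t t = (*a ^ *b) & (0 - bit);
    *a ^= t; *b ^= t;
}

/* Montgomery ladder: exactly one multiply and one square for every bit. */
uint64_t exp_ladder(uint64_t base, uint64_t exp, uint64_t m, int bits)
{
    uint64_t r0 = 1 % m, r1 = base % m;
    for (int i = bits - 1; i >= 0; i--) {
        uint64_t b = (exp >> i) & 1;
        cswap(&r0, &r1, b);          /* bit 1: work on (r1, r0) instead */
        r1 = mulmod(r0, r1, m);
        r0 = mulmod(r0, r0, m);
        cswap(&r0, &r1, b);
    }
    return r0;
}

/* 16-bit exponents: LtoR costs 18 (0x8001) vs 32 (0xFFFF); the ladder costs 32 for both. */
unsigned long ops_ltor(uint64_t e)   { op_count = 0; exp_ltor(3, e, 1000003, 16);   return op_count; }
unsigned long ops_ladder(uint64_t e) { op_count = 0; exp_ladder(3, e, 1000003, 16); return op_count; }

int main(void) { return ops_ladder(0x8001) != ops_ladder(0xFFFF); }
```

In the left-to-right routine the operation count tracks the Hamming weight of the exponent, which is the quantity a timing measurement exposes; in the ladder it depends only on the exponent length.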