diff options
| author | Jeffrey Walton <noloader@gmail.com> | 2019-08-05 03:51:58 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-08-05 03:51:58 -0400 |
| commit | c9ef9420e762b91cc06463d349cf06e04c749b9d (patch) | |
| tree | 69a074fcf855a9f8b04d12b359904217e9ea618f /ecp.h | |
| parent | b3eb4c6a690d6dfb342856f2a66a71dcec8c429b (diff) | |
| download | cryptopp-git-c9ef9420e762b91cc06463d349cf06e04c749b9d.tar.gz | |
Fix ECP leakage in Add() and Double() (GH #869, PR #871)
This check-in provides the fix for leaks in ECP's Add() and Double(). The fixes were taken from Joost Renes, Craig Costello, and Lejla Batina's [Complete addition formulas for prime order elliptic curves](https://eprint.iacr.org/2015/1060.pdf).
The Pull Request includes two additional changes that were related to testing the primary fix. First, an `AuthenticatedKeyAgreementWithRolesValidate` interface was added. It allows us to test key agreement when roles are involved. Roles are "client", "server", "initiator", "recipient", etc.
Second, `SetGlobalSeed` was added to `test.cpp` to help with reproducible results. We had code in two different places that set the seed value for the random number generator. But it was sloppy and doing a poor job since results could not be reproduced under some circumstances.
Diffstat (limited to 'ecp.h')
| -rw-r--r-- | ecp.h | 36 |
1 files changed, 36 insertions, 0 deletions
@@ -106,6 +106,42 @@ public: bool operator==(const ECP &rhs) const
{return GetField() == rhs.GetField() && m_a == rhs.m_a && m_b == rhs.m_b;}
+protected:
+ /// \brief Addition and Double functions
+ /// \sa <A HREF="https://eprint.iacr.org/2015/1060.pdf">Complete
+ /// addition formulas for prime order elliptic curves</A>
+ class AdditionFunction
+ {
+ public:
+ explicit AdditionFunction(const ECP& ecp);
+ // Double(P)
+ Point operator()(const Point& P) const;
+ // Add(P, Q)
+ Point operator()(const Point& P, const Point& Q) const;
+
+ protected:
+ /// \brief Parameters and representation for Addition
+ /// \details Addition and Doubling will use different algorithms,
+ /// depending on the <tt>A</tt> coefficient and the representation
+ /// (Affine or Montgomery with precomputation).
+ enum Alpha {
+ /// \brief Coefficient A is 0
+ A_0=1,
+ /// \brief Coefficient A is -3
+ A_3=2,
+ /// \brief Coefficient A is arbitrary
+ A_Star=4,
+ /// \brief Representation is Montgomery
+ A_Montgomery=8
+ };
+
+ const ECP& m_ecp;
+ Alpha m_alpha;
+
+ private:
+ AdditionFunction(const AdditionFunction&);
+ };
+
private:
clonable_ptr<Field> m_fieldPtr;
FieldElement m_a, m_b;
|