h-filali
Contributor

This commit pads the secret scalar with randomness instead of zeros
for the scalar point multiplication of p384.

This PR is based on #28210

This commit adds a new internal point multiplication which
refreshes the blinding on the secret scalar and also extends the
number of blinding bits as a SCA countermeasure.

Signed-off-by: Hakim Filali <[email protected]>
This commit adds a new test for the internal
multiplication, since the scalar_mult_test will be using
the blinded version of the internal multiplication and will
thus no longer test the basic internal multiplication which
is still needed for the sign algorithm.

Signed-off-by: Hakim Filali <[email protected]>
This commit changes all point multiplications which use the secret
key scalar d to now use the new point multiplication with additional
blinding bits and blinding refreshing.

Signed-off-by: Hakim Filali <[email protected]>
The preceding commits overflow the memory. For this reason
this commit moves all the memory variables into a single file
to avoid this issue.

Signed-off-by: Hakim Filali <[email protected]>
Most of the tests have to be moved to the hjson framework
since the variables have been moved to a single memory
file.

Signed-off-by: Hakim Filali <[email protected]>
This commit adds remasking of the secret key scalar each time
the sign routine is executed. This is added as a countermeasure
against SCA.

Signed-off-by: Hakim Filali <[email protected]>
This commit changes all the instructions in the p384 library that
violate rules 6 and 7 related to bn.sel instructions.

The destination register should not match any of the source registers.

The two source registers can't be two shares of the same secret.

Signed-off-by: Hakim Filali <[email protected]>
This commit changes all the instructions in the p384 library that
violate rule 8 related to bn.mulqacc instructions.

After executing a mulqacc instruction on a secret, the accumulation
register and the flags need to be cleared.

Signed-off-by: Hakim Filali <[email protected]>
…/sub

This commit changes all the instructions in the p384 library that
violate rule 5 or 9 related to bn.mulqacc instructions.

After executing a bn.add or bn.sub instruction, some sensitive state can
remain in the flags. For this reason we need to be careful with these
instructions and clear the flags in case they can contain sensitive
data.

Signed-off-by: Hakim Filali <[email protected]>
This commit changes all the instructions in the p384 library that
violate rules 1-4 related to the handling of shares.

Shares of the same secret should not be:
- in different parts of the same reg
- accessed in consecutive instructions
- accessed in the same instruction
- overwrite each other

In some parts of the p384 library the shares are combined and some
of these rules are violated by necessity.

Signed-off-by: Hakim Filali <[email protected]>
This commit pads the secret scalar with randomness instead of zeros
for the scalar point multiplication of p384.

Signed-off-by: Hakim Filali <[email protected]>
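An added illustration, not code from this PR or from the OpenTitan p384 library: a pure-Python P-384 model showing why padding the secret scalar with random bits (d + r*n) instead of zeros yields the same point while changing the bit pattern the multiplication consumes, and how an arithmetic sharing of d is remasked with fresh randomness on each use. The affine double-and-add, the `remask`/`blind_scalar` names and `BLIND_BITS = 64` are assumptions for illustration, not the PR's actual parameters.

```python
import secrets

P = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff  # P-384 field prime (FIPS 186-4)
A = P - 3
B = 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef
N = 0xffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973  # group order n
G = (0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7,
     0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f)
BLIND_BITS = 64  # assumption for illustration; the PR's exact bit count is not quoted

def on_curve(pt):
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, width):
    """Fixed-width double-and-add: every one of `width` bits is consumed, so a
    zero-padded scalar leaks a run of add-free steps; random padding does not."""
    acc = None
    for i in range(width - 1, -1, -1):
        acc = add(acc, acc)
        if (k >> i) & 1:
            acc = add(acc, G)
    return acc

def blind_scalar(d):
    """d + r*n for fresh random r: same point as d*G since n*G == O, but the
    padding bits above 384 are random and re-drawn on every call."""
    r = secrets.randbits(BLIND_BITS)
    return d + r * N

def remask(d0, d1):
    """Refresh an arithmetic sharing d == d0 + d1 (mod n) with fresh randomness."""
    m = secrets.randbelow(N)
    return (d0 + m) % N, (d1 - m) % N
```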
h-filali requested a review from a team as a code owner September 12, 2025 09:12
h-filali requested review from engdoreis and removed request for a team September 12, 2025 09:12