
johannheyszl
Contributor

@johannheyszl johannheyszl commented Jul 30, 2025

Avoid potential horizontal SCA issue in P256 scalar multiplication based on code review. Avoid that source and dest of one case in BN.SEL use the same value by presetting with randomness.

Runtime overhead +3*320 instructions = very low.
Codesize overhead +3 instructions = very low.

Avoid potential horizontal SCA issue in P256 scalar multiplication based on code review. Avoid that source and dest of one case in BN.SEL use the same value by presetting with randomness. Re-order code to randomize destination of (first) BN.SEL before 1st use.

Typos and minor edits of comments in P256 scalar mult.

Signed-off-by: Johann Heyszl <[email protected]>
@johannheyszl johannheyszl force-pushed the fixSCAinP256exponentiationloop branch from 6978fad to 7df9b56 Compare July 30, 2025 20:31
@johannheyszl johannheyszl marked this pull request as ready for review August 6, 2025 12:12

@h-filali h-filali left a comment


Thanks, LGTM!

I think the initialization of the registers with randomness in this PR is absolutely necessary. Otherwise, the transient leakage from overwriting regs with the same value vs a new value could potentially leak the value of the OR/XOR result.
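
The rationale given in the PR description and in the comment above, as an added illustration that is not part of the PR or of the OTBN code: a simplified Hamming-distance leakage model of a BN.SEL write, showing why rewriting a register with the value it already holds is distinguishable from a single trace, and why presetting the destination with randomness removes that difference. All register values are constructed, and the function names (`bn_sel_leak`, `classifier_accuracy`, ...) are assumptions of this example.

```python
import random

WORD_BITS = 256  # OTBN wide data registers are 256 bits wide

def hamming_weight(x: int) -> int:
    return bin(x).count("1")

def bn_sel_leak(dest_old: int, src_a: int, src_b: int, flag: int):
    """Simplified model of a BN.SEL write: the destination register is
    overwritten with src_b if flag is set, else with src_a. Under a
    Hamming-distance model the write leaks HW(old value XOR new value)."""
    new = src_b if flag else src_a
    return new, hamming_weight(dest_old ^ new)

def leak_without_preset(src_a: int, src_b: int, flag: int) -> int:
    # Unprotected pattern: dest already holds src_a, so the flag == 0 case
    # rewrites the register with the value it already contains (zero toggles).
    _, leak = bn_sel_leak(src_a, src_a, src_b, flag)
    return leak

def leak_with_preset(src_a: int, src_b: int, flag: int, randbits) -> int:
    # Mitigated pattern from the PR: dest is preset with fresh randomness
    # before the select, so both cases toggle a random number of bits.
    r = randbits(WORD_BITS)
    _, leak = bn_sel_leak(r, src_a, src_b, flag)
    return leak

def classify_flag(leak: int) -> int:
    """Single-trace (horizontal) distinguisher: a zero-transition write means
    the register kept its old value, i.e. the flag selected src_a."""
    return 0 if leak == 0 else 1

def classifier_accuracy(src_a: int, src_b: int, protected: bool,
                        trials: int = 2000, seed: int = 1) -> float:
    """Fraction of trials in which classify_flag recovers the secret flag."""
    rng = random.Random(seed)  # seeded so the simulation is reproducible
    hits = 0
    for _ in range(trials):
        flag = rng.getrandbits(1)
        if protected:
            leak = leak_with_preset(src_a, src_b, flag, rng.getrandbits)
        else:
            leak = leak_without_preset(src_a, src_b, flag)
        hits += int(classify_flag(leak) == flag)
    return hits / trials

# Constructed sample operands (not values from the real scalar multiplication).
SRC_A = 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
SRC_B = 0xFEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210
```

Calling `classifier_accuracy(SRC_A, SRC_B, protected=False)` returns 1.0 (the flag is read off every write), while `protected=True` drops the distinguisher to roughly the 0.5 of a coin flip.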


@andrea-caforio andrea-caforio left a comment


Looks sound. Thank you @johannheyszl


@andreaskurth andreaskurth left a comment


LGTM, thanks @johannheyszl

@andreaskurth
Contributor

Closing and re-opening to enable merge queue for this PR (which was created before MQs were enabled -- see Slack)

@andreaskurth andreaskurth reopened this Aug 7, 2025
@andreaskurth andreaskurth enabled auto-merge August 7, 2025 15:24
@andreaskurth andreaskurth added this pull request to the merge queue Aug 7, 2025
Merged via the queue into lowRISC:master with commit 17587fb Aug 7, 2025
69 of 79 checks passed
@h-filali h-filali added the CherryPick:earlgrey_1.0.0 This PR should be cherry-picked to earlgrey_1.0.0 label Oct 6, 2025

lowrisc-ci bot commented Oct 6, 2025
