Backport hfilali to earlgrey 1.0.0 #28434
Merged: timothytrippel merged 34 commits into lowRISC:earlgrey_1.0.0 from h-filali:backport-hfilali-to-earlgrey_1.0.0 on Oct 15, 2025
+2,442 −1,374
Conversation
becb4d6 to 2d4d1be
nasahlpa approved these changes on Oct 9, 2025
Thanks Hakim, all the tests in sw/device/tests/crypto/crypotest pass.
This commit adds is-on-curve checks each time scalar_mult_int is executed. This serves as an FI countermeasure. In case a fault is injected to get an invalid point such that the secret can be leaked, this will be caught by the is-on-curve check. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit 22d99a4)
This commit adds instruction count checks to ECC functions that run in constant time. This helps protect against fault injection. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit b6300df)
This commit adds an is-on-curve check to the base point multiplication after the multiplication is done. This validates that the product is still on the curve and acts as a fault injection countermeasure. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit 986e27d)
Signed-off-by: Hakim Filali <[email protected]>
Signed-off-by: Hakim Filali <[email protected]>
This commit adds a new procedure that does an is-on-curve check on projective coordinates for p256. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit 4c68fa9)
This commit adds the new is-on-curve check to the shared keygen function after the scalar multiplication as an FI countermeasure. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit cc56065)
Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit 5788aa2)
This commit adds the existing affine is-on-curve check to base point multiplications in ECDSA. This is done as an FI countermeasure. This commit also adds a wrapper function that does the comparison between the right-hand and the left-hand side of the result of the is-on-curve check. This way we save some IMEM. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit 8237f51)
This commit adds a new procedure that does an is-on-curve check on projective coordinates for p384. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit a22f9f7)
This commit uses the new projective is-on-curve check routine to check whether the results of the scalar multiplications for ECDH are still on the p384 curve. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit bb4818b)
Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit 0685dc0)
After two PRs were merged at the same time, the instruction time check didn't check for the correct value any more. This commit fixes that issue. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit eff223f)
Avoid potential horizontal SCA issue in P256 scalar multiplication based on code review. Avoid that source and dest of one case in BN.SEL use the same value by presetting with randomness. Re-order code to randomize destination of (first) BN.SEL before 1st use. Typos and minor edits of comments in P256 scalar mult. Signed-off-by: Johann Heyszl <[email protected]> (cherry picked from commit 17586fbe367a3d598aa5490200f6d4c3458f5b4c)
This commit adds blinding for the secret scalar d each time before a scalar multiplication is performed. This is done as an SCA countermeasure. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit c7726c9)
Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit a3817ac)
This commit adds mask refreshing before the secret scalar is used for the p256 sign algorithm. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit c88d89c)
Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit c2e7296)
This commit adds a new internal point multiplication which refreshes the blinding on the secret scalar and also extends the number of blinding bits as an SCA countermeasure. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit ca59a7d)
This commit adds a new test for the internal multiplication, since the scalar_mult_test will be using the blinded version of the internal multiplication and will thus no longer test the basic internal multiplication, which is still needed for the sign algorithm. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit 9c26142)
This commit changes all point multiplications which use the secret key scalar d to now use the new point multiplication with additional blinding bits and blinding refreshing. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit 13323b5)
The preceding commits overflow the memory. For this reason, this commit moves all the memory variables into a single file to avoid this issue. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit e132285)
Most of the tests have to be moved to the hjson framework since the variables have been moved to a single memory file. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit 3ad4a52)
Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit 585e1c3)
This commit adds remasking of the secret key scalar each time the sign routine is executed. This is added as a countermeasure against SCA. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit d7453a5)
Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit 882630f)
This commit changes all the instructions in the p384 library that violate rules 6 and 7 related to bn.sel instructions. The destination register should not match any of the source registers. The two source registers can't be two shares of the same secret. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit 9e1eb86)
This commit changes all the instructions in the p384 library that violate rule 8 related to bn.mulqacc instructions. After executing a mulqacc instruction on a secret, the accumulation register and the flags need to be cleared. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit e7faf36)
…/sub This commit changes all the instructions in the p384 library that violate rule 5 or 9 related to bn.add and bn.sub instructions. After executing a bn.add or bn.sub instruction, some sensitive state can remain in the flags. For this reason we need to be careful with these instructions and clear the flags in case they can contain sensitive data. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit c6390ae)
This commit changes all the instructions in the p384 library that violate rules 1-4 related to the handling of shares. Shares of the same secret should not:
- be in different parts of the same reg
- be accessed in consecutive instructions
- be accessed in the same instruction
- overwrite each other
In some parts of the p384 library the shares are combined and some of these rules are violated by necessity. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit 89e99eb)
Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit 002fc75)
This commit pads the secret scalar with randomness instead of zeros for the scalar point multiplication of p384. Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit 01ee97e)
Signed-off-by: Hakim Filali <[email protected]> (cherry picked from commit b117008)
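As an added example that is not part of this PR or of the OTBN cryptolib, the following plain-Python model shows two of the countermeasures the commits above describe for P-256: the is-on-curve check in projective (Jacobian) coordinates, which rejects a point corrupted by a fault, and blinding of the secret scalar as d + r*n, which yields the same product as d. The curve constants are the standard NIST P-256 parameters; the point arithmetic, the simulated fault (one flipped bit of X) and the test scalar are constructed for this example.

```python
# Added example (not OTBN/OpenTitan code): plain-Python model of two P-256
# countermeasures from the commits above. An is-on-curve check in Jacobian
# coordinates rejects a point corrupted by a fault, and the blinded scalar
# d + r*n yields the same product as d, so blinding costs no correctness.
import secrets

# NIST P-256: y^2 = x^3 + a*x + b over GF(p); base point G has prime order n.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

def on_curve_jacobian(pt):
    """Projective check: Y^2 == X^3 + a*X*Z^4 + b*Z^6 (mod p); Z=1 is the affine case."""
    x, y, z = pt
    return (y * y - (x**3 + A * x * pow(z, 4, P) + B * pow(z, 6, P))) % P == 0

def add(p1, p2):
    """Affine add/double; None is the point at infinity. Reference only, not constant time."""
    if p1 is None: return p2
    if p2 is None: return p1
    x1, y1 = p1; x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if p1 == p2: lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else: lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, pt):
    """Left-to-right double-and-add over the bits of k."""
    acc = None
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == '1': acc = add(acc, pt)
    return acc

def blind_scalar(d, rand_bits=64):
    """d + r*n with fresh randomness r: same point, different bit pattern each call."""
    return d + secrets.randbits(rand_bits) * N

def fault_detected(pt, z):
    """Lift affine pt to Jacobian with scale z, flip one bit of X (constructed
    fault) and report whether the projective check accepts the good point and
    rejects the faulted one."""
    x, y = pt
    jac = (x * z * z % P, y * pow(z, 3, P) % P, z % P)
    faulted = (jac[0] ^ 1, jac[1], jac[2])
    return on_curve_jacobian(jac) and not on_curve_jacobian(faulted)
```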
2d4d1be to 1230f2e
timothytrippel approved these changes on Oct 15, 2025
Merged 806d853 into lowRISC:earlgrey_1.0.0. 64 of 66 checks passed.
This PR is a backport to earlgrey 1.0.0 of my cryptolib PRs that require manual intervention.
This PR is based on @nasahlpa's backport PR #28433.