Test and document EC blinding overhead
diff --git a/include/polarssl/ecp.h b/include/polarssl/ecp.h
index 5942231..31f9e6d 100644
--- a/include/polarssl/ecp.h
+++ b/include/polarssl/ecp.h
@@ -427,8 +427,10 @@
* \note If f_rng is not NULL, it is used to randomize projective
* coordinates of indermediate results, in order to prevent
* more elaborate timing attacks relying on intermediate
- * operations. (This is a prophylactic measure since so such
- * attack has been published yet.)
+ * operations. (This is a prophylactic measure since no such
+ * attack has been published yet.) Since this contermeasure
+ * has very low overhead, it is recommended to always provide
+ * a non-NULL f_rng parameter when using secret inputs.
*/
int ecp_mul( const ecp_group *grp, ecp_point *R,
const mpi *m, const ecp_point *P,
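Review bot: The rewritten note still ships two spelling errors into the public header: `contermeasure` on the newly added line and `indermediate` in the context line just above it, which should read `countermeasure` and `intermediate`. Since the point of this hunk is to make the recommendation readable to API users, fixing both while the lines are being touched is cheap. The declaration of ecp_mul continues past the end of the hunk.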
diff --git a/programs/test/ecp-bench.c b/programs/test/ecp-bench.c
index e200c42..9231118 100644
--- a/programs/test/ecp-bench.c
+++ b/programs/test/ecp-bench.c
@@ -28,6 +28,29 @@
#else
+static int myrand( void *rng_state, unsigned char *output, size_t len )
+{
+ size_t use_len;
+ int rnd;
+
+ if( rng_state != NULL )
+ rng_state = NULL;
+
+ while( len > 0 )
+ {
+ use_len = len;
+ if( use_len > sizeof(int) )
+ use_len = sizeof(int);
+
+ rnd = rand();
+ memcpy( output, &rnd, use_len );
+ output += use_len;
+ len -= use_len;
+ }
+
+ return( 0 );
+}
+
static void dhm_bench_case( const char *s, const char *p,
const char *g, const char *x )
{
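Review bot: myrand has no comment saying that it is a benchmark-only stand-in built on libc rand(), so a reader may mistake it for an f_rng callback that is acceptable in real code; a header such as `/* Benchmark-only f_rng: uses libc rand() so the cost of coordinate randomization can be timed, not a source of randomness for real use. */` would settle that. The `if( rng_state != NULL ) rng_state = NULL;` pair appears to exist only to silence an unused-parameter warning; the conventional and clearer form is `(void) rng_state;`. The hunk also relies on memcpy and rand, so the file's includes (outside this hunk) presumably already pull in `<string.h>` and `<stdlib.h>`; worth confirming. Finally, the later hunk in this file switches the timed loop to pass myrand unconditionally, so unless another loop outside the hunk still times the NULL case, a single run no longer exposes the overhead that the commit title says it measures; timing both variants side by side would.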
@@ -161,7 +184,7 @@
set_alarm( 3 );
for( i = 1; ! alarmed; i++ )
- ecp_mul( &grp, &R, &M, &grp.G, NULL, NULL );
+ ecp_mul( &grp, &R, &M, &grp.G, myrand, NULL );
printf( "%9lu mul/s\n", i / 3 );