Add implementation note

2024-09-20 10:50:09 +00:00 · 2014-03-27 15:12:21 +09:00 · 2014-03-27 15:12:21 +09:00 · 9c5eb9ea4b
commit 9c5eb9ea4b
parent 356a9cc615
1 changed files with 16 additions and 0 deletions
--- a/src/ecc-edwards.c
+++ b/src/ecc-edwards.c
@ -45,6 +45,22 @@
 *     http://cr.yp.to/papers.html#twisted
 */

+/*
+ * IMPLEMENTATION NOTE
+ *
+ * (0) We assume that the processor has no cache, nor branch target
+ *     prediction.  Thus, we don't avoid indexing by secret value. 
+ *     We don't avoid conditional jump if both cases have same timing,
+ *     either.
+ *
+ * (1) We use Radix-32 field arithmetic.  It's a representation like
+ *     2^256-38, but it's more redundant.  For example, "1" can be
+ *     represented in three ways in 256-bit: 1, 2^255-18, and
+ *     2^256-37.
+ *
+ * (2) We use comb multiplication.
+ */
+
 /*
 * Identity element: (0,1)
 * Negation: -(x,y) = (-x,y)