From 337b29c3345201e7556d6f3718b189e65a4298fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= <mpg@elzevir.fr>
Date: Sat, 7 Sep 2013 11:52:27 +0200
Subject: [PATCH] Test and document EC blinding overhead

---
 include/polarssl/ecp.h    |  6 ++++--
 programs/test/ecp-bench.c | 25 ++++++++++++++++++++++++-
 2 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/include/polarssl/ecp.h b/include/polarssl/ecp.h
index 5942231335..31f9e6ddba 100644
--- a/include/polarssl/ecp.h
+++ b/include/polarssl/ecp.h
@@ -427,8 +427,10 @@ int ecp_sub( const ecp_group *grp, ecp_point *R,
  * \note            If f_rng is not NULL, it is used to randomize projective
  *                  coordinates of indermediate results, in order to prevent
  *                  more elaborate timing attacks relying on intermediate
- *                  operations. (This is a prophylactic measure since so such
- *                  attack has been published yet.)
+ *                  operations. (This is a prophylactic measure since no such
+ *                  attack has been published yet.) Since this contermeasure
+ *                  has very low overhead, it is recommended to always provide
+ *                  a non-NULL f_rng parameter when using secret inputs.
  */
 int ecp_mul( const ecp_group *grp, ecp_point *R,
              const mpi *m, const ecp_point *P,
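Review bot: The recommendation added to the ecp_mul note asks only for a non-NULL f_rng and says nothing about its quality. Randomizing projective coordinates helps only if the values are unpredictable to an attacker, so a caller could pass a weak generator and gain little protection. I would append a sentence such as `f_rng should be a cryptographically secure RNG (e.g. a properly seeded DRBG).` Separately, "contermeasure" in the added text should read "countermeasure", and "indermediate" on the context line above is also a typo. The comment block and the ecp_mul prototype both extend outside this hunk.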
diff --git a/programs/test/ecp-bench.c b/programs/test/ecp-bench.c
index e200c42677..923111876a 100644
--- a/programs/test/ecp-bench.c
+++ b/programs/test/ecp-bench.c
@@ -28,6 +28,29 @@ int main( int argc, char *argv[] )
 
 #else
 
+static int myrand( void *rng_state, unsigned char *output, size_t len )
+{
+    size_t use_len;
+    int rnd;
+
+    if( rng_state != NULL )
+        rng_state  = NULL;
+
+    while( len > 0 )
+    {
+        use_len = len;
+        if( use_len > sizeof(int) )
+            use_len = sizeof(int);
+
+        rnd = rand();
+        memcpy( output, &rnd, use_len );
+        output += use_len;
+        len -= use_len;
+    }
+
+    return( 0 );
+}
+
 static void dhm_bench_case( const char *s, const char *p,
                             const char *g, const char *x )
 {
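Review bot: myrand is built on rand(), which is predictable, and nothing in the function marks it as unsuitable outside the benchmark. Since test programs get copied, add a comment above it such as `/* Benchmark only: rand() is not a CSPRNG, never pass this as f_rng with real secrets */`. Because rand() is likely far cheaper than a real DRBG, the mul/s figure from the `ecp_mul( ..., myrand, NULL )` call in ecp_bench_case probably understates the blinding cost with a production RNG. That call also replaces the NULL case instead of running beside it, so one run cannot show the overhead that the ecp.h note calls "very low". The `if( rng_state != NULL ) rng_state = NULL;` lines only silence an unused-parameter warning and would read more clearly as `(void) rng_state;`.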
@@ -161,7 +184,7 @@ static void ecp_bench_case( size_t dp, const char *s, const char *m )
     set_alarm( 3 );
 
     for( i = 1; ! alarmed; i++ )
-        ecp_mul( &grp, &R, &M, &grp.G, NULL, NULL );
+        ecp_mul( &grp, &R, &M, &grp.G, myrand, NULL );
 
     printf( "%9lu mul/s\n", i / 3 );