Re: [PATCH] crypto: ecc - Optimize vli additive operations using compiler builtins

Next message: Abhishek Bapat: "Re: [PATCH v3 4/6] alloc_tag: add accuracy based filtering to ioctl"
Previous message: Guenter Roeck: "Re: [PATCH 2/5] hwmon: (cros_ec) Prepare the addition of custom groups"
In reply to: Stefan Berger: "Re: [PATCH] crypto: ecc - Optimize vli additive operations using compiler builtins"
Next in thread: Stefan Berger: "Re: [PATCH] crypto: ecc - Optimize vli additive operations using compiler builtins"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Fabian

Date: Tue Jun 09 2026 - 16:54:05 EST

On Tue, 9 Jun 2026 at 20:58, Stefan Berger <stefanb@xxxxxxxxxxxxx> wrote:
>
>
>
> On 6/7/26 7:24 AM, Fabian Blatter wrote:
> > Replace the software carry flag emulation with compiler builtins.
> >
> > Even the newest compilers struggle with taking advantage of the
> > hardware carry flag. Compiler builtins allow the compiler to
> > much more easily achieve this while still remaining constant-time.
>
> It looks like you made vli_usub and vli_uadd constant-time now because
> otherwise the loops could be ended early once borrow == 0 or carry == 0
> respectively. Are all the other functions that operate on the private
> keys constant-time?
>

Thanks for the reply,

My primary goal with this patch was performance optimization.
I did not add early exiting because the original version didn't either.

To answer your question: No, some other functions in ecc.c
are not constant-time. For example, vli_is_zero and vli_cmp both
contain early exits.

My patch does remove the branches in the inner loop,
however, the original ones were already constant-time in practice,
because the compiler replaces the branches with cmov's.

I am happy to make any changes to this patch if you like.
I could also look into making `vli_cmp` and `vli_is_zero`,
or others constant-time in a future patch.