Test and document EC blinding overhead

include/polarssl/ecp.h

@@ -427,8 +427,10 @@ int ecp_sub( const ecp_group *grp, ecp_point *R,
  * \note            If f_rng is not NULL, it is used to randomize projective
  *                  coordinates of indermediate results, in order to prevent
  *                  more elaborate timing attacks relying on intermediate
- *                  operations. (This is a prophylactic measure since so such
- *                  attack has been published yet.)
+ *                  operations. (This is a prophylactic measure since no such
+ *                  attack has been published yet.) Since this contermeasure
+ *                  has very low overhead, it is recommended to always provide
+ *                  a non-NULL f_rng parameter when using secret inputs.
  */
 int ecp_mul( const ecp_group *grp, ecp_point *R,
              const mpi *m, const ecp_point *P,

programs/test/ecp-bench.c

@@ -28,6 +28,29 @@ int main( int argc, char *argv[] )
 
 #else
 
+static int myrand( void *rng_state, unsigned char *output, size_t len )
+{
+    size_t use_len;
+    int rnd;
+
+    if( rng_state != NULL )
+        rng_state  = NULL;
+
+    while( len > 0 )
+    {
+        use_len = len;
+        if( use_len > sizeof(int) )
+            use_len = sizeof(int);
+
+        rnd = rand();
+        memcpy( output, &rnd, use_len );
+        output += use_len;
+        len -= use_len;
+    }
+
+    return( 0 );
+}
+
 static void dhm_bench_case( const char *s, const char *p,
                             const char *g, const char *x )
 {
@@ -161,7 +184,7 @@ static void ecp_bench_case( size_t dp, const char *s, const char *m )
     set_alarm( 3 );
 
     for( i = 1; ! alarmed; i++ )
-        ecp_mul( &grp, &R, &M, &grp.G, NULL, NULL );
+        ecp_mul( &grp, &R, &M, &grp.G, myrand, NULL );
 
     printf( "%9lu mul/s\n", i / 3 );