2014-06-20 20:00:00 +01:00
|
|
|
/* Originally written by Bodo Moeller for the OpenSSL project.
|
|
|
|
* ====================================================================
|
|
|
|
* Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
*
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
*
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in
|
|
|
|
* the documentation and/or other materials provided with the
|
|
|
|
* distribution.
|
|
|
|
*
|
|
|
|
* 3. All advertising materials mentioning features or use of this
|
|
|
|
* software must display the following acknowledgment:
|
|
|
|
* "This product includes software developed by the OpenSSL Project
|
|
|
|
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
|
|
|
|
*
|
|
|
|
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
|
|
|
|
* endorse or promote products derived from this software without
|
|
|
|
* prior written permission. For written permission, please contact
|
|
|
|
* openssl-core@openssl.org.
|
|
|
|
*
|
|
|
|
* 5. Products derived from this software may not be called "OpenSSL"
|
|
|
|
* nor may "OpenSSL" appear in their names without prior written
|
|
|
|
* permission of the OpenSSL Project.
|
|
|
|
*
|
|
|
|
* 6. Redistributions of any form whatsoever must retain the following
|
|
|
|
* acknowledgment:
|
|
|
|
* "This product includes software developed by the OpenSSL Project
|
|
|
|
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
|
|
|
|
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
|
|
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
|
|
|
|
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
|
|
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
|
|
|
|
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
|
|
|
|
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
|
|
|
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
|
|
|
* OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
* ====================================================================
|
|
|
|
*
|
|
|
|
* This product includes cryptographic software written by Eric Young
|
|
|
|
* (eay@cryptsoft.com). This product includes software written by Tim
|
|
|
|
* Hudson (tjh@cryptsoft.com).
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
/* ====================================================================
|
|
|
|
* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
|
|
|
|
*
|
|
|
|
* Portions of the attached software ("Contribution") are developed by
|
|
|
|
* SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project.
|
|
|
|
*
|
|
|
|
* The Contribution is licensed pursuant to the OpenSSL open source
|
|
|
|
* license provided above.
|
|
|
|
*
|
|
|
|
* The elliptic curve binary polynomial software is originally written by
|
|
|
|
* Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems
|
|
|
|
* Laboratories. */
|
|
|
|
|
|
|
|
#ifndef OPENSSL_HEADER_EC_INTERNAL_H
|
|
|
|
#define OPENSSL_HEADER_EC_INTERNAL_H
|
|
|
|
|
|
|
|
#include <openssl/base.h>
|
|
|
|
|
|
|
|
#include <openssl/bn.h>
|
|
|
|
#include <openssl/ex_data.h>
|
2015-05-15 20:49:30 +01:00
|
|
|
#include <openssl/thread.h>
|
2017-11-11 03:37:40 +00:00
|
|
|
#include <openssl/type_check.h>
|
|
|
|
|
|
|
|
#include "../bn/internal.h"
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
#if defined(__cplusplus)
|
|
|
|
extern "C" {
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
2017-11-11 03:37:40 +00:00
|
|
|
// Cap the size of all field elements and scalars, including custom curves, to
|
|
|
|
// 66 bytes, large enough to fit secp521r1 and brainpoolP512r1, which appear to
|
|
|
|
// be the largest fields anyone plausibly uses.
|
|
|
|
#define EC_MAX_SCALAR_BYTES 66
|
|
|
|
#define EC_MAX_SCALAR_WORDS ((66 + BN_BYTES - 1) / BN_BYTES)
|
|
|
|
|
|
|
|
OPENSSL_COMPILE_ASSERT(EC_MAX_SCALAR_WORDS <= BN_SMALL_MAX_WORDS,
|
|
|
|
bn_small_functions_applicable);
|
|
|
|
|
2017-11-30 21:05:36 +00:00
|
|
|
// An EC_SCALAR is an integer fully reduced modulo the order. Only the first
|
2018-01-15 10:23:24 +00:00
|
|
|
// |order->width| words are used. An |EC_SCALAR| is specific to an |EC_GROUP|
|
|
|
|
// and must not be mixed between groups.
|
Make ECDSA signing 10% faster and plug some timing leaks.
None of the asymmetric crypto we inherented from OpenSSL is
constant-time because of BIGNUM. BIGNUM chops leading zeros off the
front of everything, so we end up leaking information about the first
word, in theory. BIGNUM functions additionally tend to take the full
range of inputs and then call into BN_nnmod at various points.
All our secret values should be acted on in constant-time, but k in
ECDSA is a particularly sensitive value. So, ecdsa_sign_setup, in an
attempt to mitigate the BIGNUM leaks, would add a couple copies of the
order.
This does not work at all. k is used to compute two values: k^-1 and kG.
The first operation when computing k^-1 is to call BN_nnmod if k is out
of range. The entry point to our tuned constant-time curve
implementations is to call BN_nnmod if the scalar has too many bits,
which this causes. The result is both corrections are immediately undone
but cause us to do more variable-time work in the meantime.
Replace all these computations around k with the word-based functions
added in the various preceding CLs. In doing so, replace the BN_mod_mul
calls (which internally call BN_nnmod) with Montgomery reduction. We can
avoid taking k^-1 out of Montgomery form, which combines nicely with
Brian Smith's trick in 3426d1011946b26ff1bb2fd98a081ba4753c9cc8. Along
the way, we avoid some unnecessary mallocs.
BIGNUM still affects the private key itself, as well as the EC_POINTs.
But this should hopefully be much better now. Also it's 10% faster:
Before:
Did 15000 ECDSA P-224 signing operations in 1069117us (14030.3 ops/sec)
Did 18000 ECDSA P-256 signing operations in 1053908us (17079.3 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1087853us (990.9 ops/sec)
Did 473 ECDSA P-521 signing operations in 1069835us (442.1 ops/sec)
After:
Did 16000 ECDSA P-224 signing operations in 1064799us (15026.3 ops/sec)
Did 19000 ECDSA P-256 signing operations in 1007839us (18852.2 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1079413us (998.7 ops/sec)
Did 484 ECDSA P-521 signing operations in 1083616us (446.7 ops/sec)
Change-Id: I2a25e90fc99dac13c0616d0ea45e125a4bd8cca1
Reviewed-on: https://boringssl-review.googlesource.com/23075
Reviewed-by: Adam Langley <agl@google.com>
2017-11-13 03:58:00 +00:00
|
|
|
typedef union {
|
|
|
|
// bytes is the representation of the scalar in little-endian order.
|
|
|
|
uint8_t bytes[EC_MAX_SCALAR_BYTES];
|
|
|
|
BN_ULONG words[EC_MAX_SCALAR_WORDS];
|
|
|
|
} EC_SCALAR;
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
struct ec_method_st {
|
|
|
|
int (*group_init)(EC_GROUP *);
|
|
|
|
void (*group_finish)(EC_GROUP *);
|
|
|
|
int (*group_set_curve)(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
|
|
|
|
const BIGNUM *b, BN_CTX *);
|
|
|
|
int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_POINT *,
|
|
|
|
BIGNUM *x, BIGNUM *y, BN_CTX *);
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// Computes |r = g_scalar*generator + p_scalar*p| if |g_scalar| and |p_scalar|
|
|
|
|
// are both non-null. Computes |r = g_scalar*generator| if |p_scalar| is null.
|
|
|
|
// Computes |r = p_scalar*p| if g_scalar is null. At least one of |g_scalar|
|
|
|
|
// and |p_scalar| must be non-null, and |p| must be non-null if |p_scalar| is
|
|
|
|
// non-null.
|
Make ECDSA signing 10% faster and plug some timing leaks.
None of the asymmetric crypto we inherented from OpenSSL is
constant-time because of BIGNUM. BIGNUM chops leading zeros off the
front of everything, so we end up leaking information about the first
word, in theory. BIGNUM functions additionally tend to take the full
range of inputs and then call into BN_nnmod at various points.
All our secret values should be acted on in constant-time, but k in
ECDSA is a particularly sensitive value. So, ecdsa_sign_setup, in an
attempt to mitigate the BIGNUM leaks, would add a couple copies of the
order.
This does not work at all. k is used to compute two values: k^-1 and kG.
The first operation when computing k^-1 is to call BN_nnmod if k is out
of range. The entry point to our tuned constant-time curve
implementations is to call BN_nnmod if the scalar has too many bits,
which this causes. The result is both corrections are immediately undone
but cause us to do more variable-time work in the meantime.
Replace all these computations around k with the word-based functions
added in the various preceding CLs. In doing so, replace the BN_mod_mul
calls (which internally call BN_nnmod) with Montgomery reduction. We can
avoid taking k^-1 out of Montgomery form, which combines nicely with
Brian Smith's trick in 3426d1011946b26ff1bb2fd98a081ba4753c9cc8. Along
the way, we avoid some unnecessary mallocs.
BIGNUM still affects the private key itself, as well as the EC_POINTs.
But this should hopefully be much better now. Also it's 10% faster:
Before:
Did 15000 ECDSA P-224 signing operations in 1069117us (14030.3 ops/sec)
Did 18000 ECDSA P-256 signing operations in 1053908us (17079.3 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1087853us (990.9 ops/sec)
Did 473 ECDSA P-521 signing operations in 1069835us (442.1 ops/sec)
After:
Did 16000 ECDSA P-224 signing operations in 1064799us (15026.3 ops/sec)
Did 19000 ECDSA P-256 signing operations in 1007839us (18852.2 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1079413us (998.7 ops/sec)
Did 484 ECDSA P-521 signing operations in 1083616us (446.7 ops/sec)
Change-Id: I2a25e90fc99dac13c0616d0ea45e125a4bd8cca1
Reviewed-on: https://boringssl-review.googlesource.com/23075
Reviewed-by: Adam Langley <agl@google.com>
2017-11-13 03:58:00 +00:00
|
|
|
int (*mul)(const EC_GROUP *group, EC_POINT *r, const EC_SCALAR *g_scalar,
|
|
|
|
const EC_POINT *p, const EC_SCALAR *p_scalar, BN_CTX *ctx);
|
ec/p256.c: fiat-crypto field arithmetic (64, 32)
The fiat-crypto-generated code uses the Montgomery form implementation
strategy, for both 32-bit and 64-bit code.
64-bit throughput seems slower, but the difference is smaller than noise between repetitions (-2%?)
32-bit throughput has decreased significantly for ECDH (-40%). I am
attributing this to the change from varibale-time scalar multiplication
to constant-time scalar multiplication. Due to the same bottleneck,
ECDSA verification still uses the old code (otherwise there would have
been a 60% throughput decrease). On the other hand, ECDSA signing
throughput has increased slightly (+10%), perhaps due to the use of a
precomputed table of multiples of the base point.
64-bit benchmarks (Google Cloud Haswell):
with this change:
Did 9126 ECDH P-256 operations in 1009572us (9039.5 ops/sec)
Did 23000 ECDSA P-256 signing operations in 1039832us (22119.0 ops/sec)
Did 8820 ECDSA P-256 verify operations in 1024242us (8611.2 ops/sec)
master (40e8c921cab5cce2bc10722ecf4ebe0e380cf6c8):
Did 9340 ECDH P-256 operations in 1017975us (9175.1 ops/sec)
Did 23000 ECDSA P-256 signing operations in 1039820us (22119.2 ops/sec)
Did 8688 ECDSA P-256 verify operations in 1021108us (8508.4 ops/sec)
benchmarks on ARMv7 (LG Nexus 4):
with this change:
Did 150 ECDH P-256 operations in 1029726us (145.7 ops/sec)
Did 506 ECDSA P-256 signing operations in 1065192us (475.0 ops/sec)
Did 363 ECDSA P-256 verify operations in 1033298us (351.3 ops/sec)
master (2fce1beda0f7e74e2d687860f807cf0b8d8056a4):
Did 245 ECDH P-256 operations in 1017518us (240.8 ops/sec)
Did 473 ECDSA P-256 signing operations in 1086281us (435.4 ops/sec)
Did 360 ECDSA P-256 verify operations in 1003846us (358.6 ops/sec)
64-bit tables converted as follows:
import re, sys, math
p = 2**256 - 2**224 + 2**192 + 2**96 - 1
R = 2**256
def convert(t):
x0, s1, x1, s2, x2, s3, x3 = t.groups()
v = int(x0, 0) + 2**64 * (int(x1, 0) + 2**64*(int(x2,0) + 2**64*(int(x3, 0)) ))
w = v*R%p
y0 = hex(w%(2**64))
y1 = hex((w>>64)%(2**64))
y2 = hex((w>>(2*64))%(2**64))
y3 = hex((w>>(3*64))%(2**64))
ww = int(y0, 0) + 2**64 * (int(y1, 0) + 2**64*(int(y2,0) + 2**64*(int(y3, 0)) ))
if ww != v*R%p:
print(x0,x1,x2,x3)
print(hex(v))
print(y0,y1,y2,y3)
print(hex(w))
print(hex(ww))
assert 0
return '{'+y0+s1+y1+s2+y2+s3+y3+'}'
fe_re = re.compile('{'+r'(\s*,\s*)'.join(r'(\d+|0x[abcdefABCDEF0123456789]+)' for i in range(4)) + '}')
print (re.sub(fe_re, convert, sys.stdin.read()).rstrip('\n'))
32-bit tables converted from 64-bit tables
Change-Id: I52d6e5504fcb6ca2e8b0ee13727f4500c80c1799
Reviewed-on: https://boringssl-review.googlesource.com/23244
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-11-08 20:32:38 +00:00
|
|
|
// mul_public performs the same computation as mul. It further assumes that
|
|
|
|
// the inputs are public so there is no concern about leaking their values
|
|
|
|
// through timing.
|
|
|
|
int (*mul_public)(const EC_GROUP *group, EC_POINT *r,
|
|
|
|
const EC_SCALAR *g_scalar, const EC_POINT *p,
|
|
|
|
const EC_SCALAR *p_scalar, BN_CTX *ctx);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// 'field_mul' and 'field_sqr' can be used by 'add' and 'dbl' so that the
|
|
|
|
// same implementations of point operations can be used with different
|
|
|
|
// optimized implementations of expensive field operations:
|
2014-06-20 20:00:00 +01:00
|
|
|
int (*field_mul)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
const BIGNUM *b, BN_CTX *);
|
|
|
|
int (*field_sqr)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *);
|
|
|
|
|
|
|
|
int (*field_encode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
2017-08-18 19:06:02 +01:00
|
|
|
BN_CTX *); // e.g. to Montgomery
|
2014-06-20 20:00:00 +01:00
|
|
|
int (*field_decode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
2017-08-18 19:06:02 +01:00
|
|
|
BN_CTX *); // e.g. from Montgomery
|
2014-06-20 20:00:00 +01:00
|
|
|
} /* EC_METHOD */;
|
|
|
|
|
2017-05-02 22:25:39 +01:00
|
|
|
const EC_METHOD *EC_GFp_mont_method(void);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
struct ec_group_st {
|
|
|
|
const EC_METHOD *meth;
|
|
|
|
|
2017-10-26 20:48:18 +01:00
|
|
|
// Unlike all other |EC_POINT|s, |generator| does not own |generator->group|
|
|
|
|
// to avoid a reference cycle.
|
2016-02-06 00:12:04 +00:00
|
|
|
EC_POINT *generator;
|
2016-06-17 01:40:18 +01:00
|
|
|
BIGNUM order;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
int curve_name; // optional NID for named curve
|
2014-06-20 20:00:00 +01:00
|
|
|
|
2017-11-13 06:55:25 +00:00
|
|
|
BN_MONT_CTX *order_mont; // data for ECDSA inverse
|
2014-06-20 20:00:00 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// The following members are handled by the method functions,
|
|
|
|
// even if they appear generic
|
2014-06-20 20:00:00 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
BIGNUM field; // For curves over GF(p), this is the modulus.
|
2015-04-08 22:11:16 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
BIGNUM a, b; // Curve coefficients.
|
2014-06-20 20:00:00 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
int a_is_minus3; // enable optimized point arithmetics for special case
|
2014-06-20 20:00:00 +01:00
|
|
|
|
2017-10-26 19:53:29 +01:00
|
|
|
CRYPTO_refcount_t references;
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
BN_MONT_CTX *mont; // Montgomery structure.
|
2015-11-26 00:19:21 +00:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
BIGNUM one; // The value one.
|
2014-06-20 20:00:00 +01:00
|
|
|
} /* EC_GROUP */;
|
|
|
|
|
|
|
|
struct ec_point_st {
|
2017-10-26 20:48:18 +01:00
|
|
|
// group is an owning reference to |group|, unless this is
|
|
|
|
// |group->generator|.
|
|
|
|
EC_GROUP *group;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
BIGNUM X;
|
|
|
|
BIGNUM Y;
|
2017-08-18 19:06:02 +01:00
|
|
|
BIGNUM Z; // Jacobian projective coordinates:
|
|
|
|
// (X, Y, Z) represents (X/Z^2, Y/Z^3) if Z != 0
|
2014-06-20 20:00:00 +01:00
|
|
|
} /* EC_POINT */;
|
|
|
|
|
|
|
|
EC_GROUP *ec_group_new(const EC_METHOD *meth);
|
|
|
|
|
2017-11-30 21:05:36 +00:00
|
|
|
// ec_bignum_to_scalar converts |in| to an |EC_SCALAR| and writes it to
|
|
|
|
// |*out|. It returns one on success and zero if |in| is out of range.
|
Make ECDSA signing 10% faster and plug some timing leaks.
None of the asymmetric crypto we inherented from OpenSSL is
constant-time because of BIGNUM. BIGNUM chops leading zeros off the
front of everything, so we end up leaking information about the first
word, in theory. BIGNUM functions additionally tend to take the full
range of inputs and then call into BN_nnmod at various points.
All our secret values should be acted on in constant-time, but k in
ECDSA is a particularly sensitive value. So, ecdsa_sign_setup, in an
attempt to mitigate the BIGNUM leaks, would add a couple copies of the
order.
This does not work at all. k is used to compute two values: k^-1 and kG.
The first operation when computing k^-1 is to call BN_nnmod if k is out
of range. The entry point to our tuned constant-time curve
implementations is to call BN_nnmod if the scalar has too many bits,
which this causes. The result is both corrections are immediately undone
but cause us to do more variable-time work in the meantime.
Replace all these computations around k with the word-based functions
added in the various preceding CLs. In doing so, replace the BN_mod_mul
calls (which internally call BN_nnmod) with Montgomery reduction. We can
avoid taking k^-1 out of Montgomery form, which combines nicely with
Brian Smith's trick in 3426d1011946b26ff1bb2fd98a081ba4753c9cc8. Along
the way, we avoid some unnecessary mallocs.
BIGNUM still affects the private key itself, as well as the EC_POINTs.
But this should hopefully be much better now. Also it's 10% faster:
Before:
Did 15000 ECDSA P-224 signing operations in 1069117us (14030.3 ops/sec)
Did 18000 ECDSA P-256 signing operations in 1053908us (17079.3 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1087853us (990.9 ops/sec)
Did 473 ECDSA P-521 signing operations in 1069835us (442.1 ops/sec)
After:
Did 16000 ECDSA P-224 signing operations in 1064799us (15026.3 ops/sec)
Did 19000 ECDSA P-256 signing operations in 1007839us (18852.2 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1079413us (998.7 ops/sec)
Did 484 ECDSA P-521 signing operations in 1083616us (446.7 ops/sec)
Change-Id: I2a25e90fc99dac13c0616d0ea45e125a4bd8cca1
Reviewed-on: https://boringssl-review.googlesource.com/23075
Reviewed-by: Adam Langley <agl@google.com>
2017-11-13 03:58:00 +00:00
|
|
|
int ec_bignum_to_scalar(const EC_GROUP *group, EC_SCALAR *out,
|
|
|
|
const BIGNUM *in);
|
|
|
|
|
2017-11-30 21:05:36 +00:00
|
|
|
// ec_bignum_to_scalar_unchecked behaves like |ec_bignum_to_scalar| but does not
|
|
|
|
// check |in| is fully reduced.
|
|
|
|
int ec_bignum_to_scalar_unchecked(const EC_GROUP *group, EC_SCALAR *out,
|
|
|
|
const BIGNUM *in);
|
|
|
|
|
Make ECDSA signing 10% faster and plug some timing leaks.
None of the asymmetric crypto we inherented from OpenSSL is
constant-time because of BIGNUM. BIGNUM chops leading zeros off the
front of everything, so we end up leaking information about the first
word, in theory. BIGNUM functions additionally tend to take the full
range of inputs and then call into BN_nnmod at various points.
All our secret values should be acted on in constant-time, but k in
ECDSA is a particularly sensitive value. So, ecdsa_sign_setup, in an
attempt to mitigate the BIGNUM leaks, would add a couple copies of the
order.
This does not work at all. k is used to compute two values: k^-1 and kG.
The first operation when computing k^-1 is to call BN_nnmod if k is out
of range. The entry point to our tuned constant-time curve
implementations is to call BN_nnmod if the scalar has too many bits,
which this causes. The result is both corrections are immediately undone
but cause us to do more variable-time work in the meantime.
Replace all these computations around k with the word-based functions
added in the various preceding CLs. In doing so, replace the BN_mod_mul
calls (which internally call BN_nnmod) with Montgomery reduction. We can
avoid taking k^-1 out of Montgomery form, which combines nicely with
Brian Smith's trick in 3426d1011946b26ff1bb2fd98a081ba4753c9cc8. Along
the way, we avoid some unnecessary mallocs.
BIGNUM still affects the private key itself, as well as the EC_POINTs.
But this should hopefully be much better now. Also it's 10% faster:
Before:
Did 15000 ECDSA P-224 signing operations in 1069117us (14030.3 ops/sec)
Did 18000 ECDSA P-256 signing operations in 1053908us (17079.3 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1087853us (990.9 ops/sec)
Did 473 ECDSA P-521 signing operations in 1069835us (442.1 ops/sec)
After:
Did 16000 ECDSA P-224 signing operations in 1064799us (15026.3 ops/sec)
Did 19000 ECDSA P-256 signing operations in 1007839us (18852.2 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1079413us (998.7 ops/sec)
Did 484 ECDSA P-521 signing operations in 1083616us (446.7 ops/sec)
Change-Id: I2a25e90fc99dac13c0616d0ea45e125a4bd8cca1
Reviewed-on: https://boringssl-review.googlesource.com/23075
Reviewed-by: Adam Langley <agl@google.com>
2017-11-13 03:58:00 +00:00
|
|
|
// ec_random_nonzero_scalar sets |out| to a uniformly selected random value from
|
|
|
|
// 1 to |group->order| - 1. It returns one on success and zero on error.
|
|
|
|
int ec_random_nonzero_scalar(const EC_GROUP *group, EC_SCALAR *out,
|
|
|
|
const uint8_t additional_data[32]);
|
|
|
|
|
|
|
|
// ec_point_mul_scalar sets |r| to generator * |g_scalar| + |p| *
|
|
|
|
// |p_scalar|. Unlike other functions which take |EC_SCALAR|, |g_scalar| and
|
|
|
|
// |p_scalar| need not be fully reduced. They need only contain as many bits as
|
|
|
|
// the order.
|
|
|
|
int ec_point_mul_scalar(const EC_GROUP *group, EC_POINT *r,
|
|
|
|
const EC_SCALAR *g_scalar, const EC_POINT *p,
|
|
|
|
const EC_SCALAR *p_scalar, BN_CTX *ctx);
|
|
|
|
|
ec/p256.c: fiat-crypto field arithmetic (64, 32)
The fiat-crypto-generated code uses the Montgomery form implementation
strategy, for both 32-bit and 64-bit code.
64-bit throughput seems slower, but the difference is smaller than noise between repetitions (-2%?)
32-bit throughput has decreased significantly for ECDH (-40%). I am
attributing this to the change from varibale-time scalar multiplication
to constant-time scalar multiplication. Due to the same bottleneck,
ECDSA verification still uses the old code (otherwise there would have
been a 60% throughput decrease). On the other hand, ECDSA signing
throughput has increased slightly (+10%), perhaps due to the use of a
precomputed table of multiples of the base point.
64-bit benchmarks (Google Cloud Haswell):
with this change:
Did 9126 ECDH P-256 operations in 1009572us (9039.5 ops/sec)
Did 23000 ECDSA P-256 signing operations in 1039832us (22119.0 ops/sec)
Did 8820 ECDSA P-256 verify operations in 1024242us (8611.2 ops/sec)
master (40e8c921cab5cce2bc10722ecf4ebe0e380cf6c8):
Did 9340 ECDH P-256 operations in 1017975us (9175.1 ops/sec)
Did 23000 ECDSA P-256 signing operations in 1039820us (22119.2 ops/sec)
Did 8688 ECDSA P-256 verify operations in 1021108us (8508.4 ops/sec)
benchmarks on ARMv7 (LG Nexus 4):
with this change:
Did 150 ECDH P-256 operations in 1029726us (145.7 ops/sec)
Did 506 ECDSA P-256 signing operations in 1065192us (475.0 ops/sec)
Did 363 ECDSA P-256 verify operations in 1033298us (351.3 ops/sec)
master (2fce1beda0f7e74e2d687860f807cf0b8d8056a4):
Did 245 ECDH P-256 operations in 1017518us (240.8 ops/sec)
Did 473 ECDSA P-256 signing operations in 1086281us (435.4 ops/sec)
Did 360 ECDSA P-256 verify operations in 1003846us (358.6 ops/sec)
64-bit tables converted as follows:
import re, sys, math
p = 2**256 - 2**224 + 2**192 + 2**96 - 1
R = 2**256
def convert(t):
x0, s1, x1, s2, x2, s3, x3 = t.groups()
v = int(x0, 0) + 2**64 * (int(x1, 0) + 2**64*(int(x2,0) + 2**64*(int(x3, 0)) ))
w = v*R%p
y0 = hex(w%(2**64))
y1 = hex((w>>64)%(2**64))
y2 = hex((w>>(2*64))%(2**64))
y3 = hex((w>>(3*64))%(2**64))
ww = int(y0, 0) + 2**64 * (int(y1, 0) + 2**64*(int(y2,0) + 2**64*(int(y3, 0)) ))
if ww != v*R%p:
print(x0,x1,x2,x3)
print(hex(v))
print(y0,y1,y2,y3)
print(hex(w))
print(hex(ww))
assert 0
return '{'+y0+s1+y1+s2+y2+s3+y3+'}'
fe_re = re.compile('{'+r'(\s*,\s*)'.join(r'(\d+|0x[abcdefABCDEF0123456789]+)' for i in range(4)) + '}')
print (re.sub(fe_re, convert, sys.stdin.read()).rstrip('\n'))
32-bit tables converted from 64-bit tables
Change-Id: I52d6e5504fcb6ca2e8b0ee13727f4500c80c1799
Reviewed-on: https://boringssl-review.googlesource.com/23244
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2017-11-08 20:32:38 +00:00
|
|
|
// ec_point_mul_scalar_public performs the same computation as
|
|
|
|
// ec_point_mul_scalar. It further assumes that the inputs are public so
|
|
|
|
// there is no concern about leaking their values through timing.
|
|
|
|
int ec_point_mul_scalar_public(const EC_GROUP *group, EC_POINT *r,
|
|
|
|
const EC_SCALAR *g_scalar, const EC_POINT *p,
|
|
|
|
const EC_SCALAR *p_scalar, BN_CTX *ctx);
|
|
|
|
|
2018-02-02 23:24:09 +00:00
|
|
|
// ec_compute_wNAF writes the modified width-(w+1) Non-Adjacent Form (wNAF) of
|
|
|
|
// |scalar| to |out| and returns one on success or zero on internal error. |out|
|
|
|
|
// must have room for |bits| + 1 elements, each of which will be either zero or
|
|
|
|
// odd with an absolute value less than 2^w satisfying
|
|
|
|
// scalar = \sum_j out[j]*2^j
|
|
|
|
// where at most one of any w+1 consecutive digits is non-zero
|
|
|
|
// with the exception that the most significant digit may be only
|
|
|
|
// w-1 zeros away from that next non-zero digit.
|
|
|
|
int ec_compute_wNAF(const EC_GROUP *group, int8_t *out, const EC_SCALAR *scalar,
|
|
|
|
size_t bits, int w);
|
|
|
|
|
Make ECDSA signing 10% faster and plug some timing leaks.
None of the asymmetric crypto we inherented from OpenSSL is
constant-time because of BIGNUM. BIGNUM chops leading zeros off the
front of everything, so we end up leaking information about the first
word, in theory. BIGNUM functions additionally tend to take the full
range of inputs and then call into BN_nnmod at various points.
All our secret values should be acted on in constant-time, but k in
ECDSA is a particularly sensitive value. So, ecdsa_sign_setup, in an
attempt to mitigate the BIGNUM leaks, would add a couple copies of the
order.
This does not work at all. k is used to compute two values: k^-1 and kG.
The first operation when computing k^-1 is to call BN_nnmod if k is out
of range. The entry point to our tuned constant-time curve
implementations is to call BN_nnmod if the scalar has too many bits,
which this causes. The result is both corrections are immediately undone
but cause us to do more variable-time work in the meantime.
Replace all these computations around k with the word-based functions
added in the various preceding CLs. In doing so, replace the BN_mod_mul
calls (which internally call BN_nnmod) with Montgomery reduction. We can
avoid taking k^-1 out of Montgomery form, which combines nicely with
Brian Smith's trick in 3426d1011946b26ff1bb2fd98a081ba4753c9cc8. Along
the way, we avoid some unnecessary mallocs.
BIGNUM still affects the private key itself, as well as the EC_POINTs.
But this should hopefully be much better now. Also it's 10% faster:
Before:
Did 15000 ECDSA P-224 signing operations in 1069117us (14030.3 ops/sec)
Did 18000 ECDSA P-256 signing operations in 1053908us (17079.3 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1087853us (990.9 ops/sec)
Did 473 ECDSA P-521 signing operations in 1069835us (442.1 ops/sec)
After:
Did 16000 ECDSA P-224 signing operations in 1064799us (15026.3 ops/sec)
Did 19000 ECDSA P-256 signing operations in 1007839us (18852.2 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1079413us (998.7 ops/sec)
Did 484 ECDSA P-521 signing operations in 1083616us (446.7 ops/sec)
Change-Id: I2a25e90fc99dac13c0616d0ea45e125a4bd8cca1
Reviewed-on: https://boringssl-review.googlesource.com/23075
Reviewed-by: Adam Langley <agl@google.com>
2017-11-13 03:58:00 +00:00
|
|
|
int ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const EC_SCALAR *g_scalar,
|
|
|
|
const EC_POINT *p, const EC_SCALAR *p_scalar, BN_CTX *ctx);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// method functions in simple.c
|
2014-06-20 20:00:00 +01:00
|
|
|
int ec_GFp_simple_group_init(EC_GROUP *);
|
|
|
|
void ec_GFp_simple_group_finish(EC_GROUP *);
|
|
|
|
int ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
|
|
|
|
const BIGNUM *b, BN_CTX *);
|
|
|
|
int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a,
|
|
|
|
BIGNUM *b, BN_CTX *);
|
2015-10-09 04:10:15 +01:00
|
|
|
unsigned ec_GFp_simple_group_get_degree(const EC_GROUP *);
|
2014-06-20 20:00:00 +01:00
|
|
|
int ec_GFp_simple_point_init(EC_POINT *);
|
|
|
|
void ec_GFp_simple_point_finish(EC_POINT *);
|
|
|
|
int ec_GFp_simple_point_copy(EC_POINT *, const EC_POINT *);
|
|
|
|
int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *);
|
|
|
|
int ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *,
|
|
|
|
const BIGNUM *x, const BIGNUM *y,
|
|
|
|
BN_CTX *);
|
|
|
|
int ec_GFp_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
|
|
|
|
const EC_POINT *b, BN_CTX *);
|
|
|
|
int ec_GFp_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a,
|
|
|
|
BN_CTX *);
|
|
|
|
int ec_GFp_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *);
|
|
|
|
int ec_GFp_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *);
|
|
|
|
int ec_GFp_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *);
|
|
|
|
int ec_GFp_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b,
|
|
|
|
BN_CTX *);
|
|
|
|
int ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *);
|
|
|
|
int ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num,
|
|
|
|
EC_POINT * [], BN_CTX *);
|
|
|
|
int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
const BIGNUM *b, BN_CTX *);
|
|
|
|
int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
BN_CTX *);
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// method functions in montgomery.c
|
2014-06-20 20:00:00 +01:00
|
|
|
int ec_GFp_mont_group_init(EC_GROUP *);
|
|
|
|
int ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a,
|
|
|
|
const BIGNUM *b, BN_CTX *);
|
|
|
|
void ec_GFp_mont_group_finish(EC_GROUP *);
|
|
|
|
int ec_GFp_mont_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
const BIGNUM *b, BN_CTX *);
|
|
|
|
int ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
BN_CTX *);
|
|
|
|
int ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
BN_CTX *);
|
|
|
|
int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a,
|
|
|
|
BN_CTX *);
|
|
|
|
|
2015-04-14 20:07:44 +01:00
|
|
|
void ec_GFp_nistp_recode_scalar_bits(uint8_t *sign, uint8_t *digit, uint8_t in);
|
|
|
|
|
2017-05-02 22:25:39 +01:00
|
|
|
const EC_METHOD *EC_GFp_nistp224_method(void);
|
|
|
|
const EC_METHOD *EC_GFp_nistp256_method(void);
|
2015-04-14 20:07:44 +01:00
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// EC_GFp_nistz256_method is a GFp method using montgomery multiplication, with
|
|
|
|
// x86-64 optimized P256. See http://eprint.iacr.org/2013/816.
|
2017-05-02 22:25:39 +01:00
|
|
|
const EC_METHOD *EC_GFp_nistz256_method(void);
|
2015-11-03 22:02:04 +00:00
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
struct ec_key_st {
|
|
|
|
EC_GROUP *group;
|
|
|
|
|
|
|
|
EC_POINT *pub_key;
|
|
|
|
BIGNUM *priv_key;
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// fixed_k may contain a specific value of 'k', to be used in ECDSA signing.
|
|
|
|
// This is only for the FIPS power-on tests.
|
2017-06-13 20:45:49 +01:00
|
|
|
BIGNUM *fixed_k;
|
|
|
|
|
2014-06-20 20:00:00 +01:00
|
|
|
unsigned int enc_flag;
|
|
|
|
point_conversion_form_t conv_form;
|
|
|
|
|
2015-05-15 20:49:30 +01:00
|
|
|
CRYPTO_refcount_t references;
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
ECDSA_METHOD *ecdsa_meth;
|
|
|
|
|
|
|
|
CRYPTO_EX_DATA ex_data;
|
|
|
|
} /* EC_KEY */;
|
|
|
|
|
2017-06-21 19:37:22 +01:00
|
|
|
struct built_in_curve {
|
|
|
|
int nid;
|
|
|
|
const uint8_t *oid;
|
|
|
|
uint8_t oid_len;
|
2017-08-18 19:06:02 +01:00
|
|
|
// comment is a human-readable string describing the curve.
|
2014-07-19 00:26:25 +01:00
|
|
|
const char *comment;
|
2017-08-18 19:06:02 +01:00
|
|
|
// param_len is the number of bytes needed to store a field element.
|
2014-07-19 00:26:25 +01:00
|
|
|
uint8_t param_len;
|
2017-08-18 19:06:02 +01:00
|
|
|
// params points to an array of 6*|param_len| bytes which hold the field
|
|
|
|
// elements of the following (in big-endian order): prime, a, b, generator x,
|
|
|
|
// generator y, order.
|
2017-06-21 19:37:22 +01:00
|
|
|
const uint8_t *params;
|
2016-08-14 21:41:27 +01:00
|
|
|
const EC_METHOD *method;
|
2014-07-19 00:26:25 +01:00
|
|
|
};
|
|
|
|
|
2017-05-02 22:25:39 +01:00
|
|
|
#define OPENSSL_NUM_BUILT_IN_CURVES 4
|
|
|
|
|
|
|
|
struct built_in_curves {
|
|
|
|
struct built_in_curve curves[OPENSSL_NUM_BUILT_IN_CURVES];
|
|
|
|
};
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
// OPENSSL_built_in_curves returns a pointer to static information about
|
|
|
|
// standard curves. The array is terminated with an entry where |nid| is
|
|
|
|
// |NID_undef|.
|
2017-05-02 22:25:39 +01:00
|
|
|
const struct built_in_curves *OPENSSL_built_in_curves(void);
|
2014-06-20 20:00:00 +01:00
|
|
|
|
|
|
|
#if defined(__cplusplus)
|
2017-08-18 19:06:02 +01:00
|
|
|
} // extern C
|
2014-06-20 20:00:00 +01:00
|
|
|
#endif
|
|
|
|
|
2017-08-18 19:06:02 +01:00
|
|
|
#endif // OPENSSL_HEADER_EC_INTERNAL_H
|