Enable Ed25519 when building with OPENSSL_SMALL.

OPENSSL_SMALL will still cause the smaller base-point table to be used and so won't be as fast at signing as the full version, but Ed25519 will now work in those builds. Without OPENSSL_SMALL: Did 20000 Ed25519 key generation operations in 1008347us (19834.4 ops/sec) Did 20000 Ed25519 signing operations in 1025594us (19500.9 ops/sec) Did 6138 Ed25519 verify operations in 1001712us (6127.5 ops/sec) Did 21000 Curve25519 base-point multiplication operations in 1019237us (20603.6 ops/sec) Did 7095 Curve25519 arbitrary point multiplication operations in 1065986us (6655.8 ops/sec) With (on the same machine): Did 8415 Ed25519 key generation operations in 1020958us (8242.3 ops/sec) Did 8952 Ed25519 signing operations in 1077635us (8307.1 ops/sec) Did 6358 Ed25519 verify operations in 1047533us (6069.5 ops/sec) Did 6620 Curve25519 base-point multiplication operations in 1008922us (6561.5 ops/sec) Did 7183 Curve25519 arbitrary point multiplication operations in 1096285us (6552.1 ops/sec) Change-Id: Ib443c0e2bdfd11e044087e66efd55b651a5667e7 Reviewed-on: https://boringssl-review.googlesource.com/6772 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
2015-12-18 14:58:40 -08:00 · 2015-12-18 14:58:40 -08:00 · 77c3c0b025
commit 77c3c0b025
parent 9f897b2580
3 changed files with 4 additions and 41 deletions
--- a/crypto/curve25519/curve25519.c
+++ b/crypto/curve25519/curve25519.c
@ -17,8 +17,7 @@
 * public domain but this file has the ISC license just to keep licencing
 * simple.
 *
- * The field functions are shared by Ed25519 and X25519, although Ed25519 is
+ * The field functions are shared by Ed25519 and X25519 where possible. */
 * disabled when |OPENSSL_SMALL| is defined. */
 #include <openssl/curve25519.h>
@ -785,9 +784,6 @@ static void fe_mul121666(fe h, fe f) {
  h[9] = h9;
 }
 /* Ed25519 support is disabled when built with |OPENSSL_SMALL|. */
 #if !defined(OPENSSL_SMALL)
 /* h = -f
 *
 * Preconditions:
@ -1329,13 +1325,10 @@ static void cmov(ge_precomp *t, ge_precomp *u, uint8_t b) {
  fe_cmov(t->xy2d, u->xy2d, b);
 }
-#if 0
+#if defined(OPENSSL_SMALL)
-/* At the moment, building with |OPENSSL_SMALL| causes Ed25519 to be disabled.
+/* This block of code replaces the standard base-point table with a much smaller
- * In the future we might enable it but, in that case, we'll still probably
+ * one. The standard table is 30,720 bytes while this one is just 960.
 * want to keep the size down. This block of code replaces the standard
 * base-point table with a much smaller one. The standard table is 30,720 bytes
 * while this one is just 960.
 *
 * This table contains 15 pairs of group elements, (x, y), where each field
 * element is serialised with |fe_tobytes|. If |i| is the index of the group
@ -4768,8 +4761,6 @@ int ED25519_verify(const uint8_t *message, size_t message_len,
  return CRYPTO_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0;
 }
 #endif
 static void x25519_scalar_mult_generic(uint8_t out[32],
                                       const uint8_t scalar[32],
                                       const uint8_t point[32]) {
@ -4852,19 +4843,6 @@ int X25519(uint8_t out_shared_key[32], const uint8_t private_key[32],
  return CRYPTO_memcmp(kZeros, out_shared_key, 32) != 0;
 }
 #if defined(OPENSSL_SMALL)
 /* When |OPENSSL_SMALL| is set, base point multiplication is done with the
 * Montgomery ladder because the Ed25519 code isn't included. */
 void X25519_public_from_private(uint8_t out_public_value[32],
                                const uint8_t private_key[32]) {
  static const uint8_t kMongomeryBasePoint[32] = {9};
  x25519_scalar_mult(out_public_value, private_key, kMongomeryBasePoint);
 }
 #else
 void X25519_public_from_private(uint8_t out_public_value[32],
                                const uint8_t private_key[32]) {
 #if defined(OPENSSL_ARM)
@ -4893,5 +4871,3 @@ void X25519_public_from_private(uint8_t out_public_value[32],
  fe_mul(zplusy, zplusy, zminusy_inv);
  fe_tobytes(out_public_value, zplusy);
 }
 #endif
--- a/crypto/curve25519/ed25519_test.cc
+++ b/crypto/curve25519/ed25519_test.cc
@ -20,15 +20,6 @@
 #include "../test/file_test.h"
 #if defined(OPENSSL_SMALL)
 int main(int argc, char **argv) {
  printf("PASS\n");
  return 0;
 }
 #else
 static bool TestSignature(FileTest *t, void *arg) {
  std::vector<uint8_t> private_key, public_key, message, expected_signature;
  if (!t->GetBytes(&private_key, "PRIV") ||
@ -70,5 +61,3 @@ int main(int argc, char **argv) {
  return FileTestMain(TestSignature, nullptr, argv[1]);
 }
 #endif  /* OPENSSL_SMALL */
--- a/tool/speed.cc
+++ b/tool/speed.cc
@ -405,7 +405,6 @@ static bool Speed25519(const std::string &selected) {
  TimeResults results;
 #if !defined(OPENSSL_SMALL)
  uint8_t public_key[32], private_key[64];
  if (!TimeFunction(&results, [&public_key, &private_key]() -> bool {
@ -438,7 +437,6 @@ static bool Speed25519(const std::string &selected) {
  }
  results.Print("Ed25519 verify");
 #endif
  if (!TimeFunction(&results, []() -> bool {
        uint8_t out[32], in[32];