Only do 16 iterations to blind the primality test.

With this, in 0.02% of 1024-bit primes (which is what's used with an RSA 2048 generation), we'll leak that we struggled to generate values less than the prime. I.e. that there's a greater likelihood of zero bits after the leading 1 bit in the prime. But this recovers all the speed loss from making key generation constant-time, and then some. Did 273 RSA 2048 key-gen operations in 30023223us (9.1 ops/sec) min: 23867us, median: 93688us, max: 421466us Did 66 RSA 3072 key-gen operations in 30041763us (2.2 ops/sec) min: 117044us, median: 402095us, max: 1096538us Did 31 RSA 4096 key-gen operations in 31673405us (1.0 ops/sec) min: 245109us, median: 769480us, max: 2659386us Change-Id: Id82dedde35f5fbb36b278189c0685a13c7824590 Reviewed-on: https://boringssl-review.googlesource.com/26924 Reviewed-by: Adam Langley <alangley@gmail.com>
2018-03-30 15:11:47 -07:00 · 2018-03-30 15:11:47 -07:00 · eb7c3008cc
commit eb7c3008cc
parent a0f1c8e3b1
1 changed files with 13 additions and 12 deletions
--- a/crypto/fipsmodule/bn/prime.c
+++ b/crypto/fipsmodule/bn/prime.c
@ -359,8 +359,9 @@ import math
 # selecting one in range is at least sqrt(2)/2.
 p = math.sqrt(2) / 2

-# Target a 2^-80 probability of the blinding being insufficient.
-epsilon = 2**-80
+# Target around 2^-8 probability of the blinding being insufficient given that
+# key generation is a one-time, noisy operation.
+epsilon = 2**-8

 def choose(a, b):
  r = 1
@ -389,19 +390,19 @@ for min_uniform in (3, 4, 5, 6, 8, 13, 19, 28):
    iterations += 1

 Output:
-  3 53 4.43927387758e-25
-  4 56 5.4559565573e-25
-  5 59 5.47044804496e-25
-  6 62 4.74781795233e-25
-  8 67 8.11486028886e-25
-  13 80 5.52341867763e-25
-  19 94 5.74309668718e-25
-  28 114 4.39583733951e-25
+  3 9 0.00368894873911
+  4 11 0.00363319494662
+  5 13 0.00336215573898
+  6 15 0.00300145783158
+  8 19 0.00225214119331
+  13 27 0.00385610026955
+  19 38 0.0021410539126
+  28 52 0.00325405801769

-64 iterations suffices for 400-bit primes and larger (6 uniform samples needed),
+16 iterations suffices for 400-bit primes and larger (6 uniform samples needed),
 which is already well below the minimum acceptable key size for RSA.
 */
-#define BN_PRIME_CHECKS_BLINDED 64
+#define BN_PRIME_CHECKS_BLINDED 16

 static int probable_prime(BIGNUM *rnd, int bits);
 static int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add,