From eb7c3008cc85c9cfedca7690f147f5773483f941 Mon Sep 17 00:00:00 2001
From: Adam Langley
Date: Fri, 30 Mar 2018 15:11:47 -0700
Subject: [PATCH] Only do 16 iterations to blind the primality test.

With this, in 0.02% of 1024-bit primes (which is what's used with an RSA 2048 generation), we'll leak that we struggled to generate values less than the prime. I.e. that there's a greater likelihood of zero bits after the leading 1 bit in the prime. But this recovers all the speed loss from making key generation constant-time, and then some.

Did 273 RSA 2048 key-gen operations in 30023223us (9.1 ops/sec)
  min: 23867us, median: 93688us, max: 421466us
Did 66 RSA 3072 key-gen operations in 30041763us (2.2 ops/sec)
  min: 117044us, median: 402095us, max: 1096538us
Did 31 RSA 4096 key-gen operations in 31673405us (1.0 ops/sec)
  min: 245109us, median: 769480us, max: 2659386us

Change-Id: Id82dedde35f5fbb36b278189c0685a13c7824590
Reviewed-on: https://boringssl-review.googlesource.com/26924
Reviewed-by: Adam Langley
---
 crypto/fipsmodule/bn/prime.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/crypto/fipsmodule/bn/prime.c b/crypto/fipsmodule/bn/prime.c
index aff237fd..35b1034d 100644
--- a/crypto/fipsmodule/bn/prime.c
+++ b/crypto/fipsmodule/bn/prime.c
@@ -359,8 +359,9 @@ import math
 # selecting one in range is at least sqrt(2)/2.
 p = math.sqrt(2) / 2
-# Target a 2^-80 probability of the blinding being insufficient.
-epsilon = 2**-80
+# Target around 2^-8 probability of the blinding being insufficient given that
+# key generation is a one-time, noisy operation.
+epsilon = 2**-8
 def choose(a, b):
   r = 1
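Review bot: The new comment above `epsilon = 2**-8` gives the reason for the weaker target ("one-time, noisy operation") but not what an insufficient blinding actually exposes, which is the fact a future reader needs to re-evaluate the trade-off; the commit message states it, and it belongs next to the parameter. Suggest appending `# When blinding is insufficient, timing reveals only that candidates below the prime were hard to generate, i.e. a greater likelihood of zero bits after the leading 1 bit; see BN_PRIME_CHECKS_BLINDED.` The "one-time" assumption also deserves a sentence, since a deployment that generates many keys meets the roughly 2^-8 event in proportion to the number of keys, so the per-key trade-off is paid on every key rather than once. This hunk is inside the Python script embedded in the C comment; the script begins before the hunk and the `choose` body continues after it.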
@@ -389,19 +390,19 @@ for min_uniform in (3, 4, 5, 6, 8, 13, 19, 28):
   iterations += 1
 Output:
- 3 53 4.43927387758e-25
- 4 56 5.4559565573e-25
- 5 59 5.47044804496e-25
- 6 62 4.74781795233e-25
- 8 67 8.11486028886e-25
- 13 80 5.52341867763e-25
- 19 94 5.74309668718e-25
- 28 114 4.39583733951e-25
+ 3 9 0.00368894873911
+ 4 11 0.00363319494662
+ 5 13 0.00336215573898
+ 6 15 0.00300145783158
+ 8 19 0.00225214119331
+ 13 27 0.00385610026955
+ 19 38 0.0021410539126
+ 28 52 0.00325405801769
-64 iterations suffices for 400-bit primes and larger (6 uniform samples needed),
+16 iterations suffices for 400-bit primes and larger (6 uniform samples needed),
 which is already well below the minimum acceptable key size for RSA.
 */
-#define BN_PRIME_CHECKS_BLINDED 64
+#define BN_PRIME_CHECKS_BLINDED 16
 static int probable_prime(BIGNUM *rnd, int bits);
 static int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add,
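Review bot: `#define BN_PRIME_CHECKS_BLINDED 16` is derived from the `6 15 0.00300145783158` row of the table (rounded up) and from `epsilon` in the script above, but nothing at the definition records that dependency, so a later edit to either side silently desynchronises them. Suggest a comment on the define: `// From the table above with epsilon = 2^-8: 6 uniform samples (>= 400-bit primes) need 15 iterations; rounded up to 16. Re-run the script if epsilon changes.` The commit message's "0.02% of 1024-bit primes" figure and the table's failure probabilities (0.002 to 0.0039, i.e. 0.2% to 0.4%) do not obviously agree; if the 0.02% comes from a different accounting it is worth stating in the comment so the two numbers can be reconciled. The code that consumes this constant, and presumably what it falls back to once the iterations are exhausted, lies outside the hunk; that fallback path is where the leak described in the commit message is actually determined and should be checked against this description.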