Only do 16 iterations to blind the primality test.
With this, in 0.02% of 1024-bit primes (which is what's used with an RSA 2048 generation), we'll leak that we struggled to generate values less than the prime. I.e. that there's a greater likelihood of zero bits after the leading 1 bit in the prime. But this recovers all the speed loss from making key generation constant-time, and then some. Did 273 RSA 2048 key-gen operations in 30023223us (9.1 ops/sec) min: 23867us, median: 93688us, max: 421466us Did 66 RSA 3072 key-gen operations in 30041763us (2.2 ops/sec) min: 117044us, median: 402095us, max: 1096538us Did 31 RSA 4096 key-gen operations in 31673405us (1.0 ops/sec) min: 245109us, median: 769480us, max: 2659386us Change-Id: Id82dedde35f5fbb36b278189c0685a13c7824590 Reviewed-on: https://boringssl-review.googlesource.com/26924 Reviewed-by: Adam Langley <alangley@gmail.com>
This commit is contained in:
Adam Langley
parent
a0f1c8e3b1
commit
eb7c3008cc
@ -359,8 +359,9 @@ import math
|
|||||||
# selecting one in range is at least sqrt(2)/2.
|
# selecting one in range is at least sqrt(2)/2.
|
||||||
p = math.sqrt(2) / 2
|
p = math.sqrt(2) / 2
|
||||||
|
|
||||||
# Target a 2^-80 probability of the blinding being insufficient.
|
# Target around 2^-8 probability of the blinding being insufficient given that
|
||||||
epsilon = 2**-80
|
# key generation is a one-time, noisy operation.
|
||||||
|
epsilon = 2**-8
|
||||||
|
|
||||||
def choose(a, b):
|
def choose(a, b):
|
||||||
r = 1
|
r = 1
|
||||||
@ -389,19 +390,19 @@ for min_uniform in (3, 4, 5, 6, 8, 13, 19, 28):
|
|||||||
iterations += 1
|
iterations += 1
|
||||||
|
|
||||||
Output:
|
Output:
|
||||||
3 53 4.43927387758e-25
|
3 9 0.00368894873911
|
||||||
4 56 5.4559565573e-25
|
4 11 0.00363319494662
|
||||||
5 59 5.47044804496e-25
|
5 13 0.00336215573898
|
||||||
6 62 4.74781795233e-25
|
6 15 0.00300145783158
|
||||||
8 67 8.11486028886e-25
|
8 19 0.00225214119331
|
||||||
13 80 5.52341867763e-25
|
13 27 0.00385610026955
|
||||||
19 94 5.74309668718e-25
|
19 38 0.0021410539126
|
||||||
28 114 4.39583733951e-25
|
28 52 0.00325405801769
|
||||||
|
|
||||||
64 iterations suffices for 400-bit primes and larger (6 uniform samples needed),
|
16 iterations suffices for 400-bit primes and larger (6 uniform samples needed),
|
||||||
which is already well below the minimum acceptable key size for RSA.
|
which is already well below the minimum acceptable key size for RSA.
|
||||||
*/
|
*/
|
||||||
#define BN_PRIME_CHECKS_BLINDED 64
|
#define BN_PRIME_CHECKS_BLINDED 16
|
||||||
|
|
||||||
static int probable_prime(BIGNUM *rnd, int bits);
|
static int probable_prime(BIGNUM *rnd, int bits);
|
||||||
static int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add,
|
static int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add,
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user