kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
23af438ccd
boringssl/crypto/fipsmodule/bn
History
David Benjamin 23af438ccd Compute p - q in constant time. 
Expose the constant-time abs_sub functions from the fixed Karatsuba code
in BIGNUM form for RSA to call into. RSA key generation involves
checking if |p - q| is above some lower bound.

BN_sub internally branches on which of p or q is bigger. For any given
iteration, this is not secret---one of p or q is necessarily the larger,
and whether we happened to pick the larger or smaller first is
irrelevant. Accordingly, there is no need to perform the p/q swap at the
end in constant-time.

However, this stage of the algorithm picks p first, sticks with it, and
then computes |p - q| for various q candidates. The distribution of
comparisons leaks information about p. The leak is unlikely to be
problematic, but plug it anyway.

Median of 29 RSA keygens: 0m0.210s -> 0m0.212s
(Accuracy beyond 0.1s is questionable.)

Bug: 238
Change-Id: I024b4e51b364f5ca2bcb419a0393e7be13249aec
Reviewed-on: https://boringssl-review.googlesource.com/26368
Reviewed-by: Adam Langley <alangley@gmail.com>
2018-03-30 19:53:28 +00:00
..
asm Merge Intel copyright notice into standard 2018-02-12 21:44:27 +00:00
add.c Name constant-time functions more consistently. 2018-03-29 23:30:55 +00:00
bn_test_to_fuzzer.go Generate bn_div and bn_mod_exp corpus from bn_tests.txt. 2017-10-27 18:57:48 +00:00
bn_test.cc Compute p - q in constant time. 2018-03-30 19:53:28 +00:00
bn_tests.txt Use a Barrett reduction variant for trial division. 2018-03-28 01:42:18 +00:00
bn.c Don't leak |a| in the primality test. 2018-03-28 01:44:31 +00:00
bytes.c Simplify BN_bn2bin_padded. 2018-02-06 02:41:38 +00:00
check_bn_tests.go Add some tests for BN_gcd. 2018-03-20 16:08:56 +00:00
cmp.c Make various BIGNUM comparisons constant-time. 2018-03-26 18:53:53 +00:00
ctx.c Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
div.c Name constant-time functions more consistently. 2018-03-29 23:30:55 +00:00
exponentiation.c Remove some easy bn_set_minimal_width calls. 2018-02-05 23:47:14 +00:00
gcd.c Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
generic.c Enable __asm__ and uint128_t code in clang-cl. 2017-12-11 22:46:26 +00:00
internal.h Compute p - q in constant time. 2018-03-30 19:53:28 +00:00
jacobi.c Rename bn->top to bn->width. 2018-02-05 23:44:24 +00:00
montgomery_inv.c Name constant-time functions more consistently. 2018-03-29 23:30:55 +00:00
montgomery.c Name constant-time functions more consistently. 2018-03-29 23:30:55 +00:00
mul.c Compute p - q in constant time. 2018-03-30 19:53:28 +00:00
prime.c Change the order of GCD and trial division. 2018-03-30 19:53:06 +00:00
random.c Blind the range check for finding a Rabin-Miller witness. 2018-03-29 22:02:24 +00:00
rsaz_exp.c Document RSAZ slightly better. 2018-02-15 18:14:04 +00:00
rsaz_exp.h clang-format RSAZ C code. 2018-02-13 22:30:03 +00:00
shift.c Don't leak |a| in the primality test. 2018-03-28 01:44:31 +00:00
sqrt.c Name constant-time functions more consistently. 2018-03-29 23:30:55 +00:00