boringssl/crypto/err
David Benjamin a838f9dc7e Make ECDSA signing 10% faster and plug some timing leaks.
None of the asymmetric crypto we inherented from OpenSSL is
constant-time because of BIGNUM. BIGNUM chops leading zeros off the
front of everything, so we end up leaking information about the first
word, in theory. BIGNUM functions additionally tend to take the full
range of inputs and then call into BN_nnmod at various points.

All our secret values should be acted on in constant-time, but k in
ECDSA is a particularly sensitive value. So, ecdsa_sign_setup, in an
attempt to mitigate the BIGNUM leaks, would add a couple copies of the
order.

This does not work at all. k is used to compute two values: k^-1 and kG.
The first operation when computing k^-1 is to call BN_nnmod if k is out
of range. The entry point to our tuned constant-time curve
implementations is to call BN_nnmod if the scalar has too many bits,
which this causes. The result is both corrections are immediately undone
but cause us to do more variable-time work in the meantime.

Replace all these computations around k with the word-based functions
added in the various preceding CLs. In doing so, replace the BN_mod_mul
calls (which internally call BN_nnmod) with Montgomery reduction. We can
avoid taking k^-1 out of Montgomery form, which combines nicely with
Brian Smith's trick in 3426d10119. Along
the way, we avoid some unnecessary mallocs.

BIGNUM still affects the private key itself, as well as the EC_POINTs.
But this should hopefully be much better now. Also it's 10% faster:

Before:
Did 15000 ECDSA P-224 signing operations in 1069117us (14030.3 ops/sec)
Did 18000 ECDSA P-256 signing operations in 1053908us (17079.3 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1087853us (990.9 ops/sec)
Did 473 ECDSA P-521 signing operations in 1069835us (442.1 ops/sec)

After:
Did 16000 ECDSA P-224 signing operations in 1064799us (15026.3 ops/sec)
Did 19000 ECDSA P-256 signing operations in 1007839us (18852.2 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1079413us (998.7 ops/sec)
Did 484 ECDSA P-521 signing operations in 1083616us (446.7 ops/sec)

Change-Id: I2a25e90fc99dac13c0616d0ea45e125a4bd8cca1
Reviewed-on: https://boringssl-review.googlesource.com/23075
Reviewed-by: Adam Langley <agl@google.com>
2017-11-22 22:51:40 +00:00
..
asn1.errordata
bio.errordata
bn.errordata Update BN_enhanced_miller_rabin_primality_test to enforce preconditions and accept BN_prime_checks. 2017-04-21 22:24:01 +00:00
cipher.errordata Enforce incrementing counter for TLS 1.2 AES-GCM. 2017-05-26 20:06:36 +00:00
CMakeLists.txt Move PKCS#7 functions into their own directory. 2017-04-19 17:24:51 +00:00
conf.errordata
dh.errordata
digest.errordata
dsa.errordata
ec.errordata Make ECDSA signing 10% faster and plug some timing leaks. 2017-11-22 22:51:40 +00:00
ecdh.errordata
ecdsa.errordata
engine.errordata
err_data_generate.go
err_test.cc Add the ability to save and restore the error state. 2017-10-09 21:43:13 +00:00
err.c Add the ability to save and restore the error state. 2017-10-09 21:43:13 +00:00
evp.errordata Implement scrypt from RFC 7914. 2017-06-12 20:32:21 +00:00
hkdf.errordata
internal.h Add the ability to save and restore the error state. 2017-10-09 21:43:13 +00:00
obj.errordata Get rid of err function codes. 2015-07-16 02:02:08 +00:00
pem.errordata
pkcs7.errordata Move PKCS#7 functions into their own directory. 2017-04-19 17:24:51 +00:00
pkcs8.errordata Update pkcs8 error data. 2017-03-23 15:07:28 +00:00
rsa.errordata Add RSA_check_fips to support public key validation checks. 2017-04-12 20:00:30 +00:00
ssl.errordata Run TLS 1.3 tests at all variants and fix bugs. 2017-11-20 18:19:18 +00:00
x509.errordata
x509v3.errordata