kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
8eadca50a2
boringssl/crypto/fipsmodule/bn
History
David Benjamin 8eadca50a2 Don't leak |a| in the primality test. 
(This is actually slightly silly as |a|'s probability distribution falls
off exponentially, but it's easy enough to do right.)

Instead, we run the loop to the end. This is still performant because we
can, as before, return early on composite numbers. Only two calls
actually run to the end. Moreover, running to the end has comparable
cost to BN_mod_exp_mont_consttime.

Median time goes from 0.140s to 0.231s. That cost some, but we're still
faster than the original implementation.

We're down to one more leak, which is that the BN_rand_range_ex call
does not hide |w1|. That one may only be solved probabilistically...

Median of 29 RSA keygens: 0m0.123s -> 0m0.145s
(Accuracy beyond 0.1s is questionable.)

Bug: 238
Change-Id: I4847cb0053118c572d2dd5f855388b5199fa6ce2
Reviewed-on: https://boringssl-review.googlesource.com/25888
Reviewed-by: Adam Langley <agl@google.com>
2018-03-28 01:44:31 +00:00
..
asm Merge Intel copyright notice into standard 2018-02-12 21:44:27 +00:00
add.c Add bn_usub_fixed. 2018-03-26 18:53:43 +00:00
bn_test_to_fuzzer.go Generate bn_div and bn_mod_exp corpus from bn_tests.txt. 2017-10-27 18:57:48 +00:00
bn_test.cc Don't leak |a| in the primality test. 2018-03-28 01:44:31 +00:00
bn_tests.txt Use a Barrett reduction variant for trial division. 2018-03-28 01:42:18 +00:00
bn.c Don't leak |a| in the primality test. 2018-03-28 01:44:31 +00:00
bytes.c Simplify BN_bn2bin_padded. 2018-02-06 02:41:38 +00:00
check_bn_tests.go Add some tests for BN_gcd. 2018-03-20 16:08:56 +00:00
cmp.c Make various BIGNUM comparisons constant-time. 2018-03-26 18:53:53 +00:00
ctx.c Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
div.c Return NULL instead of zero in |bn_resized_from_ctx|. 2018-02-10 23:10:54 +00:00
exponentiation.c Remove some easy bn_set_minimal_width calls. 2018-02-05 23:47:14 +00:00
gcd.c Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
generic.c Enable __asm__ and uint128_t code in clang-cl. 2017-12-11 22:46:26 +00:00
internal.h Don't leak |a| in the primality test. 2018-03-28 01:44:31 +00:00
jacobi.c Rename bn->top to bn->width. 2018-02-05 23:44:24 +00:00
montgomery_inv.c Compute mont->RR in constant-time. 2018-02-06 01:40:24 +00:00
montgomery.c Compute mont->RR in constant-time. 2018-02-06 01:40:24 +00:00
mul.c Simplify bn_mul_part_recursive. 2018-02-06 03:04:04 +00:00
prime.c Don't leak |a| in the primality test. 2018-03-28 01:44:31 +00:00
random.c Store EC_KEY's private key as an EC_SCALAR. 2018-03-07 21:17:31 +00:00
rsaz_exp.c Document RSAZ slightly better. 2018-02-15 18:14:04 +00:00
rsaz_exp.h clang-format RSAZ C code. 2018-02-13 22:30:03 +00:00
shift.c Don't leak |a| in the primality test. 2018-03-28 01:44:31 +00:00
sqrt.c Make BN_mod_*_quick constant-time. 2018-02-06 01:16:04 +00:00