kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
9362ed9e14
boringssl/crypto/fipsmodule/bn
History
David Benjamin 9362ed9e14 Use a Barrett reduction variant for trial division. 
Compilers use a variant of Barrett reduction to divide by constants,
which conveniently also avoids problematic operations on the secret
numerator. Implement the variant as described here:
http://ridiculousfish.com/blog/posts/labor-of-division-episode-i.html

Repurpose this to implement a constant-time BN_mod_word replacement.
It's even much faster! I've gone ahead and replaced the other
BN_mod_word calls on the primes table.

That should give plenty of budget for the other changes. (I am assuming
that a regression is okay, as RSA keygen is not performance-sensitive,
but that I should avoid anything too dramatic.)

Proof of correctness: https://github.com/davidben/fiat-crypto/blob/barrett/src/Arithmetic/BarrettReduction/RidiculousFish.v

Median of 29 RSA keygens: 0m0.621s -> 0m0.123s
(Accuracy beyond 0.1s is questionable, though this particular
improvement is quite solid.)

Bug: 238
Change-Id: I67fa36ffe522365b13feb503c687b20d91e72932
Reviewed-on: https://boringssl-review.googlesource.com/25887
Reviewed-by: Adam Langley <agl@google.com>
2018-03-28 01:42:18 +00:00
..
asm Merge Intel copyright notice into standard 2018-02-12 21:44:27 +00:00
add.c Add bn_usub_fixed. 2018-03-26 18:53:43 +00:00
bn_test_to_fuzzer.go Generate bn_div and bn_mod_exp corpus from bn_tests.txt. 2017-10-27 18:57:48 +00:00
bn_test.cc Use a Barrett reduction variant for trial division. 2018-03-28 01:42:18 +00:00
bn_tests.txt Use a Barrett reduction variant for trial division. 2018-03-28 01:42:18 +00:00
bn.c Make bn_sqr_recursive constant-time. 2018-02-06 02:47:34 +00:00
bytes.c Simplify BN_bn2bin_padded. 2018-02-06 02:41:38 +00:00
check_bn_tests.go Add some tests for BN_gcd. 2018-03-20 16:08:56 +00:00
cmp.c Make various BIGNUM comparisons constant-time. 2018-03-26 18:53:53 +00:00
ctx.c Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
div.c Return NULL instead of zero in |bn_resized_from_ctx|. 2018-02-10 23:10:54 +00:00
exponentiation.c Remove some easy bn_set_minimal_width calls. 2018-02-05 23:47:14 +00:00
gcd.c Run the comment converter on libcrypto. 2017-08-18 21:49:04 +00:00
generic.c Enable __asm__ and uint128_t code in clang-cl. 2017-12-11 22:46:26 +00:00
internal.h Use a Barrett reduction variant for trial division. 2018-03-28 01:42:18 +00:00
jacobi.c Rename bn->top to bn->width. 2018-02-05 23:44:24 +00:00
montgomery_inv.c Compute mont->RR in constant-time. 2018-02-06 01:40:24 +00:00
montgomery.c Compute mont->RR in constant-time. 2018-02-06 01:40:24 +00:00
mul.c Simplify bn_mul_part_recursive. 2018-02-06 03:04:04 +00:00
prime.c Use a Barrett reduction variant for trial division. 2018-03-28 01:42:18 +00:00
random.c Store EC_KEY's private key as an EC_SCALAR. 2018-03-07 21:17:31 +00:00
rsaz_exp.c Document RSAZ slightly better. 2018-02-15 18:14:04 +00:00
rsaz_exp.h clang-format RSAZ C code. 2018-02-13 22:30:03 +00:00
shift.c Fix 20-year-old typo in BN_mask_bits. 2018-03-08 21:53:06 +00:00
sqrt.c Make BN_mod_*_quick constant-time. 2018-02-06 01:16:04 +00:00