kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
9af9b946d2
boringssl/crypto
History
David Benjamin 9af9b946d2 Restore the BN_mod codepath for public Montgomery moduli. 
https://boringssl-review.googlesource.com/10520 and then later
https://boringssl-review.googlesource.com/25285 made BN_MONT_CTX_set
constant-time, which is necessary for RSA's mont_p and mont_q. However,
due to a typo in the benchmark, they did not correctly measure.

Split BN_MONT_CTX creation into a constant-time and variable-time one.
The constant-time one uses our current algorithm and the latter restores
the original BN_mod codepath.

Should we wish to avoid BN_mod, I have an alternate version lying
around:

First, BN_set_bit + bn_mod_lshift1_consttime as now to count up to 2*R.
Next, observe that 2*R = BN_to_montgomery(2) and R*R =
BN_to_montgomery(R) = BN_to_montgomery(2^r_bits) Also observe that
BN_mod_mul_montgomery only needs n0, not RR. Split the core of
BN_mod_exp_mont into its own function so the caller handles conversion.
Raise 2*R to the r_bits power to get 2^r_bits*R = R*R.

The advantage of that algorithm is that it is still constant-time, so we
only need one BN_MONT_CTX_new. Additionally, it avoids BN_mod which is
otherwise (almost, but the remaining links should be easy to cut) out of
the critical path for correctness. One less operation to worry about.

The disadvantage is that it is gives a 25% (RSA-2048) or 32% (RSA-4096)
slower RSA verification speed. I went with the BN_mod one for the time
being.

Before:
Did 9204 RSA 2048 signing operations in 10052053us (915.6 ops/sec)
Did 326000 RSA 2048 verify (same key) operations in 10028823us (32506.3 ops/sec)
Did 50830 RSA 2048 verify (fresh key) operations in 10033794us (5065.9 ops/sec)
Did 1269 RSA 4096 signing operations in 10019204us (126.7 ops/sec)
Did 88435 RSA 4096 verify (same key) operations in 10031129us (8816.1 ops/sec)
Did 14552 RSA 4096 verify (fresh key) operations in 10053411us (1447.5 ops/sec)

After:
Did 9150 RSA 2048 signing operations in 10022831us (912.9 ops/sec)
Did 322000 RSA 2048 verify (same key) operations in 10028604us (32108.2 ops/sec)
Did 289000 RSA 2048 verify (fresh key) operations in 10017205us (28850.4 ops/sec)
Did 1270 RSA 4096 signing operations in 10072950us (126.1 ops/sec)
Did 87480 RSA 4096 verify (same key) operations in 10036328us (8716.3 ops/sec)
Did 80730 RSA 4096 verify (fresh key) operations in 10073614us (8014.0 ops/sec)

Change-Id: Ie8916d1634ccf8513ceda458fa302f09f3e93c07
Reviewed-on: https://boringssl-review.googlesource.com/27287
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
Reviewed-by: Adam Langley <agl@google.com>
2018-04-20 20:50:15 +00:00
..
asn1 Avoid modifying stack in sk_find. 2018-04-12 21:02:12 +00:00
base64
bio Remove files from Trusty which can't link because of Trusty libc. 2018-04-19 19:06:58 +00:00
bn_extra Rename bn->top to bn->width. 2018-02-05 23:44:24 +00:00
buf Always process handshake records in full. 2017-10-17 14:53:11 +00:00
bytestring bytestring: document that |CBS_get_optional_asn1| can have a NULL output. 2018-03-19 20:22:25 +00:00
chacha Sync up some perlasm license headers and easy fixes. 2018-02-11 01:00:35 +00:00
cipher_extra Avoid some divisions in Lucky 13 fix. 2018-04-17 15:13:55 +00:00
cmac
conf Add more compatibility symbols for Node. 2017-11-03 01:31:50 +00:00
curve25519 Require that Ed25519 |s| values be < order. 2018-02-02 20:45:08 +00:00
dh Fx DH_set0_pqg. 2017-10-05 18:50:48 +00:00
digest_extra
dsa Remove DSA k+q kludge. 2018-02-06 00:51:54 +00:00
ec_extra Store EC_KEY's private key as an EC_SCALAR. 2018-03-07 21:17:31 +00:00
ecdh Store EC_KEY's private key as an EC_SCALAR. 2018-03-07 21:17:31 +00:00
ecdsa_extra Remove ECDSA_sign_setup and friends. 2017-11-22 20:23:40 +00:00
engine
err Check d is mostly-reduced in RSA_check_key. 2018-03-30 19:54:10 +00:00
evp Perform the RSA CRT reductions with Montgomery reduction. 2017-12-18 18:59:18 +00:00
fipsmodule Restore the BN_mod codepath for public Montgomery moduli. 2018-04-20 20:50:15 +00:00
hkdf
hmac_extra
lhash Unexport more of lhash. 2017-10-25 04:17:18 +00:00
obj Also add a decoupled OBJ_obj2txt. 2017-11-30 18:21:48 +00:00
pem Clear some _CRT_SECURE_NO_WARNINGS warnings. 2017-10-25 04:14:28 +00:00
perlasm Sync up some perlasm license headers and easy fixes. 2018-02-11 01:00:35 +00:00
pkcs7
pkcs8
poly1305 Remove custom memcpy and memset from poly1305_vec. 2017-11-10 20:53:30 +00:00
pool
rand_extra
rc4
rsa_extra Check d is mostly-reduced in RSA_check_key. 2018-03-30 19:54:10 +00:00
stack Avoid modifying stack in sk_find. 2018-04-12 21:02:12 +00:00
test Support KAS tests for NIAP. 2018-01-16 22:57:01 +00:00
x509 Remove files from Trusty which can't link because of Trusty libc. 2018-04-19 19:06:58 +00:00
x509v3 Avoid modifying stack in sk_find. 2018-04-12 21:02:12 +00:00
CMakeLists.txt Add cpu-aarch64-fuchsia.c 2018-02-13 20:12:47 +00:00
compiler_test.cc
constant_time_test.cc Add a test for CRYPTO_memcmp. 2018-03-27 16:22:47 +00:00
cpu-aarch64-fuchsia.c Add cpu-aarch64-fuchsia.c 2018-02-13 20:12:47 +00:00
cpu-aarch64-linux.c Add cpu-aarch64-fuchsia.c 2018-02-13 20:12:47 +00:00
cpu-arm-linux.c
cpu-arm.c
cpu-intel.c Change OPENSSL_cpuid_setup to reserve more extended feature space. 2018-04-19 20:48:58 +00:00
cpu-ppc64le.c
crypto.c Add an OPENSSL_malloc_init stub. 2018-04-13 17:30:44 +00:00
ex_data.c Unexport more of lhash. 2017-10-25 04:17:18 +00:00
internal.h Move OPENSSL_FALLTHROUGH to internal headers. 2018-01-29 18:17:57 +00:00
mem.c Remove unused strings.h #include from crypto/mem.c 2018-02-14 01:40:23 +00:00
refcount_c11.c
refcount_lock.c
refcount_test.cc
self_test.cc Extract FIPS KAT tests into a function. 2018-01-22 20:16:38 +00:00
thread_none.c
thread_pthread.c Delete |pthread_key_t| on dlclose. 2018-02-20 19:53:24 +00:00
thread_test.cc
thread_win.c
thread.c