boringssl/crypto/fipsmodule/bn
David Benjamin a838f9dc7e Make ECDSA signing 10% faster and plug some timing leaks.
None of the asymmetric crypto we inherented from OpenSSL is
constant-time because of BIGNUM. BIGNUM chops leading zeros off the
front of everything, so we end up leaking information about the first
word, in theory. BIGNUM functions additionally tend to take the full
range of inputs and then call into BN_nnmod at various points.

All our secret values should be acted on in constant-time, but k in
ECDSA is a particularly sensitive value. So, ecdsa_sign_setup, in an
attempt to mitigate the BIGNUM leaks, would add a couple copies of the
order.

This does not work at all. k is used to compute two values: k^-1 and kG.
The first operation when computing k^-1 is to call BN_nnmod if k is out
of range. The entry point to our tuned constant-time curve
implementations is to call BN_nnmod if the scalar has too many bits,
which this causes. The result is both corrections are immediately undone
but cause us to do more variable-time work in the meantime.

Replace all these computations around k with the word-based functions
added in the various preceding CLs. In doing so, replace the BN_mod_mul
calls (which internally call BN_nnmod) with Montgomery reduction. We can
avoid taking k^-1 out of Montgomery form, which combines nicely with
Brian Smith's trick in 3426d10119. Along
the way, we avoid some unnecessary mallocs.

BIGNUM still affects the private key itself, as well as the EC_POINTs.
But this should hopefully be much better now. Also it's 10% faster:

Before:
Did 15000 ECDSA P-224 signing operations in 1069117us (14030.3 ops/sec)
Did 18000 ECDSA P-256 signing operations in 1053908us (17079.3 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1087853us (990.9 ops/sec)
Did 473 ECDSA P-521 signing operations in 1069835us (442.1 ops/sec)

After:
Did 16000 ECDSA P-224 signing operations in 1064799us (15026.3 ops/sec)
Did 19000 ECDSA P-256 signing operations in 1007839us (18852.2 ops/sec)
Did 1078 ECDSA P-384 signing operations in 1079413us (998.7 ops/sec)
Did 484 ECDSA P-521 signing operations in 1083616us (446.7 ops/sec)

Change-Id: I2a25e90fc99dac13c0616d0ea45e125a4bd8cca1
Reviewed-on: https://boringssl-review.googlesource.com/23075
Reviewed-by: Adam Langley <agl@google.com>
2017-11-22 22:51:40 +00:00
..
asm Use dec/jnz instead of loop in bn_add_words and bn_sub_words. 2017-11-22 21:56:05 +00:00
add.c
bn_test_to_fuzzer.go
bn_test.cc Add bn_mod_exp_mont_small and bn_mod_inverse_prime_mont_small. 2017-11-20 16:23:48 +00:00
bn_tests.txt Add bn_mul_small and bn_sqr_small. 2017-11-20 16:22:30 +00:00
bn.c
bytes.c
check_bn_tests.go
cmp.c Make BN_generate_dsa_nonce internally constant-time. 2017-11-20 16:18:30 +00:00
ctx.c
div.c Align |BN_div| with its documentation. 2017-11-06 22:55:30 +00:00
exponentiation.c Add bn_mod_exp_mont_small and bn_mod_inverse_prime_mont_small. 2017-11-20 16:23:48 +00:00
gcd.c
generic.c Const-correct some of the low-level BIGNUM functions. 2017-11-20 16:20:40 +00:00
internal.h Make ECDSA signing 10% faster and plug some timing leaks. 2017-11-22 22:51:40 +00:00
jacobi.c
montgomery_inv.c
montgomery.c Add "small" variants of Montgomery logic. 2017-11-20 16:23:01 +00:00
mul.c Include a couple of missing header files. 2017-11-20 20:36:38 +00:00
prime.c
random.c Make ECDSA signing 10% faster and plug some timing leaks. 2017-11-22 22:51:40 +00:00
rsaz_exp.c
rsaz_exp.h
shift.c Add bn_mod_exp_mont_small and bn_mod_inverse_prime_mont_small. 2017-11-20 16:23:48 +00:00
sqrt.c