[Cryptech-Commits] [sw/libhal] 03/04: Use ModExp fast mode for Miller-Rabin tests.

git at cryptech.is git at cryptech.is
Mon Jul 24 15:51:25 UTC 2017


This is an automated email from the git hooks/post-receive script.

sra at hactrn.net pushed a commit to branch master
in repository sw/libhal.

commit c669159880c4b9564b8176c113e3c0778ca55851
Author: Rob Austein <sra at hactrn.net>
AuthorDate: Mon Jul 24 08:10:41 2017 -0400

    Use ModExp fast mode for Miller-Rabin tests.
    
    Trying to make RSA key generation run in constant time is probably
    both futile and unnecessary, so we can speed it up a bit by switching
    the ModExpA7 core to use "fast" mode rather than "constant time" mode.
    
    Sadly, while this change produces a measurable improvement, it
    doesn't bring FPGA ModExp anywhere near the speed of the software
    equivalent in this case.  Don't really know why.
---
 modexp.c | 7 ++++---
 rsa.c    | 4 +++-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/modexp.c b/modexp.c
index f097f33..3e634aa 100644
--- a/modexp.c
+++ b/modexp.c
@@ -182,8 +182,9 @@ hal_error_t hal_modexp(hal_core_t *core,
    * We probably ought to take the mode (fast vs constant-time) as an
    * argument, but for the moment we just guess that really short
    * exponent means we're using the public key and can use fast mode,
-   * all other cases are something to do with the private key and
-   * therefore must use constant-time mode.
+   * really short messages are Miller-Rabin tests and can also use
+   * fast mode, all other cases are something to do with the private
+   * key and therefore must use constant-time mode.
    *
    * Unclear whether it's worth trying to figure out exactly how long
    * the operands are: assuming a multiple of eight is safe, but makes
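Review bot: the widened heuristic in this comment ("really short messages are Miller-Rabin tests and can also use fast mode") infers the security-relevant mode from operand sizes the caller happens to pass rather than from the caller's intent, and the comment already concedes that the mode "ought to be" an argument. Since this change increases the number of cases that depend on the guess, consider adding an explicit fast/constant-time parameter to hal_modexp now, so the key-generation path in rsa.c asks for fast mode by name and the private-key paths cannot end up in it because of an operand's size.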
@@ -194,7 +195,7 @@ hal_error_t hal_modexp(hal_core_t *core,
    */
 
   /* Select mode (1 = fast, 0 = safe) */
-  check(set_register(core, MODEXPS6_ADDR_MODE, (exp_len <= 4)));
+  check(set_register(core, MODEXPS6_ADDR_MODE, (exp_len <= 4 || msg_len <= 4)));
 
   /* Set modulus size in bits */
   check(set_register(core, MODEXPS6_ADDR_MODULUS_WIDTH, mod_len * 8));
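Review bot: `check(set_register(core, MODEXPS6_ADDR_MODE, (exp_len <= 4 || msg_len <= 4)));` selects the timing-variable fast mode whenever the base fits in four bytes, independent of the exponent, so a private-key exponentiation whose base happens to be small would now run in the mode the comment reserves for public-key work, whereas before only a short exponent triggered it. Please confirm that `msg_len` here is the message-length parameter of hal_modexp (the hunk does not show its declaration), and at minimum document at the call sites that private-exponent callers must not rely on this guess; an explicit mode argument would remove the ambiguity.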
diff --git a/rsa.c b/rsa.c
index d2a7798..6fde683 100644
--- a/rsa.c
+++ b/rsa.c
@@ -207,10 +207,11 @@ static hal_error_t modexp(hal_core_t *core,
     msg = reduced_msg;
   }
 
+  const size_t msg_len = (fp_unsigned_bin_size(unconst_fp_int(msg)) + 3) & ~3;
   const size_t exp_len = (fp_unsigned_bin_size(unconst_fp_int(exp)) + 3) & ~3;
   const size_t mod_len = (fp_unsigned_bin_size(unconst_fp_int(mod)) + 3) & ~3;
 
-  uint8_t msgbuf[mod_len];
+  uint8_t msgbuf[msg_len];
   uint8_t expbuf[exp_len];
   uint8_t modbuf[mod_len];
   uint8_t resbuf[mod_len];
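Review bot: `const size_t msg_len = (fp_unsigned_bin_size(unconst_fp_int(msg)) + 3) & ~3;` can evaluate to 0 when the reduced `msg` is zero, which makes `uint8_t msgbuf[msg_len];` a zero-length VLA, undefined behaviour in C; previously the buffer was always `mod_len` bytes, so this edge case did not exist. Suggest clamping `msg_len` to a minimum of 4 (or falling back to `mod_len` when the size is 0), and please confirm that hal_modexp zero-fills the message operand up to the modulus width when it is handed a buffer shorter than `mod_len`, since every earlier caller passed a full-width message buffer.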
@@ -231,6 +232,7 @@ static hal_error_t modexp(hal_core_t *core,
   memset(msgbuf, 0, sizeof(msgbuf));
   memset(expbuf, 0, sizeof(expbuf));
   memset(modbuf, 0, sizeof(modbuf));
+  memset(resbuf, 0, sizeof(resbuf));
   return err;
 }
 
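Review bot: the added `memset(resbuf, 0, sizeof(resbuf));`, like the three existing memsets above it, is a store to an automatic array immediately before `return err;`, so an optimizing compiler is entitled to treat it as dead and drop it, leaving the result (and the private-key operands) on the stack. If libhal has a wipe helper the compiler cannot elide (a `memset_s`/`explicit_bzero` equivalent or a volatile-pointer loop), use it for all four buffers rather than plain `memset`.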