[Cryptech-Commits] [sw/libhal] 04/04: Split compile-time control of RSA ModExp.

git at cryptech.is git at cryptech.is
Mon Jul 24 15:51:26 UTC 2017



sra at hactrn.net pushed a commit to branch master
in repository sw/libhal.

commit 19f92790c2f9fc7f4e019d7b20663453606f210f
Author: Rob Austein <sra at hactrn.net>
AuthorDate: Mon Jul 24 11:40:12 2017 -0400

    Split compile-time control of RSA ModExp.
    
    At least for now, the speed tradeoff between software ModExp and our
    Verilog ModExp core differs significantly between signature and key
    generation.  We don't really know why, but since key generation does
    not need to be constant time, we split out control over whether to use
    the software or FPGA implementation, so that we can use the FPGA for
    signature while using software for key generation.
    
    Revisit this if and when we figure out what the bottleneck is, as well
    as any time that the FPGA core itself changes significantly.
---
 Makefile |  8 ++++----
 rsa.c    | 63 ++++++++++++++++++++++++++++++++++++++-------------------------
 2 files changed, 42 insertions(+), 29 deletions(-)

diff --git a/Makefile b/Makefile
index 866cb2b..ae6888d 100644
--- a/Makefile
+++ b/Makefile
@@ -175,28 +175,28 @@ endif
 
 ifeq "${RPC_MODE}" "none"
   OBJ += ${CORE_OBJ}
-  CFLAGS += -DHAL_RSA_USE_MODEXP=${RSA_USE_MODEXP_CORE}
+  CFLAGS += -DHAL_RSA_SIGN_USE_MODEXP=${RSA_USE_MODEXP_CORE}
   CFLAGS += -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=${HASH_ONLY_USE_SOFT_CORES}
   CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER=${ECDSA_USE_ECDSA256_CORE}
   CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER=${ECDSA_USE_ECDSA384_CORE}
 else ifeq "${RPC_MODE}" "server"
   OBJ += ${CORE_OBJ} ${RPC_SERVER_OBJ}
   CFLAGS += -DRPC_CLIENT=RPC_CLIENT_LOCAL
-  CFLAGS += -DHAL_RSA_USE_MODEXP=${RSA_USE_MODEXP_CORE}
+  CFLAGS += -DHAL_RSA_SIGN_USE_MODEXP=${RSA_USE_MODEXP_CORE}
   CFLAGS += -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=${HASH_ONLY_USE_SOFT_CORES}
   CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER=${ECDSA_USE_ECDSA256_CORE}
   CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER=${ECDSA_USE_ECDSA384_CORE}
 else ifeq "${RPC_MODE}" "client-simple"
   OBJ += ${RPC_CLIENT_OBJ}
   CFLAGS += -DRPC_CLIENT=RPC_CLIENT_REMOTE
-  CFLAGS += -DHAL_RSA_USE_MODEXP=0
+  CFLAGS += -DHAL_RSA_SIGN_USE_MODEXP=0
   CFLAGS += -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=1
   CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER=0
   CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER=0
 else ifeq "${RPC_MODE}" "client-mixed"
   OBJ += ${RPC_CLIENT_OBJ}
   CFLAGS += -DRPC_CLIENT=RPC_CLIENT_MIXED
-  CFLAGS += -DHAL_RSA_USE_MODEXP=0
+  CFLAGS += -DHAL_RSA_SIGN_USE_MODEXP=0
   CFLAGS += -DHAL_ONLY_USE_SOFTWARE_HASH_CORES=1
   CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA256_MULTIPLIER=0
   CFLAGS += -DHAL_ECDSA_VERILOG_ECDSA384_MULTIPLIER=0
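Review bot: The new keygen selector that rsa.c introduces in this same commit (`HAL_RSA_KEYGEN_USE_MODEXP`) has no counterpart in this hunk, so unlike the sign, hash and ECDSA core choices it cannot be set per `RPC_MODE` from the build and silently falls back to whatever default rsa.c picks. I would add a `CFLAGS += -DHAL_RSA_KEYGEN_USE_MODEXP=${RSA_KEYGEN_USE_MODEXP_CORE}` line next to each `HAL_RSA_SIGN_USE_MODEXP` line in the `none` and `server` branches, and `CFLAGS += -DHAL_RSA_KEYGEN_USE_MODEXP=0` in the `client-simple` and `client-mixed` branches where every core is already forced off. The variable's default would belong beside the existing `RSA_USE_MODEXP_CORE` definition, which is outside this hunk, and a one-line comment there should say that the keygen setting is only honoured when the sign setting is nonzero, since that is how rsa.c guards it.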
diff --git a/rsa.c b/rsa.c
index 6fde683..eeb611c 100644
--- a/rsa.c
+++ b/rsa.c
@@ -78,12 +78,15 @@
 #include "asn1_internal.h"
 
 /*
- * Whether to use ModExp core.  It works, but at the moment it's so
- * slow that a full test run can take more than an hour.
+ * Whether to use ModExp core.  It works, but it's painfully slow.
  */
 
-#ifndef HAL_RSA_USE_MODEXP
-#define HAL_RSA_USE_MODEXP 1
+#ifndef HAL_RSA_SIGN_USE_MODEXP
+#define HAL_RSA_SIGN_USE_MODEXP 1
+#endif
+
+#ifndef HAL_RSA_KEYGEN_USE_MODEXP
+#define HAL_RSA_KEYGEN_USE_MODEXP 0
 #endif
 
 #if defined(RPC_CLIENT) && RPC_CLIENT != RPC_CLIENT_LOCAL
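Review bot: The header comment above the two new `#ifndef` blocks still reads as if there were a single switch ("Whether to use ModExp core") and calls the core "painfully slow", while the comment rewritten later in this same commit says the ModExpA7 core now performs about as well as the software implementation; one of the two is stale, and neither explains why there are now two macros. I would replace it with a comment that names both: `HAL_RSA_SIGN_USE_MODEXP` selects the core for the RSA private-key operation, `HAL_RSA_KEYGEN_USE_MODEXP` selects it for the Miller-Rabin exponentiations during key generation, and the keygen setting only takes effect when the sign setting is also nonzero (that dependency is visible only in the `#if` guarding `fp_exptmod` further down the file, not here where the defaults are chosen). The commit message's rationale for allowing the two paths to differ — signing is the path that must be constant time, key generation is assumed not to need it — belongs here too, marked as an assumption rather than a property of either implementation, since nothing in this file establishes the timing behaviour of the software `fp_exptmod`.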
@@ -182,7 +185,7 @@ static hal_error_t unpack_fp(const fp_int * const bn, uint8_t *buffer, const siz
   return err;
 }
 
-#if HAL_RSA_USE_MODEXP
+#if HAL_RSA_SIGN_USE_MODEXP
 
 /*
  * Unwrap bignums into byte arrays, feed them into hal_modexp(), and
@@ -236,27 +239,13 @@ static hal_error_t modexp(hal_core_t *core,
   return err;
 }
 
-/*
- * Wrapper to let us export our modexp function as a replacement for
- * TFM's, to avoid dragging in all of the TFM montgomery code when we
- * use TFM's Miller-Rabin test code.
- *
- * This code is here rather than in a separate module because of the
- * error handling: TFM's error codes aren't really capable of
- * expressing all the things that could go wrong here.
- */
-
-int fp_exptmod(fp_int *a, fp_int *b, fp_int *c, fp_int *d)
-{
-  return modexp(NULL, a, b, c, d) == HAL_OK ? FP_OKAY : FP_VAL;
-}
-
-#else /* HAL_RSA_USE_MODEXP */
+#else /* HAL_RSA_SIGN_USE_MODEXP */
 
 /*
- * Workaround to let us use TFM's software implementation of modular
- * exponentiation when we want to test other things and don't want to
- * wait for the slow FPGA implementation.
+ * Use libtfm's software implementation of modular exponentiation.
+ * Now that the ModExpA7 core performs about as well as the software
+ * implementation, there's probably no need to use this, but we're
+ * still tuning things, so leave the hook here for now.
  */
 
 static hal_error_t modexp(const hal_core_t *core, /* ignored */
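Review bot: The two `#if` branches give `modexp` different signatures: the core-backed version shown in the hunk header takes `hal_core_t *core`, the software fallback here takes `const hal_core_t *core /* ignored */`; only one is compiled per build, so callers accept either, but the prototypes should match so that flipping `HAL_RSA_SIGN_USE_MODEXP` cannot change which call sites are accepted — `static hal_error_t modexp(hal_core_t *core, /* ignored */`. The rewritten comment's claim that the ModExpA7 core "performs about as well as the software implementation" contradicts the "painfully slow" remark left at the top of this file; given the commit message, it should say that this holds for the signature path specifically and that the fallback is kept while that comparison is still being tuned. The body of this `modexp` continues past the end of the hunk.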
@@ -271,7 +260,31 @@ static hal_error_t modexp(const hal_core_t *core, /* ignored */
   return err;
 }
 
-#endif /* HAL_RSA_USE_MODEXP */
+#endif /* HAL_RSA_SIGN_USE_MODEXP */
+
+/*
+ * Wrapper to let us export our modexp function as a replacement for
+ * libtfm's when running libtfm's Miller-Rabin test code.
+ *
+ * At the moment, the libtfm software implementation performs
+ * disproportionately better than our core does for the specific case
+ * of Miller-Rabin tests, for reasons we don't really understand.
+ * So there's not much point in enabling this, except as a test to
+ * confirm this behavior.
+ *
+ * This code is here rather than in a separate module because of the
+ * error handling: libtfm's error codes aren't really capable of
+ * expressing all the things that could go wrong here.
+ */
+
+#if HAL_RSA_SIGN_USE_MODEXP && HAL_RSA_KEYGEN_USE_MODEXP
+
+int fp_exptmod(fp_int *a, fp_int *b, fp_int *c, fp_int *d)
+{
+  return modexp(NULL, a, b, c, d) == HAL_OK ? FP_OKAY : FP_VAL;
+}
+
+#endif /* HAL_RSA_SIGN_USE_MODEXP && HAL_RSA_KEYGEN_USE_MODEXP */
 
 /*
  * Create blinding factors.  There are various schemes for amortizing
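Review bot: With `HAL_RSA_SIGN_USE_MODEXP` at 0 and `HAL_RSA_KEYGEN_USE_MODEXP` at 1 the new guard silently drops the `fp_exptmod` override, so a build that asked for the core in key generation gets libtfm's software path with no diagnostic; the combination is necessarily unsupported (the software `modexp` in this file itself calls into libtfm, so exporting `fp_exptmod` over it would loop), and it should fail loudly: `#if HAL_RSA_KEYGEN_USE_MODEXP && !HAL_RSA_SIGN_USE_MODEXP` / `#error "HAL_RSA_KEYGEN_USE_MODEXP requires HAL_RSA_SIGN_USE_MODEXP"` / `#endif`. The rewritten comment also loses the point the removed one made — that providing `fp_exptmod` kept libtfm's Montgomery code out of the link — and that consequence now applies in the default configuration (sign on core, keygen in software), so it is worth one sentence so the footprint change is not a surprise. Finally, the rationale that key generation "does not need to be constant time" deserves a hedged note here: nothing in this file establishes whether libtfm's `fp_exptmod` leaks timing about the Miller-Rabin candidates, and timing and cache side channels against RSA key generation have been reported for non-hardened implementations, so this is an assumption about where key generation runs and who can observe it, not a property of the code.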


