[Cryptech Core] modexp optimization plans

Peter Stuge peter at stuge.se
Mon Jun 22 13:56:01 UTC 2015


Joachim Strömbergson wrote:
> > 4194304 / 65536 = factor 64 doesn't seem huge to me. Typo?
> 
> 64 is a huge increase in performance. It is a difference in the number
> of operations, not cycles.

How many cycles are there per operation?

I was expecting cores to be single-cycle. Thinking a bit more, I
could have guessed that this is not the case based on the presence
of a BUSY bit.


> > Different size moduli still have different number of words. I think
> > completely data-independent constant-time execution is highly
> > desirable.
> 
> Are you suggesting that all operations should fake a max size modulus
> (8192) and always do that many operations?

Right, I think that should be the default.


> Jakob can probably answer, but I would find that solution to be
> very uncommon even in $$$$ and certified HSMs.

Let's evaluate the idea based on merit, not based on decisions made
in existing products. The reason for Cryptech is that existing
products aren't good enough.


> >> One could further optimize to find the MSB one of the exponent and
> >> set the size to that. And then you could end up with data
> >> dependent execution time.
> > 
> > It seems that this is already the case?
> 
> No, not at all.

If the number of operations (= time) depends on the modulus size then it is, right?


//Peter
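The point argued in this message, as an added toy example that is not code from the Cryptech project or from anyone in the thread: a modexp whose loop length follows the actual exponent and modulus size performs a data-dependent number of operations, so its run time reveals that size, whereas padding every operation to the thread's maximum modulus size (8192 bits) makes the operation count constant. Only the count of big-integer modular multiplications is modelled; `MAX_BITS`, the function names and the sample inputs are assumptions for this example, and Python integers are not themselves constant-time.

```python
"""
Added example, not code from the Cryptech project or this thread. It models
the number of modular multiplications a modexp core would perform, once with
a loop that follows the exponent's real size and once padded to a fixed
maximum, so the data dependence of the first can be compared with the
constancy of the second.
"""

MAX_BITS = 8192  # assumed padding target: the thread's maximum modulus size


def modexp_variable(base: int, exp: int, mod: int) -> tuple[int, int]:
    """Left-to-right square-and-multiply over the exponent's actual bit length.

    Returns (base**exp mod mod, number of modular multiplications). The count
    depends on both the exponent's length and its Hamming weight, so timing
    leaks information about the exponent.
    """
    result = 1 % mod
    ops = 0
    for i in range(exp.bit_length() - 1, -1, -1):
        result = (result * result) % mod
        ops += 1
        if (exp >> i) & 1:
            result = (result * base) % mod
            ops += 1
    return result, ops


def modexp_fixed(base: int, exp: int, mod: int, width: int = MAX_BITS) -> tuple[int, int]:
    """Montgomery ladder padded to `width` exponent bits.

    Every iteration performs exactly one multiplication and one squaring and
    routes the results into the two registers with an arithmetic mask instead
    of a branch, so the count is 2 * width whatever the exponent or modulus.
    Leading zero bits leave the ladder state unchanged, so the result is
    correct for any exponent of at most `width` bits.
    """
    if exp.bit_length() > width:
        raise ValueError("exponent exceeds padded width")
    r0, r1 = 1 % mod, base % mod   # invariant: r1 == r0 * base (mod mod)
    ops = 0
    for i in range(width - 1, -1, -1):
        bit = (exp >> i) & 1
        mask = -bit                        # 0 when bit == 0, all-ones when bit == 1
        prod = (r0 * r1) % mod             # always computed
        sel = (r0 & ~mask) | (r1 & mask)   # r1 if bit else r0, without a branch
        sq = (sel * sel) % mod             # always computed
        ops += 2
        r0 = (sq & ~mask) | (prod & mask)  # bit ? prod : sq
        r1 = (prod & ~mask) | (sq & mask)  # bit ? sq : prod
    return r0, ops


def operation_counts(exps, mod, width=MAX_BITS):
    """Return [(variable_ops, fixed_ops), ...] for a list of exponents, so the
    data-dependent column can be compared with the constant one."""
    return [(modexp_variable(2, e, mod)[1], modexp_fixed(2, e, mod, width)[1]) for e in exps]


if __name__ == "__main__":
    # Constructed sample inputs: one modulus, exponents of different length and weight.
    m = 1000003
    for e in (1, 0b1111, 2**20 + 1, 2**31 - 1):
        v, f = modexp_variable(2, e, m), modexp_fixed(2, e, m, 32)
        assert v[0] == f[0] == pow(2, e, m)
        print(f"exp bits={e.bit_length():2d}  variable ops={v[1]:3d}  fixed ops={f[1]}")
```

The fixed variant's cost is the cost of the largest supported operand on every call, which is exactly the trade the message proposes as the default; a real core would additionally have to make each word-level multiply itself take a data-independent number of cycles, which this model does not cover.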