Issue 82740043: code review 82740043: crypto/(ec)dsa: use Fermat's inversion.

Keyboard Shortcuts

	File
u :	up to issue
m :	publish + mail comments
M :	edit review message
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line
<Enter> :	respond to / edit current comment
d :	mark current comment as done

	Issue
u :	up to list of issues
m :	publish + mail comments
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue
# :	close issue

	Comment/message editing
<Ctrl> + s or <Ctrl> + Enter :	save comment
<Esc> :	cancel edit

Issue 82740043: code review 82740043: crypto/(ec)dsa: use Fermat's inversion. (Closed)

Can't Edit
Can't Publish+Mail
Start Review

Created:
10 years, 1 month ago by agl1

Modified:
10 years ago

Reviewers:
rsc

CC:
golang-codereviews, bradfitz, rsc

Visibility:
Public.

Description

crypto/(ec)dsa: use Fermat's inversion. Now that we have a constant-time P-256 implementation, it's worth paying more attention elsewhere. The inversion of k in (EC)DSA was using Euclid's algorithm which isn't constant-time. This change switches to Fermat's algorithm, which is much better. However, it's important to note that math/big itself isn't constant time and is using a 4-bit window for exponentiation with variable memory access patterns. (Since math/big depends quite deeply on its values being in minimal (as opposed to fixed-length) represetation, perhaps crypto/elliptic should grow a constant-time implementation of exponentiation in the scalar field.) R=bradfitz Fixes issue 7652.

		Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+22 lines, -2 lines)			Patch
	M	src/pkg/crypto/dsa/dsa.go	View	1	2 chunks	+11 lines, -1 line	0 comments	Download
	M	src/pkg/crypto/ecdsa/ecdsa.go	View	1	2 chunks	+11 lines, -1 line	0 comments	Download

Messages

Total messages: 5

Expand All Messages | Collapse All Messages

agl1

Hello golang-codereviews@googlegroups.com, I'd like you to review this change to https://code.google.com/p/go/

10 years, 1 month ago (2014-03-31 17:34:29 UTC) #1

bradfitz

Nowadays you should either mail it to somebody (R=) or cc one or more likely ...

10 years, 1 month ago (2014-04-03 15:33:34 UTC) #3

agl1

10 years ago (2014-04-08 23:33:21 UTC) #5

*** Submitted as https://code.google.com/p/go/source/detail?r=8b76bd413bcb ***

crypto/(ec)dsa: use Fermat's inversion.

Now that we have a constant-time P-256 implementation, it's worth
paying more attention elsewhere.

The inversion of k in (EC)DSA was using Euclid's algorithm which isn't
constant-time. This change switches to Fermat's algorithm, which is
much better. However, it's important to note that math/big itself isn't
constant time and is using a 4-bit window for exponentiation with
variable memory access patterns.

(Since math/big depends quite deeply on its values being in minimal (as
opposed to fixed-length) represetation, perhaps crypto/elliptic should
grow a constant-time implementation of exponentiation in the scalar
field.)

R=bradfitz
Fixes issue 7652.

LGTM=rsc
R=golang-codereviews, bradfitz, rsc
CC=golang-codereviews
https://codereview.appspot.com/82740043

Expand All Messages | Collapse All Messages