RFR 8181594: Efficient and constant-time modular arithmetic

Xuelei Fan xuelei.fan at oracle.com
Fri Feb 23 17:46:45 UTC 2018


ArrayUtil.java:
===============
I'm not very sure how widely this utilities will be used in the future. 
Looks like only BigIntegerModuloP uses this classes.  I may prefer to 
define private methods for byte array swap in BigIntegerModuloP.


BigIntegerModuloP.java:
=======================
As this is a class for testing or ptototype purpose,  it might not be a 
part of JDK products, like JRE.  Would you mind move it to a test 
package if you want to keep it?


IntegerModuloP, IntegerModuloP_Base and MutableIntegerModuloP
=============================================================
In the security package/context, it may make sense to use 
"IntegerModulo" for the referring to "integers modulo a prime value". 
The class name of "IntegerModuloP_Base" is not a general Java coding 
style.  I may prefer a little bit name changes like:
      IntegerModuloP_Base   -> IntegerModulo
      IntegerModuloP        -> ImmutableIntegerModulo
      MutableIntegerModuloP -> MutableIntegerModulo

      IntegerFieldModuloP   -> IntegerModuloField (?)


MutableIntegerModuloP.java
==========================
void conditionalSwapWith(MutableIntegerModuloP b, int swap);
As the 'swap' parameter can only be 0 or 1, could it be a boolean parameter?

Except the conditionalSwapWith() method, I did not get the points why we 
need a mutable version.  Would you please have more description of this 
requirement?


IntegerModuloP_Base.java
========================
default byte[] addModPowerTwo(IntegerModuloP_Base b, int len)
void addModPowerTwo(IntegerModuloP_Base b, byte[] result);

For the first sign of the method names, I thought it is to calculate as 
"(this + b) ^ 2 mod m".  Besides, what's the benefits of the two 
methods?  Could we just use:
       this.add(b).asByteArray()

I guess, but not very sure, it is for constant time calculation.  If the 
function is required, could it be renamed as:

       // the result is inside of the size range
       IntegerModuloP addModSize(IntegerModuloP_Base b, int size)
Or
       // the result is wrapped if outside of the size range
       IntegerModuloP addOnWrap(IntegerModuloP_Base b, int size)

and the use may look like:
       this.addModSize(b, size).asByteArray()


Will review the rest when I understand more about the interfaces design.

Thanks,
Xuelei

On 1/30/2018 8:52 AM, Adam Petcher wrote:
> +core-libs-dev
> 
> 
> On 1/26/2018 4:06 PM, Adam Petcher wrote:
>> JBS: https://bugs.openjdk.java.net/browse/JDK-8181594
>> Webrev: http://cr.openjdk.java.net/~apetcher/8181594/webrev.00/
>>
>> This is a code review for the field arithmetic that will be used in 
>> implementations of X25519/X448 key agreement, the Poly1305 
>> authenticator, and EdDSA signatures. I believe that the library has 
>> all the features necessary for X25519/X448 and Poly1305, and I expect 
>> at most a couple of minor enhancements will be required to support 
>> EdDSA. There is no public API for this library, so we can change it in 
>> the future to suit the needs of new algorithms without breaking 
>> compatibility with external code. Still, I made an attempt to clearly 
>> structure and document the (internal) API, and I want to make sure it 
>> is understandable and easy to use.
>>
>> This is not a general-purpose modular arithmetic library. It will only 
>> work well in circumstances where the sequence of operations is 
>> restricted, and where the prime that defines the field has some useful 
>> structure. Moreover, each new field will require some field-specific 
>> code that takes into account the structure of the prime and the way 
>> the field is used in the application. The initial implementation 
>> includes a field for Poly1305 and the fields for X25519/X448 which 
>> should also work for EdDSA.
>>
>> The benefits of using this library are that it is much more efficient 
>> than using similar operations in BigInteger. Also, many operations are 
>> branch-free, making them suitable for use in a side-channel resistant 
>> implementation that does not branch on secrets.
>>
>> To provide some context, I have attached a code snippet describing how 
>> this library can be used. The snippet is the constant-time Montgomery 
>> ladder from my X25519/X448 implementation, which I expect to be out 
>> for review soon. X25519/X448 only uses standard arithmetic operations, 
>> and the more unusual features (e.g. add modulo a power of 2) are 
>> needed by Poly1305.
>>
>> The field arithmetic (for all fields) is implemented using a 32-bit 
>> representation similar to the one described in the Ed448 paper[1] (in 
>> the "Implementation on 32-bit platforms" section). Though my 
>> implementation uses signed limbs, and grade-school multiplication 
>> instead of Karatsuba. The argument for correctness is essentially the 
>> same for all three fields: the magnitude of each 64-bit limb is at 
>> most 2^(k-1) after reduction, except for the last limb which may have 
>> a magnitude of up to 2^k. The values of k are between 26 to 28 
>> (depending on the field), and we can calculate that the maximum 
>> magnitude for any limb during an add-multiply-carry-reduce sequence is 
>> always less than 2^63. Therefore, no overflow occurs and all 
>> operations are correct.
>>
>> Process note: this enhancement is part of JEP 324 (Key Agreement with 
>> Curve25519 and Curve448). When this code review is complete, nothing 
>> will happen until all other work for this JEP is complete, and the JEP 
>> is accepted as part of some release. This means that this code will be 
>> pushed to the repo along with the X25519/X448 code that uses it.
>>
>> [1] https://eprint.iacr.org/2015/625.pdf
>>
>>
>>
> 



More information about the security-dev mailing list