RFR 8203228: Branch-free output conversion for X25519 and X448
Adam Petcher
adam.petcher at oracle.com
Mon Jun 25 12:49:49 UTC 2018
It would be nice to get this X25519/X448 enhancement into JDK 11. If
anyone has some time to review this in the next day or so, I would
appreciate it.
On 5/15/2018 2:42 PM, Adam Petcher wrote:
> Webrev: http://cr.openjdk.java.net/~apetcher/8203228/webrev.00/
>
> Please review the change for this leftover task from the X25519/X448
> JEP. The current code uses BigInteger to convert the final result from
> a field element to a byte array that can be used to derive a key.
> Using branch-free operations instead of BigInteger will protect this
> secret from certain side-channel attacks.
>
> The output conversion is done entirely by the asByteArray method of
> IntegerPolynomial, which is implemented by limbsToByteArray. For this
> change, I took the branch-free output conversion routine from the
> Poly1305 field and pushed it into the parent class. I had to
> generalize it a bit in order to deal with the peculiarities of the
> X25519/X448 fields and their representations. I also made
> addModPowerTwo branch free, because this was a relatively simple
> change once the rest was done. But this method is not used by
> X25519/X448.
>
> In addition to running the full regression test suite, I also ran some
> benchmarks on X25519 and X448 to confirm that performance wasn't
> impacted. Not surprising, since this method is only called once per
> key generation/agreement operation.
>
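As an added illustration, and not code from this thread or from the JDK's IntegerPolynomial: the shape of a branch-free output conversion for the X25519 field p = 2^255 - 19, written in C. It assumes a representation of five radix-2^51 limbs whose input values are "loose" (each below 2^52), which is an assumption of this example and not something the webrev states; the function names are likewise made up here. It carries the limbs, reduces the value into the canonical range [0, p) by computing v + 19 and selecting with a mask instead of an if, and then packs the 255 bits into 32 little-endian bytes. The sample inputs in main() are constructed for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Field element mod p = 2^255 - 19 in five radix-2^51 limbs, little-endian
 * (value = sum v[i] * 2^(51*i)). Assumed input bound: each limb < 2^52. */
typedef struct { uint64_t v[5]; } fe25519;

#define MASK51 ((UINT64_C(1) << 51) - 1)

/* Constant-time mask: 0 -> 0, 1 -> all ones. No branch, no table lookup. */
static uint64_t ct_mask(uint64_t bit) { return (uint64_t)0 - (bit & 1); }

/* Propagate carries limb to limb; return the carry out of limb 4
 * (the 2^255 bit) instead of folding it, so callers decide what to do. */
static uint64_t fe_carry_chain(uint64_t l[5]) {
    for (int i = 0; i < 4; i++) {
        l[i + 1] += l[i] >> 51;
        l[i] &= MASK51;
    }
    uint64_t top = l[4] >> 51;
    l[4] &= MASK51;
    return top;
}

/* Serialise to the canonical 32-byte little-endian encoding of v mod p,
 * the form X25519 needs before the bytes are used as a shared secret. */
void fe25519_to_bytes(uint8_t out[32], const fe25519 *in) {
    uint64_t v[5], t[5], c;
    memcpy(v, in->v, sizeof v);

    /* Two full carry passes. 2^255 == 19 (mod p), so a carry out of the top
     * limb is folded back in as 19 * carry. With limbs < 2^52 on input this
     * leaves every limb < 2^51 and the value in [0, 2^255). */
    c = fe_carry_chain(v); v[0] += 19 * c;
    c = fe_carry_chain(v); v[0] += 19 * c;

    /* t = v + 19. If t >= 2^255 then v >= p and the canonical value is
     * v - p = t - 2^255, i.e. t with bit 255 dropped; otherwise it is v.
     * The carry out of t is the comparison result, turned into a mask. */
    memcpy(t, v, sizeof t);
    t[0] += 19;
    uint64_t ge_p = ct_mask(fe_carry_chain(t));   /* all ones iff v >= p */
    for (int i = 0; i < 5; i++)
        v[i] ^= ge_p & (v[i] ^ t[i]);             /* select, no branch */

    /* Pack 5 x 51 bits into four 64-bit words, then emit little-endian. */
    uint64_t w[4] = {
        v[0]         | (v[1] << 51),
        (v[1] >> 13) | (v[2] << 38),
        (v[2] >> 26) | (v[3] << 25),
        (v[3] >> 39) | (v[4] << 12),
    };
    for (int i = 0; i < 4; i++)
        for (int j = 0; j < 8; j++)
            out[8 * i + j] = (uint8_t)(w[i] >> (8 * j));
}

int main(void) {
    /* Constructed inputs: p itself (must serialise to all zeros), p - 1
     * (the largest canonical value) and 2p in loose, un-carried limbs. */
    const fe25519 cases[] = {
        {{ MASK51 - 18, MASK51, MASK51, MASK51, MASK51 }},   /* p   */
        {{ MASK51 - 19, MASK51, MASK51, MASK51, MASK51 }},   /* p-1 */
        {{ (UINT64_C(1) << 52) - 38, (UINT64_C(1) << 52) - 2,
           (UINT64_C(1) << 52) - 2,  (UINT64_C(1) << 52) - 2,
           (UINT64_C(1) << 52) - 2 }},                       /* 2p  */
    };
    for (size_t k = 0; k < sizeof cases / sizeof cases[0]; k++) {
        uint8_t out[32];
        fe25519_to_bytes(out, &cases[k]);
        for (int i = 0; i < 32; i++) printf("%02x", out[i]);
        printf("\n");
    }
    return 0;
}
```

The point of the mask-select is that the final subtraction of p happens (or not) without a data-dependent branch or memory access, so the conversion takes the same path whether or not the secret is above p. Whether the compiled code is actually branch-free is a property of the compiler or JIT rather than of the source, so the check a practitioner would add is to inspect the generated machine code or to run a leakage test on the routine.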
More information about the security-dev mailing list