RFR 8203228: Branch-free output conversion for X25519 and X448

Anthony Scarpino anthony.scarpino at oracle.com
Mon Jun 25 22:07:01 UTC 2018


The change looks fine to me

Tony

On 06/25/2018 05:49 AM, Adam Petcher wrote:
> It would be nice to get this X25519/X448 enhancement into JDK 11. If 
> anyone has some time to review this in the next day or so, I would 
> appreciate it.
> 
> 
> On 5/15/2018 2:42 PM, Adam Petcher wrote:
>> Webrev: http://cr.openjdk.java.net/~apetcher/8203228/webrev.00/
>>
>> Please review the change for this leftover task from the X25519/X448 
>> JEP. The current code uses BigInteger to convert the final result from 
>> a field element to a byte array that can be used to derive a key. 
>> Using branch-free operations instead of BigInteger will protect this 
>> secret from certain side-channel attacks.
>>
>> The output conversion is done entirely by the asByteArray method of 
>> IntegerPolynomial, which is implemented by limbsToByteArray. For this 
>> change, I took the branch-free output conversion routine from the 
>> Poly1305 field and pushed it into the parent class. I had to 
>> generalize it a bit in order to deal with the peculiarities of the 
>> X25519/X448 fields and their representations. I also made 
>> addModPowerTwo branch free, because this was a relatively simple 
>> change once the rest was done. But this method is not used by 
>> X25519/X448.
>>
>> In addition to running the full regression test suite, I also ran some 
>> benchmarks on X25519 and X448 to confirm that performance wasn't 
>> impacted. Not surprising, since this method is only called once per 
>> key generation/agreement operation.
>>
> 
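The branch-free final reduction and byte packing the patch describes, as an added illustration in C rather than the JDK's IntegerPolynomial code: a trial subtraction of p whose borrow becomes a select mask, applied twice so that any 256-bit input is fully reduced. It assumes a radix-2^64 representation with four limbs, which differs from the JDK's limb layout, and the function names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* p = 2^255 - 19 as four little-endian 64-bit limbs. (Assumed radix-2^64
 * layout for illustration; the JDK IntegerPolynomial limbs differ.) */
static const uint64_t P25519[4] = {
    0xFFFFFFFFFFFFFFEDULL, 0xFFFFFFFFFFFFFFFFULL,
    0xFFFFFFFFFFFFFFFFULL, 0x7FFFFFFFFFFFFFFFULL };

/* a - b - borrow_in: returns the difference and updates the borrow with a
 * bit trick instead of a comparison, so no data-dependent branch is emitted. */
static uint64_t sub_borrow(uint64_t a, uint64_t b, uint64_t *borrow) {
    uint64_t d = a - b - *borrow;
    *borrow = ((~a & b) | ((~a | b) & d)) >> 63;
    return d;
}

/* Branch-free conditional subtraction: a <- (a >= p) ? a - p : a.
 * The trial subtraction always runs; the final borrow becomes a mask
 * that selects either the old or the new limbs. */
static void cond_sub_p(uint64_t a[4]) {
    uint64_t t[4], borrow = 0;
    for (int i = 0; i < 4; i++) t[i] = sub_borrow(a[i], P25519[i], &borrow);
    uint64_t keep = 0 - borrow;              /* all ones iff a < p */
    for (int i = 0; i < 4; i++) a[i] = (a[i] & keep) | (t[i] & ~keep);
}

/* Canonical 32-byte little-endian encoding of (a mod p) for any
 * a in [0, 2^256). Since 2^256 = 2p + 38 < 3p, two conditional
 * subtractions fully reduce without ever branching on the secret. */
void fe25519_to_bytes(uint8_t out[32], const uint64_t in[4]) {
    uint64_t a[4];
    memcpy(a, in, sizeof a);
    cond_sub_p(a);
    cond_sub_p(a);
    for (int i = 0; i < 4; i++)
        for (int j = 0; j < 8; j++) out[8 * i + j] = (uint8_t)(a[i] >> (8 * j));
}

/* Constructed check: 2^256 - 1 = 2p + 37, so the encoding must be 37. */
int fe25519_to_bytes_selftest(void) {
    const uint64_t all_ones[4] = { ~0ULL, ~0ULL, ~0ULL, ~0ULL };
    uint8_t out[32];
    fe25519_to_bytes(out, all_ones);
    int ok = (out[0] == 37);
    for (int i = 1; i < 32; i++) ok &= (out[i] == 0);
    return ok;
}
```

The same mask-select idea extends to addModPowerTwo: compute both candidate results unconditionally and pick one with a mask derived from the carry.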