RFR 8203228: Branch-free output conversion for X25519 and X448

Adam Petcher adam.petcher at oracle.com
Tue May 15 18:42:39 UTC 2018


Webrev: http://cr.openjdk.java.net/~apetcher/8203228/webrev.00/

Please review the change for this leftover task from the X25519/X448 
JEP. The current code uses BigInteger to convert the final result from a 
field element to a byte array that can be used to derive a key. Using 
branch-free operations instead of BigInteger will protect this secret 
from certain side-channel attacks.

The output conversion is done entirely by the asByteArray method of 
IntegerPolynomial, which is implemented by limbsToByteArray. For this 
change, I took the branch-free output conversion routine from the 
Poly1305 field and pushed it into the parent class. I had to generalize 
it a bit in order to deal with the peculiarities of the X25519/X448 
fields and their representations. I also made addModPowerTwo branch 
free, because this was a relatively simple change once the rest was 
done. But this method is not used by X25519/X448.

In addition to running the full regression test suite, I also ran some 
benchmarks on X25519 and X448 to confirm that performance wasn't 
impacted. Not surprising, since this method is only called once per key 
generation/agreement operation.
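To make the "branch-free output conversion" concrete, here is an added, self-contained example (not the webrev's code and not IntegerPolynomial's API) that converts a field element of GF(2^255 - 19) from a hypothetical radix-2^51 limb representation (five limbs, each assumed to be in [0, 2^62)) to the 32-byte little-endian encoding, without any branch or memory access that depends on the secret value. The class and method names are assumptions made for the example; a BigInteger routine is included only as the reference the branch-free path is checked against, since that is exactly the dependency the change removes.

```java
import java.math.BigInteger;
import java.util.Arrays;

/**
 * Branch-free limbs-to-bytes conversion for GF(2^255 - 19), illustrating the
 * technique discussed in the review request. Hypothetical example: the limb
 * layout (5 x 51 bits) and all names here are assumptions, not those of
 * sun.security.util.math.intpoly.IntegerPolynomial.
 */
public final class BranchFreeToBytes {
    private static final int LIMBS = 5;
    private static final int LIMB_BITS = 51;
    private static final long MASK = (1L << LIMB_BITS) - 1;
    private static final long P_LOW_DELTA = 19;   // p = 2^255 - 19, so 2^255 == 19 (mod p)

    /**
     * Input: limbs a[i] in [0, 2^62) (assumed bound), any representative of the element.
     * Output: the unique representative in [0, p) as 32 little-endian bytes.
     * Loop counts and array indices depend only on public constants, never on the data.
     */
    static byte[] toBytes(long[] in) {
        long[] a = in.clone();
        // Rounds 1-3: propagate carries, then fold the 2^255 overflow back in as 19*carry.
        // For the assumed input bound, three rounds leave every limb in [0, 2^51).
        for (int round = 0; round < 3; round++) {
            long carry = 0;
            for (int i = 0; i < LIMBS; i++) {
                a[i] += carry;
                carry = a[i] >>> LIMB_BITS;
                a[i] &= MASK;
            }
            a[0] += P_LOW_DELTA * carry;
        }
        // Now 0 <= a < 2^255. q = floor((a + 19) / 2^255) is 0 or 1 and equals 1
        // exactly when a >= p; it is the top carry of a + 19, computed without comparing.
        long q = (a[0] + P_LOW_DELTA) >>> LIMB_BITS;
        for (int i = 1; i < LIMBS; i++) {
            q = (a[i] + q) >>> LIMB_BITS;
        }
        // a - q*p == a + 19q - q*2^255: add 19q with a carry chain, then drop bit 255,
        // which is the final carry and is equal to q.
        long carry = P_LOW_DELTA * q;
        for (int i = 0; i < LIMBS; i++) {
            a[i] += carry;
            carry = a[i] >>> LIMB_BITS;
            a[i] &= MASK;
        }
        // Pack 5 x 51 = 255 bits into 32 bytes. The conditional below depends only on
        // the byte index j (a public constant), so it is not a data-dependent branch.
        byte[] out = new byte[32];
        for (int j = 0; j < 32; j++) {
            int bit = 8 * j;
            int li = bit / LIMB_BITS;
            int off = bit % LIMB_BITS;
            long v = a[li] >>> off;
            if (li + 1 < LIMBS && off > LIMB_BITS - 8) {
                v |= a[li + 1] << (LIMB_BITS - off);   // byte straddles two limbs
            }
            out[j] = (byte) v;
        }
        return out;
    }

    /** Reference conversion via BigInteger, used only to check the result (not constant time). */
    static byte[] referenceToBytes(long[] limbs) {
        BigInteger p = BigInteger.ONE.shiftLeft(255).subtract(BigInteger.valueOf(19));
        BigInteger v = BigInteger.ZERO;
        for (int i = LIMBS - 1; i >= 0; i--) {
            v = v.shiftLeft(LIMB_BITS).add(BigInteger.valueOf(limbs[i]));
        }
        byte[] be = v.mod(p).toByteArray();   // big-endian; fewer than 33 bytes since v mod p < 2^255
        byte[] le = new byte[32];
        for (int i = 0; i < be.length && i < 32; i++) {
            le[i] = be[be.length - 1 - i];
        }
        return le;
    }

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) {
            sb.append(String.format("%02x", x));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        long top = MASK;                // 2^51 - 1, the largest normalised limb
        long big = (1L << 62) - 1;      // largest limb allowed by the assumed bound
        long[][] samples = {            // constructed inputs for the demonstration
            {1L << 60, 0, 0, 0, 0},                 // unnormalised limb, value 2^60
            {top - 18 + 5, top, top, top, top},     // p + 5: must freeze to 5
            {top, top, top, top, top},              // 2^255 - 1 = p + 18: must freeze to 18
            {big, big, big, big, big},              // worst case for the carry rounds
        };
        for (long[] s : samples) {
            byte[] fast = toBytes(s);
            boolean ok = Arrays.equals(fast, referenceToBytes(s));
            System.out.println(toHex(fast) + (ok ? "  matches BigInteger" : "  MISMATCH"));
        }
    }
}
```

The three-round carry/fold loop is sized for the assumed input bound; a representation with tighter bounds on its limbs, or a different radix, needs its own round count, which is the kind of generalization the message describes having to make when moving the Poly1305 routine into the parent class.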
