RFR 8208698: Improved ECC Implementation

Adam Petcher adam.petcher at oracle.com
Fri Nov 30 20:01:20 UTC 2018


JBS: https://bugs.openjdk.java.net/browse/JDK-8208698
webrev: http://cr.openjdk.java.net/~apetcher/8208698/webrev.00/

This is a re-implementation of ECDH and ECDSA that is designed to be 
resilient against side-channel attacks. The implementation only supports 
the 256-bit, 384-bit, and 521-bit NIST curves, and only key pair 
generation, key agreement, and signature are implemented. For other 
curves/algorithms, the existing native ECC implementation will be used. 
This change depends on a separate change (reviewed concurrently) that 
enhances the finite field arithmetic library. The implementation is 
intended to follow the recommendations in FIPS 186-4 and SP 800-56A. 
More information on the techniques used can be found in the JBS ticket.

There is no new signature verification implementation, because signature 
verification typically does not involve secret inputs. If anyone has any 
desire for branchless signature verification, please let me know.

I tested this change by running all the existing regression tests, and 
by checking it against some additional test vectors. I've done some 
initial benchmarking on two platforms: a Linux VM with a Skylake CPU, 
and a MacBook with a Haswell CPU. In general, the performance of the new 
implementation is 20-30% faster than the existing native implementation. 
Though the performance of the 521-bit curve is actually around 10% 
slower on Mac/Haswell. I think this regression is acceptable, because 
the 521-bit curve is not used as much as the others, and it is only used 
if lower performance is acceptable. I plan to do some additional 
benchmarking while the review is in progress.

This change includes a new (internal) class hierarchy for EC points in 
various coordinate systems. It may seem a little over-complicated, since 
the only type of point used in the implementation (other than affine) is 
ProjectivePoint. But it is common for different curves to use different 
coordinate systems, even within the same ECC algorithm/implementation. 
The EdDSA prototype also uses these point classes, and it uses extended 
homogeneous coordinates, in addition to projective coordinates.
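The projective-versus-affine distinction the point classes model, as an added example that is not part of the RFR or the JDK code: homogeneous projective coordinates (X:Y:Z) on NIST P-256, where every group operation is inversion-free and a single modular inversion is paid only when converting back to affine. The formulas are the standard general-a projective addition and doubling; the double-and-add loop is the branchy textbook version, not the side-channel-resistant arithmetic the JDK change implements.

```python
# Added illustration, not JDK code: projective (X:Y:Z) <-> affine (X/Z, Y/Z)
# arithmetic on NIST P-256. Group operations below never invert; only
# to_affine() does. The scalar-multiplication loop branches on key bits, so it
# is a teaching version, not the branchless code the RFR describes.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A, B = P - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
INF = (0, 1, 0)  # point at infinity in projective form

def to_affine(pt):
    X, Y, Z = pt
    if Z == 0:
        return None  # infinity has no affine representation
    zi = pow(Z, -1, P)  # the single modular inversion (Python 3.8+)
    return (X * zi % P, Y * zi % P)

def proj_double(pt):  # EFD "dbl-1998-cmo-2", general curve coefficient a
    X1, Y1, Z1 = pt
    if Z1 == 0 or Y1 == 0:
        return INF
    w = (A * Z1 * Z1 + 3 * X1 * X1) % P
    s = 2 * Y1 * Z1 % P
    R = Y1 * s % P
    Bv = 2 * X1 * R % P
    h = (w * w - 2 * Bv) % P
    return (h * s % P, (w * (Bv - h) - 2 * R * R) % P, s * s * s % P)

def proj_add(p1, p2):  # EFD "add-1998-cmo-2" plus the exceptional cases
    X1, Y1, Z1 = p1
    X2, Y2, Z2 = p2
    if Z1 == 0 or Z2 == 0:  # adding the point at infinity
        return p2 if Z1 == 0 else p1
    u = (Y2 * Z1 - Y1 * Z2) % P
    v = (X2 * Z1 - X1 * Z2) % P
    if v == 0:  # same x: either the same point (double) or inverses (infinity)
        return proj_double(p1) if u == 0 else INF
    vv, R = v * v % P, v * v * X1 * Z2 % P
    vvv = vv * v % P
    Aq = (u * u * Z1 * Z2 - vvv - 2 * R) % P
    return (v * Aq % P, (u * (R - Aq) - vvv * Y1 * Z2) % P, vvv * Z1 * Z2 % P)

def scalar_mul(k, pt):  # affine input; returns affine point or None (infinity)
    acc, addend = INF, (pt[0], pt[1], 1)
    while k:
        if k & 1:
            acc = proj_add(acc, addend)
        addend = proj_double(addend)
        k >>= 1
    return to_affine(acc)
```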
