RFR: 8294731: Improve multiplicative inverse for secp256r1 implementation [v2]
Ferenc Rakoczi
duke at openjdk.org
Mon Oct 10 08:25:47 UTC 2022
On Fri, 7 Oct 2022 16:31:13 GMT, Daniel Jeliński <djelinski at openjdk.org> wrote:
> BigInteger exponentiation time also depends on the base; quick benchmark: `BigInteger.ONE.modPow(mod.subtract(BigInteger.TWO), mod)` vs `BigInteger.TWO.modPow(mod.subtract(BigInteger.TWO), mod)`:
>
> ```
> Benchmark        (messageLength)   Mode  Cnt         Score          Error  Units
> Signatures.pow1               64  thrpt   15  67352286,115 ±  1281517,907  ops/s
> Signatures.pow2               64  thrpt   15     62431,716 ±     1056,398  ops/s
> ```
>
> for IntegerModuloP the result should not depend on base, and if it does, we should fix that.
Well, if you ever encounter the special-cased "ONE" during ECDSA signing, you have a bigger problem than the exponentiation not being exactly constant time. Also, if you can get close enough to the system doing the signing to measure the time of the exponentiation precisely enough to differentiate one really occurring base from another -- you only have one chance to measure, so you cannot average out noise -- then again, you probably have better methods to get to the key than trying to measure time.
-------------
PR: https://git.openjdk.org/jdk/pull/10544
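As an added illustration (not code from this PR or from the JDK's IntegerModuloP), the following shows the point behind the benchmark above: the Fermat inverse exponent p-2 for the secp256r1 field is fixed and public, so a square-and-multiply that performs both operations on every exponent bit has an operation schedule that does not depend on the base, whereas the quoted numbers show `BigInteger.modPow` finishing orders of magnitude faster for a base of ONE. The prime and the test base (the curve's generator x-coordinate) are the standard secp256r1 constants; the class and method names are this example's own.

```java
import java.math.BigInteger;

/** Added example: Fermat inversion in the secp256r1 base field with a fixed operation schedule. */
public final class FermatInverseDemo {
    // secp256r1 field prime p = 2^256 - 2^224 + 2^192 + 2^96 - 1 (standard curve constant)
    static final BigInteger P = new BigInteger(
        "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF", 16);
    // Fermat's little theorem: a^(p-2) = a^-1 mod p for a != 0; the exponent is public and fixed
    static final BigInteger EXP = P.subtract(BigInteger.TWO);

    /**
     * Left-to-right square-and-multiply over every bit of p-2. The square and the
     * multiply are both computed on every iteration; when the exponent bit is 0 the
     * multiply result is simply not selected. The branch is on the public exponent,
     * never on the secret base, so the schedule of big-integer operations is the same
     * for ONE, TWO or any other base. (BigInteger.multiply itself is not constant-time,
     * so this demonstrates the schedule argument only, not a production-grade inverse.)
     */
    static BigInteger fixedScheduleInverse(BigInteger a) {
        BigInteger acc = BigInteger.ONE;
        for (int i = EXP.bitLength() - 1; i >= 0; i--) {
            acc = acc.multiply(acc).mod(P);             // always square
            BigInteger mult = acc.multiply(a).mod(P);   // always multiply
            acc = EXP.testBit(i) ? mult : acc;          // select on the public exponent bit
        }
        return acc;
    }

    public static void main(String[] args) {
        BigInteger gx = new BigInteger(
            "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296", 16);
        BigInteger[] bases = { BigInteger.ONE, BigInteger.TWO, gx };
        for (BigInteger a : bases) {
            BigInteger inv = fixedScheduleInverse(a);
            // a * a^-1 must be 1 mod p, and must agree with BigInteger.modPow's result
            boolean ok = a.multiply(inv).mod(P).equals(BigInteger.ONE)
                      && inv.equals(a.modPow(EXP, P));
            System.out.println(a.toString(16) + " -> inverse OK: " + ok);
        }
    }
}
```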