author | Jack Lloyd <[email protected]> | 2018-02-21 11:12:32 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-02-21 11:12:32 -0500 |
commit | 1d07f8287a452420db969cafd61bc223214cff03 (patch) | |
tree | fd78e74fd7dd766f690654fa4c8c940e02c2e2c0 /src/cli | |
parent | 061182a46f8b9e42808d57ec7bbafc13db7cf809 (diff) |
New API for blinded ECC point multiplication
No shared state
Diffstat (limited to 'src/cli')
-rw-r--r-- | src/cli/speed.cpp | 7 | ||||
-rw-r--r-- | src/cli/timing_tests.cpp | 119 |
2 files changed, 109 insertions, 17 deletions
diff --git a/src/cli/speed.cpp b/src/cli/speed.cpp
index 78cbdccf6..465389dc9 100644
--- a/src/cli/speed.cpp
+++ b/src/cli/speed.cpp
@@ -1229,14 +1229,17 @@ class Speed final : public Command
 const Botan::BigInt scalar(rng(), group.get_p_bits());
 const Botan::PointGFp& base_point = group.get_base_point();
- Botan::Blinded_Point_Multiply scalar_mult(base_point, group.get_order(), 4);
+
+ const Botan::PointGFp_Blinded_Multiplier scalar_mult(base_point);
+
+ std::vector<Botan::BigInt> ws;
 while(blinded_mult_timer.under(runtime))
 {
 const Botan::PointGFp r1 = mult_timer.run([&]() { return base_point * scalar; });
 const Botan::PointGFp r2 = blinded_mult_timer.run(
- [&]() { return scalar_mult.blinded_multiply(scalar, rng()); });
+ [&]() { return scalar_mult.mul(scalar, group.get_order(), rng(), ws); });
 BOTAN_ASSERT_EQUAL(r1, r2, "Same point computed by both methods");
 }
diff --git a/src/cli/timing_tests.cpp b/src/cli/timing_tests.cpp
index 86c1572ac..3e267829f 100644
--- a/src/cli/timing_tests.cpp
+++ b/src/cli/timing_tests.cpp
@@ -44,7 +44,6 @@
 #if defined(BOTAN_HAS_ECDSA)
 #include <botan/ecdsa.h>
- #include <botan/reducer.h>
 #include <botan/numthry.h>
 #endif
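Review bot: `group.get_order()` is evaluated inside the timed lambda on every iteration, so the blinded timer also pays for that lookup (and a BigInt copy per call if the accessor returns by value), a cost the unblinded `base_point * scalar` path does not carry; hoist it above the loop, `const Botan::BigInt& order = group.get_order();`, and pass `order` to `mul(...)`. The `scalar` is drawn with `get_p_bits()` bits rather than reduced modulo the group order, which is fine for a benchmark but worth stating next to its declaration, `// scalar may exceed the group order; the assertion below checks both paths still agree`. The enclosing `Speed` method starts and ends outside the hunk.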
@@ -251,19 +250,17 @@ class ECDSA_Timing_Test final : public Timing_Test
 ticks measure_critical_function(std::vector<uint8_t> input) override;
 private:
+ const Botan::EC_Group m_group;
 const Botan::ECDSA_PrivateKey m_privkey;
- const Botan::BigInt m_order;
- Botan::Blinded_Point_Multiply m_base_point;
- const Botan::BigInt m_x;
- const Botan::Modular_Reducer m_mod_order;
+ const Botan::BigInt& m_x;
+ std::vector<Botan::BigInt> m_ws;
 };
ECDSA_Timing_Test::ECDSA_Timing_Test(std::string ecgroup)
- : m_privkey(Timing_Test::timing_test_rng(), Botan::EC_Group(ecgroup))
- , m_order(m_privkey.domain().get_order())
- , m_base_point(m_privkey.domain().get_base_point(), m_order)
+ : m_group(ecgroup)
+ , m_privkey(Timing_Test::timing_test_rng(), m_group)
 , m_x(m_privkey.private_value())
- , m_mod_order(m_order) {}
+ {}
std::vector<uint8_t> ECDSA_Timing_Test::prepare_input(std::string input)
 {
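Review bot: `const Botan::BigInt& m_x;` binds a reference member to `m_privkey.private_value()` in the initializer list, so it is only valid if that accessor returns a reference to storage owned by `m_privkey`; if it returns by value, `m_x` dangles as soon as the constructor returns and every later `mul_add(m_x, r, msg)` reads freed memory. Unless that contract is documented on the key class, keeping the previous `const Botan::BigInt m_x;` by value costs one copy per test object and removes the lifetime coupling entirely. The constructor also relies on declaration order (`m_group` must precede `m_privkey`, which is initialized from it), which deserves a comment on the member: `// declared before m_privkey: the ctor passes it to the key constructor`.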
@@ -274,16 +271,94 @@ std::vector<uint8_t> ECDSA_Timing_Test::prepare_input(std::string input)
 ticks ECDSA_Timing_Test::measure_critical_function(std::vector<uint8_t> input)
 {
 const Botan::BigInt k(input.data(), input.size());
- const Botan::BigInt msg(Timing_Test::timing_test_rng(), m_order.bits());
+ const Botan::BigInt msg(5); // fixed message to minimize noise
 ticks start = get_ticks();
 //The following ECDSA operations involve and should not leak any information about k.
- const Botan::PointGFp k_times_P = m_base_point.blinded_multiply(k, Timing_Test::timing_test_rng());
- const Botan::BigInt r = m_mod_order.reduce(k_times_P.get_affine_x());
- const Botan::BigInt s = m_mod_order.multiply(inverse_mod(k, m_order), mul_add(m_x, r, msg));
- BOTAN_UNUSED(r);
- BOTAN_UNUSED(s);
+
+ const Botan::BigInt k_inv = Botan::inverse_mod(k, m_group.get_order());
+ const Botan::PointGFp k_times_P = m_group.blinded_base_point_multiply(k, Timing_Test::timing_test_rng(), m_ws);
+ const Botan::BigInt r = m_group.mod_order(k_times_P.get_affine_x());
+ const Botan::BigInt s = m_group.multiply_mod_order(k_inv, mul_add(m_x, r, msg));
+
+ BOTAN_UNUSED(r, s);
+
+ ticks end = get_ticks();
+
+ return (end - start);
+ }
+
+#endif
+
+#if defined(BOTAN_HAS_EC_CURVE_GFP)
+
+class ECC_Mul_Timing_Test final : public Timing_Test
+ {
+ public:
+ ECC_Mul_Timing_Test(std::string ecgroup) :
+ m_group(ecgroup)
+ {}
+
+ std::vector<uint8_t> prepare_input(std::string input) override;
+ ticks measure_critical_function(std::vector<uint8_t> input) override;
+
+ private:
+ const Botan::EC_Group m_group;
+ std::vector<Botan::BigInt> m_ws;
+ };
+
+std::vector<uint8_t> ECC_Mul_Timing_Test::prepare_input(std::string input)
+ {
+ const std::vector<uint8_t> input_vector = Botan::hex_decode(input);
+ return input_vector;
+ }
+
+ticks ECC_Mul_Timing_Test::measure_critical_function(std::vector<uint8_t> input)
+ {
+ const Botan::BigInt k(input.data(), input.size());
+
+ ticks start = get_ticks();
+
+ const Botan::PointGFp k_times_P = m_group.blinded_base_point_multiply(k, Timing_Test::timing_test_rng(), m_ws);
+
+ ticks end = get_ticks();
+
+ return (end - start);
+ }
+
+#endif
+
+#if defined(BOTAN_HAS_NUMBERTHEORY)
+
+class Invmod_Timing_Test final : public Timing_Test
+ {
+ public:
+ Invmod_Timing_Test(size_t p_bits)
+ {
+ m_p = Botan::random_prime(timing_test_rng(), p_bits);
+ }
+
+ std::vector<uint8_t> prepare_input(std::string input) override;
+ ticks measure_critical_function(std::vector<uint8_t> input) override;
+
+ private:
+ Botan::BigInt m_p;
+ };
+
+std::vector<uint8_t> Invmod_Timing_Test::prepare_input(std::string input)
+ {
+ const std::vector<uint8_t> input_vector = Botan::hex_decode(input);
+ return input_vector;
+ }
+
+ticks Invmod_Timing_Test::measure_critical_function(std::vector<uint8_t> input)
+ {
+ const Botan::BigInt k(input.data(), input.size());
+
+ ticks start = get_ticks();
+
+ const Botan::BigInt inv = inverse_mod(k, m_p);
 ticks end = get_ticks();
@@ -458,6 +533,20 @@ std::unique_ptr<Timing_Test> Timing_Test_Command::lookup_timing_test(const std::
 }
 #endif
+#if defined(BOTAN_HAS_EC_CURVE_GFP)
+ if(test_type == "ecc_mul")
+ {
+ return std::unique_ptr<Timing_Test>(new ECC_Mul_Timing_Test("brainpool512r1"));
+ }
+#endif
+
+#if defined(BOTAN_HAS_NUMBERTHEORY)
+ if(test_type == "inverse_mod")
+ {
+ return std::unique_ptr<Timing_Test>(new Invmod_Timing_Test(512));
+ }
+#endif
+
 #if defined(BOTAN_HAS_TLS_CBC)
 if(test_type == "lucky13sha1sec3" || test_type == "lucky13sha1sec4")
 {
|
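Review bot: `Invmod_Timing_Test(size_t p_bits)` draws a fresh `random_prime` on every construction, so unless `timing_test_rng()` is deterministically seeded (not visible here) two runs of the `inverse_mod` test measure different moduli and their timing distributions are not directly comparable; if the goal is to detect leakage on `k` alone, fix the modulus or state the choice with `// m_p is chosen per run; timings are only comparable within one run`. Both new single-argument constructors should be `explicit` (`explicit ECC_Mul_Timing_Test(std::string ecgroup)`, `explicit Invmod_Timing_Test(size_t p_bits)`), and `m_p` can be set in the initializer list, `: m_p(Botan::random_prime(timing_test_rng(), p_bits)) {}`, instead of being assigned in the body. The two `prepare_input` overrides are byte-identical copies (`hex_decode` into a vector), as is the ECDSA test's presumably; a shared helper on `Timing_Test` would remove the duplication. The hunk's trailing context line `ticks end = get_ticks();` now belongs to `Invmod_Timing_Test::measure_critical_function`, whose `return` and closing brace lie outside the hunk.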
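Review bot: The `ecc_mul` and `inverse_mod` entries hard-code `"brainpool512r1"` and `512` without explanation, although the new test classes take the group name and prime size as parameters; a short comment on each `return`, such as `// fixed parameters so that separate runs are comparable`, would make the choice deliberate. If the command lists or validates the known test names elsewhere in this file (not visible in the hunk), the two new names need to be added there as well. The raw `new` inside `std::unique_ptr<Timing_Test>(...)` matches the surrounding entries, so it is consistent with the file's existing style.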