path: root/src/lib/pubkey
Commit message | Author | Age | Files | Lines

* Add message to BOTAN_ARG_CHECK and use it more widely
  Jack Lloyd, 2018-05-13, 1 file, -0/+1

* Add a comment on side channels here
  Jack Lloyd, 2018-04-26, 1 file, -4/+5

* Remove unused include
  Jack Lloyd, 2018-04-26, 1 file, -1/+0

* Add final annotations [ci skip]
  Jack Lloyd, 2018-04-24, 1 file, -3/+3

* Add BigInt::mod_sub
  Jack Lloyd, 2018-04-23, 2 files, -93/+63

* Use EC_Group::inverse_mod_order where appropriate
  Jack Lloyd, 2018-04-20, 2 files, -6/+3

* Add Fermat based inversion of P-384 field elements
  Jack Lloyd, 2018-04-19, 1 file, -0/+72

  Cuts about 100K cycles from the inversion, improving ECDSA sign by 10% and
  ECDH by ~2%

  Addition chain from https://briansmith.org/ecc-inversion-addition-chains-01

  GH #1479

* Add field inversion for P-521
  Jack Lloyd, 2018-04-18, 1 file, -0/+68

  ECDSA sign about 10% faster, ECDSA verify and ECDH about 5% faster.

* Add optimized inversion for P-256
  Jack Lloyd, 2018-04-18, 1 file, -0/+75

  Could be slightly more clever here but this is pretty decent.

  GH #1479

* Add EC_Group::inverse_mod_order
  Jack Lloyd, 2018-04-17, 6 files, -6/+21

  Centralizing this logic allows curve specific implementations such as
  using a precomputed ladder for exponentiating by p - 2

  GH #1479
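Worked example of the technique behind the inversion commits above (P-384, P-521, P-256 field inversion and EC_Group::inverse_mod_order). This is added illustration, not Botan's code: it inverts a prime-field element as x^(p-2) mod p with an operation schedule that depends only on the public modulus, and sets that against extended Euclid, whose loop count follows the secret input. The function names and the operation counters are this example's own; Botan's curve-specific routines replace the plain square-and-multiply ladder with a tuned addition chain (the commit links the one used for P-384), but the shape is the same.

```python
# Added example, not Botan's code. Fermat inversion with a fixed schedule
# versus extended Euclid with a data-dependent loop.

P384 = 2**384 - 2**128 - 2**96 + 2**32 - 1
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def fermat_inverse(x, p):
    """Return (x^-1 mod p, (squarings, multiplications)).

    The loop walks the bits of p-2, so which operations run, and how many,
    is decided by p alone and never by x. Zero has no inverse; by the usual
    convention it maps to 0 (0 * anything stays 0 through the ladder)."""
    x %= p
    bits = bin(p - 2)[3:]            # exponent is public; skip its leading 1
    acc, squarings, mults = x, 0, 0
    for bit in bits:
        acc = acc * acc % p
        squarings += 1
        if bit == "1":
            acc = acc * x % p
            mults += 1
    return acc, (squarings, mults)


def euclid_inverse(x, p):
    """Extended Euclid: same answer, but the iteration count and the
    quotients fed to the divisions depend on x (variable time)."""
    r0, r1, s0, s1, steps = p, x % p, 0, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
        steps += 1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % p, steps


def inverse_mod_order(k, order=P256_ORDER):
    """ECDSA needs k^-1 mod n. The group order n is prime, so the same
    Fermat route applies; this mirrors what a centralized
    inverse_mod_order hook makes possible (illustrative name)."""
    return fermat_inverse(k, order)[0]
```

The counters make the property visible: two different inputs give identical (squarings, multiplications) pairs from fermat_inverse, while euclid_inverse already needs a different number of steps for x = 1 and x = 2. Tailored addition chains reduce the multiplication count of the ladder but keep its input-independence.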
* Precompute for multiexponentiation when verifying ECC signatures
  Jack Lloyd, 2018-04-17, 4 files, -15/+19

  ECDSA already did this. Improves repeated ECGDSA, ECKCDSA, SM2, and GOST
  signature verification by 10-15%

* Avoid potential side channel when generating RSA primes
  Jack Lloyd, 2018-04-17, 1 file, -2/+6

  Add a new function dedicated to generating RSA primes.

  Don't test for p.bits() > bits until the very end - rarely happens, and
  speeds up prime generation quite noticeably.

  Add Miller-Rabin error probabilities for 1/2**128, which again speeds up
  RSA keygen and DL param gen quite a bit.

* Add const time annotations
  Jack Lloyd, 2018-04-15, 1 file, -1/+1

* Add an explicit test mode build
  Jack Lloyd, 2018-04-14, 1 file, -2/+2

  GH #1537

* Merge GH #1538 Minor ECC optimizations
  Jack Lloyd, 2018-04-14, 7 files, -21/+105

  * Various minor ECC optimizations
    Jack Lloyd, 2018-04-13, 7 files, -21/+105

    Add a way of getting Montgomery representation of one.

    Reduce use of temporaries in variable point mult.

    Prefer doubling over addition in precomputing fixed window.

    Add Brainpool ECDH tests

    Improves ECDH by 2-3% across the board

* Merge GH #1531 Improve XMSS test coverage
  Jack Lloyd, 2018-04-14, 3 files, -12/+8

  * Removes unused overload in XMSS_Hash
    Matthias Gierlings, 2018-04-12, 2 files, -12/+0

    - Removes overload `XMSS_Hash::h_msg_update(secure_vector<uint8_t>&)`

  * Codecov - cover MT code in XMSS_PrivateKey
    Matthias Gierlings, 2018-04-12, 1 file, -0/+8

    Codecov does not reach all parts of the `XMSS_PrivateKey` code because
    too few cores are detected during the CI run. To cover the missed
    codepaths always return a large enough core count if botan is compiled
    with coverage.

* Merge GH #1537 Add missing XMSS signature length check
  Jack Lloyd, 2018-04-12, 2 files, -22/+21

  * Adds missing XMSS signature length check.
    Matthias Gierlings, 2018-04-12, 2 files, -22/+21

    - Fixes out of bounds read in `XMSS_Signature` constructor when the raw
      signature data supplied as arguments is shorter than the signature
      size defined by the XMSS parameter set encoded in the
      `XMSS_PublicKey`.
    - Fixes valid signatures with arbitrary appended data being verified as
      correct signatures.

* In XMSS_Tools::bench_threads only call hardware_concurrency once
  Jack Lloyd, 2018-04-12, 1 file, -7/+9

  Getting this value will typically require either a system call or a cpuid
  call, both of which are fairly expensive.

* Optimize EC point doubling for a == 0 and a == -3
  Jack Lloyd, 2018-04-11, 3 files, -9/+61

* Add EC_Group::a_is_zero
  Jack Lloyd, 2018-04-11, 2 files, -1/+14

* Add DL_Group::exponent_bits
  Jack Lloyd, 2018-04-09, 4 files, -7/+25

  Just a useful helper

* Add a Montgomery exponentiation that takes variable time
  Jack Lloyd, 2018-04-09, 1 file, -7/+14

  In the case of RSA encryption/verification the public exponent is...
  public. So we don't need to carefully guard against side channels that
  leak the exponent.

  Improves RSA verification performance by 50% or more.

* Add RAII versions of get_cipher_mode and get_aead
  Jack Lloyd, 2018-04-07, 3 files, -14/+5

  See also #1526

* Add pk_workfactor CLI and refactor workfactor estimator functions
  Jack Lloyd, 2018-04-05, 1 file, -12/+19

  No reason to duplicate the NFS workfactor estimator twice

* Merge GH #1523 RSA optimizations and exponent blinding
  Jack Lloyd, 2018-04-04, 2 files, -25/+53

  * Work around a bug in MSVC lambda handling
    Jack Lloyd, 2018-04-04, 1 file, -1/+1

  * Add RSA exponent blinding
    Jack Lloyd, 2018-04-04, 2 files, -5/+14

    Additional paranoia never hurt.

  * Tweak how RSA private operations are performed
    Jack Lloyd, 2018-04-04, 1 file, -25/+44

    Improves perf by about 15%
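Worked example tying together three of the RSA commits above: dedicated RSA prime generation with Miller-Rabin, a variable-time public operation (the exponent is public), and a private operation that blinds both the base and the exponent. This is added illustration, not Botan's code: the function names are this example's own, the Miller-Rabin round count is a plain fixed number rather than Botan's per-size probability table, and the exponent is blinded with a random multiple of phi(n) (a CRT implementation would blind with multiples of p-1 and q-1 instead). Requires Python 3.8+ for pow(x, -1, m).

```python
# Added example, not Botan's code: RSA prime generation, keygen, and a
# base- and exponent-blinded private operation.
import math
import secrets

SMALL_PRIMES = (3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53,
                59, 61, 67, 71, 73, 79, 83, 89, 97)


def miller_rabin(n, rounds=40):
    """Probable-prime test. A composite survives one round with probability
    at most 1/4, so rounds=40 bounds the error by 2**-80 (fixed here for
    illustration; a real library picks rounds from the candidate size)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:          # cheap sieve before any exponentiation
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)      # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                      # a is a witness: composite
    return True


def generate_prime(bits):
    """Candidates are odd with the top two bits set, so p*q of two such
    primes has exactly 2*bits bits and no size check is needed in the
    loop; the loop's work is dominated by the (uniform) sieve and test."""
    assert bits >= 16
    top = (1 << (bits - 1)) | (1 << (bits - 2))
    while True:
        cand = secrets.randbits(bits) | top | 1
        if miller_rabin(cand):
            return cand


def rsa_keygen(bits, e=65537):
    while True:
        p, q = generate_prime(bits // 2), generate_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi), "p": p, "q": q}


def rsa_public(key, m):
    # e and n are both public: a variable-time exponentiation leaks nothing.
    return pow(m, key["e"], key["n"])


def rsa_private_blinded(key, c):
    n, e, d = key["n"], key["e"], key["d"]
    phi = (key["p"] - 1) * (key["q"] - 1)
    # Base blinding: exponentiate r^e * c instead of c, then divide out r.
    while True:
        r = secrets.randbelow(n)
        if r > 1 and math.gcd(r, n) == 1:
            break
    c_blind = c * pow(r, e, n) % n
    # Exponent blinding: d + t*phi(n) yields the same result for every
    # input (m^(phi+1) == m mod n holds for all m), but the exponent bit
    # pattern a side channel could observe changes on every call.
    d_blind = d + secrets.randbits(64) * phi
    m_blind = pow(c_blind, d_blind, n)
    return m_blind * pow(r, -1, n) % n
```

Both blindings are cheap relative to the private exponentiation and are independent: base blinding decorrelates the operand from the ciphertext, exponent blinding decorrelates the exponent from d across calls.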
* Add DL_Group::monty_params_p to get Montgomery params
  Jack Lloyd, 2018-04-04, 2 files, -2/+13

* Fix problems with failure to build in various configurations
  Jack Lloyd, 2018-03-31, 1 file, -1/+1

* Minor DH optimization
  Jack Lloyd, 2018-03-28, 1 file, -4/+6

  Saves 30k-170k cycles depending on param size.

* Fix some Doxygen errors
  Jack Lloyd, 2018-03-28, 1 file, -0/+12

* Fix carry bugs introduced in 8a7559e4f8ad
  Jack Lloyd, 2018-03-27, 2 files, -22/+23

* Handle some corner cases in ECC mult
  Jack Lloyd, 2018-03-25, 3 files, -5/+19

  For blinded_base_point_multiply_x if result is point at infinity (eg due
  to k == group_order) return 0 instead of throwing.

  For base point multiply, reduce k mod order before masking otherwise the
  combination of k + mask might exceed our precomputed table.

* Add warning comment
  Jack Lloyd, 2018-03-22, 1 file, -0/+6

* Add back mul/sqr to CurveGFp [ci skip]
  Jack Lloyd, 2018-03-22, 1 file, -0/+10

  These were available in 2.4 and while users "shouldn't" be using
  CurveGFp, it is an exposed API.

* Revamp GOST-34.10 tests
  Jack Lloyd, 2018-03-21, 1 file, -6/+1

  Use an official vector (from RFC 5832), support arbitrary curves since
  GOST likes those for testing.

* Add EC_Group::random_scalar
  Jack Lloyd, 2018-03-21, 8 files, -6/+16

* Remove bogus -1 from DSA key generation
  Jack Lloyd, 2018-03-21, 1 file, -1/+1

  GH #222

* Throw Lookup_Error here for benefit of tests
  Jack Lloyd, 2018-03-21, 1 file, -2/+2

* Change DSA behavior similarly
  Jack Lloyd, 2018-03-21, 1 file, -2/+2

* Shift ECDSA inputs to match OpenSSL behavior
  Jack Lloyd, 2018-03-21, 2 files, -4/+4

  See also GH #986

* Remove unused variables [ci skip]
  Jack Lloyd, 2018-03-21, 2 files, -4/+0

* Add another Ed25519 helper to save a few hundred redundant lines
  Jack Lloyd, 2018-03-20, 3 files, -301/+106

  No impact on performance.

* Add some helpers for handling carries in Ed25519
  Jack Lloyd, 2018-03-20, 4 files, -893/+491

* Store base point multiplies in a single std::vector
  Jack Lloyd, 2018-03-20, 6 files, -30/+158

  Since the point is public all the values are also, so this reduces
  pressure on the mlock allocator and may (slightly) help perf through
  cache read-ahead.

  Downside is cache based side channels are slightly easier (vs the data
  being stored in discontiguous vectors). But we shouldn't rely on that in
  any case. And having it be in an array makes a masked table lookup easier
  to arrange.
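Worked example for the two base-point-multiplication commits above ("Handle some corner cases in ECC mult" and "Store base point multiplies in a single std::vector"). This is added illustration in plain Python, not Botan's code: affine P-256 arithmetic shows that a scalar equal to the group order yields the point at infinity (returned as x = 0 rather than thrown), that a blinded scalar has to be built from k reduced mod the order so its width stays inside what the precomputed table walk is sized for, and how a fixed-window base-point multiply reads its contiguous table with a mask instead of a secret-dependent index. The function names, the (0, 0) sentinel for infinity and the 64-bit mask width are this example's choices. Python gives no timing guarantees; the access pattern is what the example demonstrates. Requires Python 3.8+ for pow(x, -1, p).

```python
# Added example, not Botan's code: P-256 corner cases and a masked
# fixed-window table lookup.
import secrets

P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
INF = (0, 0)   # (0, 0) is not on P-256 (b != 0), so it is a safe sentinel


def on_curve(pt):
    x, y = pt
    return pt == INF or (y * y - (x * x * x + A * x + B)) % P == 0


def add(p1, p2):
    if p1 == INF:
        return p2
    if p2 == INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:        # p2 == -p1
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Plain double-and-add; the reference and the table builder."""
    acc = INF
    for bit in bin(k)[2:]:
        acc = add(acc, acc)
        if bit == "1":
            acc = add(acc, pt)
    return acc


W = 4
TABLE = [mul(j, G) for j in range(1 << W)]   # one contiguous array: j*G


def ct_select(table, idx):
    """Read every entry; keep the wanted one through an all-ones mask.
    The index steers arithmetic, not which memory is touched."""
    x_acc = y_acc = 0
    for i, (x, y) in enumerate(table):
        mask = -int(i == idx)         # 0 or -1 (all bits set)
        x_acc |= x & mask
        y_acc |= y & mask
    return (x_acc, y_acc)


def fixed_window_base_mult(k, nbits):
    """k*G with a window count fixed by nbits, not by the value of k."""
    assert k.bit_length() <= nbits, "scalar wider than the table walk"
    windows = -(-nbits // W)
    acc = INF
    for shift in range((windows - 1) * W, -1, -W):
        for _ in range(W):
            acc = add(acc, acc)
        acc = add(acc, ct_select(TABLE, (k >> shift) & ((1 << W) - 1)))
    return acc


MASK_BITS = 64
SCALAR_BITS = N.bit_length() + MASK_BITS   # width the table walk is sized for


def blinded_base_point_multiply_x(k):
    """Illustrative counterpart of the commit's function: reduce k mod N
    before adding mask*N so k_blind always fits SCALAR_BITS, and return 0
    (the sentinel's x) instead of raising when the result is infinity."""
    k %= N
    k_blind = k + secrets.randbits(MASK_BITS) * N   # same point: N*G == INF
    return fixed_window_base_mult(k_blind, SCALAR_BITS)[0]
```

The assertion in fixed_window_base_mult is the table-width limit the commit talks about; reducing k first is what makes it hold for every input, and the mask term leaves the result unchanged because N*G is the identity.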