| Commit message | Author | Age | Files | Lines |
Normally all elements will be exact number of limbs as the field.
Any situation with short elements is rare and not worth optimizing
for, and likely leads to some unfortunate side channel.
The size is rounded up to next 8 words so there was substantial
slack here.
No noticeable perf difference.
The previous message was both incorrect and very misleading.
This is the core hotspot of XMSS signatures. Avoiding the
secure_vector allocation for the PRF output improves performance
quite noticeably.
Before:
XMSS_SHA2-256_W16_H10 1940.74 ms/op
XMSS_SHA2-512_W16_H10 3985.98 ms/op
XMSS_SHAKE128_W16_H10 1910.48 ms/op
XMSS_SHAKE256_W16_H10 4074.65 ms/op
After:
XMSS_SHA2-256_W16_H10 1204.34 ms/op
XMSS_SHA2-512_W16_H10 2498.17 ms/op
XMSS_SHAKE128_W16_H10 1176.55 ms/op
XMSS_SHAKE256_W16_H10 2689.76 ms/op
Prior to this patch the sanity check for XMSS leaf indices was wrongly based on
the tree height. As a result only half of the one-time keys could be used.
Instead base leaf index sanity check on the number of levels in a tree which
equals tree height + 1.
(see also: https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12#section-4.1.1)
Making them usable for private key encryption
Let DER_Encoder write to a user specified vector instead of only to an
internal vector. This allows encoding to a std::vector without having
to first write to a locked vector and then copying out the result.
Add ASN1_Object::BER_encode convenience method. Replaces
X509_Object::BER_encode which had the same logic but was restricted to
a subtype. This replaces many cases where DER_Encoder was just used
to encode a single object (X509_DN, AlgorithmIdentifier, etc).
Cuts about 100K cycles from the inversion, improving ECDSA sign by 10%
and ECDH by ~2%
Addition chain from https://briansmith.org/ecc-inversion-addition-chains-01
GH #1479
ECDSA sign about 10% faster, ECDSA verify and ECDH about 5% faster.
Could be slightly more clever here but this is pretty decent.
GH #1479
Centralizing this logic allows curve specific implementations such
as using a precomputed ladder for exponentiating by p - 2
GH #1479
ECDSA already did this. Improves repeated ECGDSA, ECKCDSA, SM2,
and GOST signature verification by 10-15%
Add a new function dedicated to generating RSA primes.
Don't test for p.bits() > bits until the very end - rarely happens,
and speeds up prime generation quite noticeably.
Add Miller-Rabin error probabilities for 1/2**128, which again
speeds up RSA keygen and DL param gen quite a bit.
GH #1537
Add a way of getting Montgomery representation of one.
Reduce use of temporaries in variable point mult.
Prefer doubling over addition in precomputing fixed window.
Add Brainpool ECDH tests
Improves ECDH by 2-3% across the board
- Removes overload `XMSS_Hash::h_msg_update(secure_vector<uint8_t>&)`
Codecov does not reach all parts of the `XMSS_PrivateKey` code because too few
cores are detected during the CI run. To cover the missed codepaths always
return a large enough core count if botan is compiled with coverage.
- Fixes out of bounds read in `XMSS_Signature` constructor when the raw
signature data supplied as arguments is shorter than the signature size
defined by the XMSS parameter set encoded in the `XMSS_PublicKey`.
- Fixes valid signatures with arbitrary appended data to be verified as
correct signature.
Getting this value will typically require either a system call or
a cpuid call, both of which are fairly expensive.
Just a useful helper
In the case of RSA encryption/verification the public exponent is...
public. So we don't need to carefully guard against side channels
that leak the exponent.
Improves RSA verification performance by 50% or more.
See also #1526
No reason to duplicate the NFS workfactor estimator twice
Additional paranoia never hurt.
Improves perf by about 15%
Saves 30k-170k cycles depending on param size.