Comments on the change: Mitigate a flush+reload cache attack on RSA secret exponents
NIIBE Yutaka
gniibe at fsij.org
Thu Aug 8 07:20:00 CEST 2013
For the commit of 287bf0e543f244d784cf8b58340bf0ab3c6aba97, I add my
git notes below.
I realized that git notes are basically local stuff, and we need some
practice to share notes.
If this is useful, I'd like to push my notes using the namespace
'gniibe', that is, refs/notes/gniibe (to avoid conflict). Or should I
use refs/notes/commits?
--------------------------------------
Here are results on my notebook PC (Pentium M 1.10GHz).
We have a performance regression. But the possible change of SQR->MUL
will be comparable to the original.
Original:
Call SQR and then, call MUL only when E's bit is 1.
====================== original =====================
$ ./tests/benchmark rsa
Algorithm generate 100*sign 100*verify
------------------------------------------------
RSA 1024 bit 340ms 860ms 30ms
RSA 2048 bit 870ms 5510ms 110ms
RSA 3072 bit 6440ms 16930ms 210ms
RSA 4096 bit 17470ms 37270ms 360ms
Current fix:
Call MUL always, regardless of E's bit.
====================== Always MUL ===================
$ ./tests/benchmark rsa
Algorithm generate 100*sign 100*verify
------------------------------------------------
RSA 1024 bit 210ms 1180ms 30ms
RSA 2048 bit 2040ms 7450ms 110ms
RSA 3072 bit 21720ms 21960ms 210ms
RSA 4096 bit 25290ms 49680ms 360ms
Possible change to recover performance regression:
For first SQR, use MUL instead.
Then, call MUL only when E's bit is 1.
====================== SQR->MUL =====================
$ ./tests/benchmark rsa
Algorithm generate 100*sign 100*verify
------------------------------------------------
RSA 1024 bit 100ms 870ms 30ms
RSA 2048 bit 860ms 5570ms 100ms
RSA 3072 bit 12430ms 16600ms 210ms
RSA 4096 bit 32000ms 37470ms 360ms
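As an added example (not the commit's or libgcrypt's code), the three exponentiation loops benchmarked above, modelled on 64-bit words instead of MPIs; each routine counts its sqr()/mul() calls so the dependence of the call pattern on the exponent bits can be checked. Reading "SQR->MUL" as calling mul(r, r) in place of sqr(r) is my assumption.

```c
/* Added example, not libgcrypt code: three variants of left-to-right
 * binary exponentiation, with counters for the sqr()/mul() calls.
 * The original loop calls mul() only for 1 bits; "Always MUL" calls it
 * in every iteration; "SQR->MUL" (assumed reading) never calls sqr(). */
#include <stdint.h>

static unsigned long n_sqr, n_mul;   /* call counters, reset by powm() */

static uint64_t mul(uint64_t a, uint64_t b, uint64_t m)
{ n_mul++; return (uint64_t)(((unsigned __int128)a * b) % m); }

static uint64_t sqr(uint64_t a, uint64_t m)
{ n_sqr++; return (uint64_t)(((unsigned __int128)a * a) % m); }

enum variant { ORIGINAL, ALWAYS_MUL, SQR_TO_MUL };

/* base^e mod m, scanning e from its most significant set bit down.
 * Leaves the number of sqr()/mul() calls in n_sqr/n_mul. */
static uint64_t powm(uint64_t base, uint64_t e, uint64_t m, enum variant v)
{
    uint64_t r = base, tmp;
    int i;
    n_sqr = n_mul = 0;
    if (e == 0)
        return 1 % m;
    for (i = 63; i > 0 && !((e >> i) & 1); i--) ;   /* top set bit */
    for (i--; i >= 0; i--) {
        int bit = (e >> i) & 1;
        switch (v) {
        case ORIGINAL:      /* SQR, then MUL only when the bit is 1 */
            r = sqr(r, m);
            if (bit) r = mul(r, base, m);
            break;
        case ALWAYS_MUL:    /* SQR, then MUL always; keep it only for a 1 bit */
            r = sqr(r, m);
            tmp = mul(r, base, m);
            if (bit) r = tmp;
            break;
        case SQR_TO_MUL:    /* assumed: MUL(r, r) replaces SQR(r) */
            r = mul(r, r, m);
            if (bit) r = mul(r, base, m);
            break;
        }
    }
    return r;
}
```

With e = 11 (binary 1011) every variant returns 3^11 = 177147, but the original performs 3 sqr and 2 mul calls, "Always MUL" 3 and 3, and "SQR->MUL" 0 and 5.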