On Sunday, June 14, 2015 at 12:04:46 AM UTC-4, Jeffrey Walton wrote:
>
> Hi Everyone,
>
> Attached is a proposed patch for CVE-2015-2141 mitigation, blinding and
> OpenMP support. Information can be found at Evgeny Sidorov's "Breaking the
> Rabin-Williams digital signature system...",
> https://eprint.iacr.org/2015/368.
>
> The goals of the patch were to:
>
> (1) mitigate CVE-2015-2141
> (2) improve CalculateInverse efficiency
>
> There are two mitigations available for (1). First is to disable blinding
> (A). Second is to ensure the blinding value satisfies preconditions (B).
> Both are available in the patch. By default, blinding is enabled, so
> existing behavior is preserved.
>
> For (2), Bernstein's Tweaked Roots was provided with precomputation. It's
> controlled by CRYPTOPP_USE_RW_TWEAKED_ROOTS in config.h. It is enabled by
> default.
>
> More details are below and in the patch.
>
> Any feedback or comments are welcomed.
> ...
>
I ran some more complete benchmarks with the P1363 algorithm versus Bernstein's Tweaked Roots. Here are the numbers with and without OMP. The results below test 5000 signing operations in a tight loop on an Intel i5 with 4 cores. I get similar numbers (relatively speaking) on other processors.

Using Tweaked Roots, without OMP
* 9750 milliseconds

Using P1363, without OMP
* 12250 milliseconds

Using Tweaked Roots, with OMP
* 10250 milliseconds

Using P1363, with OMP
* 18250 milliseconds

Based on the numbers, I don't see a need for CRYPTOPP_USE_RW_TWEAKED_ROOTS. There could be a need for CRYPTOPP_USE_RW_TWEAKED_ROOTS if Bernstein was wrong, but I don't think that's likely. We probably have a better chance of winning the lottery...

Does anyone know a reason to retain the P1363 algorithm as a fallback controlled through CRYPTOPP_USE_RW_TWEAKED_ROOTS?

Jeff

--
You received this message because you are subscribed to the "Crypto++ Users" Google Group. To unsubscribe, send an email to [email protected]. More information about Crypto++ and this group is available at http://www.cryptopp.com.
