Hey Jeffrey, if I'm understanding things right, dropping P1363 style won't drop any compatibility, meaning the tweaked square roots only speed up signing and change internal storage of the private keys, but public keys and signatures stay the same? If so I don't see any reason to hold the tweaked roots back and we can drop P1363 here no problem.
Now another question: Do you have any idea why the performance /drops/ when OMP is /enabled/?

BR
JPM

On 27.06.2015 at 02:21, Jeffrey Walton wrote:
>
> On Sunday, June 14, 2015 at 12:04:46 AM UTC-4, Jeffrey Walton wrote:
>
> Hi Everyone,
>
> Attached is a proposed patch for CVE-2015-2141 mitigation, blinding and OpenMP support. Information can be found at Evgeny Sidorov's "Breaking the Rabin-Williams digital signature system...", https://eprint.iacr.org/2015/368.
>
> The goals of the patch were to:
>
> (1) mitigate CVE-2015-2141
> (2) improve CalculateInverse efficiency
>
> There are two mitigations available for (1). First is to disable blinding (A). Second is to ensure the blinding value satisfies preconditions (B). Both are available in the patch. By default, blinding is enabled, so existing behavior is preserved.
>
> For (2), Bernstein's Tweaked Roots was provided with precomputation. It's controlled by CRYPTOPP_USE_RW_TWEAKED_ROOTS in config.h. It is enabled by default.
>
> More details are below and in the patch.
>
> Any feedback or comments are welcomed.
> ...
>
> I ran some more complete benchmarks with the P1363 algorithm versus Bernstein's Tweaked Roots. Here are the numbers with and without OMP. The results below test 5000 signing operations in a tight loop on an Intel i5 with 4 cores. I get similar numbers (relatively speaking) on other processors.
>
> Using Tweaked Roots, without OMP
> * 9750 milliseconds
>
> Using P1363, without OMP
> * 12250 milliseconds
>
> Using Tweaked Roots, with OMP
> * 10250 milliseconds
>
> Using P1363, with OMP
> * 18250 milliseconds
>
> Based on the numbers, I don't see a need for CRYPTOPP_USE_RW_TWEAKED_ROOTS. There could be a need for CRYPTOPP_USE_RW_TWEAKED_ROOTS if Bernstein was wrong, but I don't think that's likely. We probably have a better chance of winning the lottery...
>
> Does anyone know a reason to retain the P1363 algorithm as a fallback controlled through CRYPTOPP_USE_RW_TWEAKED_ROOTS?
>
> Jeff
>
> --
> You received this message because you are subscribed to the "Crypto++ Users" Google Group.
> To unsubscribe, send an email to [email protected].
> More information about Crypto++ and this group is available at http://www.cryptopp.com.
> ---
> You received this message because you are subscribed to the Google Groups "Crypto++ Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
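The tweaked-root signing and mitigation (B) from Jeff's quoted message can be walked through on toy numbers. The block below is an added example, not code from the patch or from Crypto++: it selects Bernstein's (e, f) tweak from the Legendre symbols of the hash, takes the principal square root by CRT, optionally blinds with a value r that has Legendre symbol +1 mod both primes (that precondition is this example's assumption; the patch's exact condition is not shown in the thread), and self-checks the signature before returning it. The primes and hash values are constructed and far too small for real use.

```python
# Rabin-Williams signing with Bernstein-style (e, f) tweaks; constructed example, not Crypto++ code.
from math import gcd
from random import randrange

P, Q = 1019, 1031   # constructed toy primes with P = 3 (mod 8), Q = 7 (mod 8); not a real key size
N = P * Q

def legendre(a, m):
    """Legendre symbol (a/m) for an odd prime m, via Euler's criterion."""
    a %= m
    return 0 if a == 0 else (1 if pow(a, (m - 1) // 2, m) == 1 else -1)

def tweak(h):
    """Pick e in {1, -1}, f in {1, 2} so that e*f*h is a square mod P and mod Q.
    For these residues (2/P) = -1, (2/Q) = +1 and (-1/P) = (-1/Q) = -1."""
    f = 1 if legendre(h, P) == legendre(h, Q) else 2   # f = 2 flips the symbol mod P only
    e = 1 if legendre(f * h, Q) == 1 else -1            # e = -1 flips both symbols
    return e, f

def principal_root(x):
    """The root of a square x mod N with Legendre symbol +1 mod P and mod Q (P, Q = 3 mod 4)."""
    rp, rq = pow(x, (P + 1) // 4, P), pow(x, (Q + 1) // 4, Q)
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N   # CRT recombination

def verify(h, sig):
    e, f, s = sig
    return e in (1, -1) and f in (1, 2) and 0 < s < N and (s * s - e * f * h) % N == 0

def sign(h, blind=False, check_blinding=True):
    e, f = tweak(h)
    x = (e * f * h) % N
    if not blind:
        s = principal_root(x)
    else:
        # Precondition used here (example's assumption): r has Legendre symbol +1 mod both
        # primes, so unblinding t*r^-1 lands on the same root as the unblinded path.
        r = randrange(2, N)
        while gcd(r, N) != 1 or (check_blinding and
                                  (legendre(r, P) != 1 or legendre(r, Q) != 1)):
            r = randrange(2, N)
        t = principal_root((x * r * r) % N)   # r^2 is a square, so the tweak (e, f) is unchanged
        s = t * pow(r, -1, N) % N
    sig = (e, f, min(s, N - s))   # this example's canonical choice between s and -s
    # Release check: never emit a value that is not a root of e*f*h; for Rabin-type schemes
    # a wrong root can be enough to recover the factorization of N.
    if not verify(h, sig):
        raise RuntimeError("signature failed self-check, not releasing it")
    return sig
```

With the precondition enforced, blinded and unblinded signing return the identical (e, f, s); with `check_blinding=False` the blinded path still verifies but may land on a different one of the four roots.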
