1284941 - Constant-time 32 bit implementation of P384

Status: RESOLVED FIXED

(NSS :: Libraries, defect, P2)

Description

[Watson Ladd]

I've now got a constant time 32-bit implementation of P384 which manages to outperform the code that currently runs, at least on my machine. (We don't seem to have enabled the NIST prime specific optimizations).

Comment 1

[Watson Ladd]

Attachment: constant.diff

Comment 2

[Watson Ladd]

Hold off: there is a problem in certuitil tests I need to track down. We've got known answer tests outside of tree which pass, so this might take a while.

Comment 3

[Watson Ladd]

I'm not sure what info is needed. I've hunted down the bug, running full tests to be sure, and then going to make another patch/try codereview as well as it is a rather big patch. It does give more performance, and if you want I can even go to combs for extra ECDSA signing performance.

The severity on servers is moderately bad. We're using wNAF and leaking a lot through choices of slow function calls and memory accesses. I expect that if someone tried to write a paper exploiting this on AWS, they would not have very much trouble: similar papers have been written for much smaller signals.(see for instance https://eprint.iacr.org/2013/346.pdf)

Comment 4

[Watson Ladd]

Attachment: A corrected patch that passes all tests in all.sh

Reorders two arguments and removes some code.

Comment 5

[Franziskus Kiefer [:franziskus]]

This is, same as bug 1281548, sec-low as far as Firefox is considered and sec-moderate for servers.

Comment 6

[Watson Ladd]

Attachment: Passes on treeherder

Comment 7

[Kevin Jacobs [:kjacobs]]

NSS 3.55 replaced both P384 and P521 with verifiable implementations from Fiat-Crypto and ECCKiila. I'm closing this bug as code in question is no longer used in NSS, and to the best of our knowledge no such issues are present in the new code.