Bug 1284941 (Closed)
Opened 8 years ago
Closed 4 years ago
Constant-time 32 bit implementation of P384
Categories: NSS :: Libraries, defect, P2
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: wladd, Assigned: wladd
Keywords: sec-moderate
Attachments: 1 file, 2 obsolete files (29.41 KB, patch)
I've now got a constant time 32-bit implementation of P384 which manages to outperform the code that currently runs, at least on my machine. (We don't seem to have enabled the NIST prime specific optimizations).
Comment 1 • 8 years ago (Assignee)
Attachment #8768471 - Flags: review?(franziskuskiefer)
Comment 2 • 8 years ago (Assignee)
Hold off: there is a problem in certutil tests I need to track down. We've got known answer tests outside of tree which pass, so this might take a while.
Updated • 8 years ago
Flags: needinfo?(wladd)
Keywords: sec-moderate
Comment 3 • 8 years ago (Assignee)
I'm not sure what info is needed. I've hunted down the bug; I'm running full tests to be sure, and then going to make another patch and try code review as well, as it is a rather big patch. It does give more performance, and if you want I can even go to combs for extra ECDSA signing performance.
The severity on servers is moderately bad. We're using wNAF and leaking a lot through choices of slow function calls and memory accesses. I expect that if someone tried to write a paper exploiting this on AWS, they would not have very much trouble: similar papers have been written for much smaller signals (see for instance https://eprint.iacr.org/2013/346.pdf).
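The leak described in this comment comes from reading a precomputed point table at a secret-dependent index, so the cache line touched reveals the window value. The following C example is added here for illustration and is not NSS code or the attached patch: it places a secret-indexed lookup beside a constant-time scan that reads every entry and masks out all but one, plus the constant-time conditional swap a ladder needs. The limb layout (12 x 32-bit limbs), the 16-entry window table and the helper names are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not NSS code. Limb type, table size and helper names
 * are assumptions chosen for the illustration. */

#define LIMBS 12            /* 12 x 32-bit limbs hold a 384-bit value */
#define TABLE_SIZE 16       /* a 4-bit window selects one of 16 precomputed entries */

typedef struct { uint32_t limb[LIMBS]; } fe384;

/* Returns an all-ones mask when a == b and all-zeros otherwise, without branching. */
static uint32_t ct_eq_mask(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;                 /* zero iff equal */
    x |= x >> 16; x |= x >> 8; x |= x >> 4; x |= x >> 2; x |= x >> 1;
    return (uint32_t)0 - ((x & 1) ^ 1); /* low bit clear => equal => 0xFFFFFFFF */
}

/* Variable-time: the address read depends on the secret index, so the cache
 * line touched reveals 'idx' to anyone who can observe cache timing. */
static void lookup_variable_time(fe384 *out, const fe384 table[TABLE_SIZE], uint32_t idx) {
    *out = table[idx];
}

/* Constant-time: every entry is read and masked; the memory access pattern
 * and the instruction count do not depend on 'idx'. */
static void lookup_constant_time(fe384 *out, const fe384 table[TABLE_SIZE], uint32_t idx) {
    for (size_t l = 0; l < LIMBS; l++) out->limb[l] = 0;
    for (uint32_t i = 0; i < TABLE_SIZE; i++) {
        uint32_t mask = ct_eq_mask(i, idx);
        for (size_t l = 0; l < LIMBS; l++)
            out->limb[l] |= table[i].limb[l] & mask;
    }
}

/* Constant-time conditional swap: exchanges a and b when swap == 1 and leaves
 * them alone when swap == 0, executing the same instructions either way. */
static void ct_cswap(fe384 *a, fe384 *b, uint32_t swap) {
    uint32_t mask = (uint32_t)0 - (swap & 1);
    for (size_t l = 0; l < LIMBS; l++) {
        uint32_t t = (a->limb[l] ^ b->limb[l]) & mask;
        a->limb[l] ^= t;
        b->limb[l] ^= t;
    }
}

/* Builds a constructed table where entry i has every limb equal to i + 1 and
 * checks that both lookups return that entry for 'idx'. Returns 1 on success. */
int demo_lookup_agrees(uint32_t idx) {
    fe384 table[TABLE_SIZE];
    for (uint32_t i = 0; i < TABLE_SIZE; i++)
        for (size_t l = 0; l < LIMBS; l++) table[i].limb[l] = i + 1;
    fe384 a, b;
    lookup_variable_time(&a, table, idx);
    lookup_constant_time(&b, table, idx);
    for (size_t l = 0; l < LIMBS; l++)
        if (a.limb[l] != b.limb[l]) return 0;
    return a.limb[0] == idx + 1;
}

/* Returns the first limb of 'a' after a conditional swap of constructed values 7 and 9. */
uint32_t demo_cswap_first_limb(uint32_t swap) {
    fe384 a, b;
    for (size_t l = 0; l < LIMBS; l++) { a.limb[l] = 7; b.limb[l] = 9; }
    ct_cswap(&a, &b, swap);
    return a.limb[0];
}

int main(void) {
    for (uint32_t i = 0; i < TABLE_SIZE; i++)
        printf("index %2u: %s\n", i, demo_lookup_agrees(i) ? "ok" : "MISMATCH");
    printf("cswap(0) -> %u, cswap(1) -> %u\n",
           demo_cswap_first_limb(0), demo_cswap_first_limb(1));
    return 0;
}
```

The scan costs TABLE_SIZE reads instead of one, which is the price of removing the secret-dependent address; a real implementation would also handle the sign of the window digit with a masked negation rather than a branch. The masks only stay branch-free if the compiler does not turn them back into conditional jumps, so a finished implementation should be checked at the assembly level or with a tool that traces secret-dependent accesses.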
Comment 4 • 8 years ago (Assignee)
Reorders two arguments and removes some code.
Attachment #8768471 - Attachment is obsolete: true
Attachment #8768471 - Flags: review?(franziskuskiefer)
Attachment #8768936 - Flags: review?(franziskuskiefer)
Comment 5 • 8 years ago
This is, same as bug 1281548, sec-low as far as Firefox is considered and sec-moderate for servers.
Assignee: nobody → wladd
Flags: needinfo?(wladd)
Priority: -- → P2
Comment 6 • 8 years ago (Assignee)
Attachment #8768936 - Attachment is obsolete: true
Attachment #8768936 - Flags: review?(franziskuskiefer)
Updated • 5 years ago
QA Contact: jjones
Comment 7 • 4 years ago
NSS 3.55 replaced both P384 and P521 with verifiable implementations from Fiat-Crypto and ECCKiila. I'm closing this bug as the code in question is no longer used in NSS, and to the best of our knowledge no such issues are present in the new code.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Updated • 4 years ago
Group: crypto-core-security → core-security-release
Updated • 4 years ago
Group: core-security-release