
I've forked this code to add Diffie-Hellman key exchange #8

Open
forthy42 opened this issue Nov 2, 2013 · 5 comments

Comments

@forthy42

forthy42 commented Nov 2, 2013

I've forked this code to add Diffie-Hellman key exchange, so the same keypair can be used for signing and encryption (primitive ge25519_scalarmult; I first wrote a variable-time scalarmult derived from the verifying code, to make sure the constant-time one does the same thing).

The other thing I changed is that I can compile a shared library consisting only of the primitives, not the signing/verifying code itself; as I use SHA-3/Keccak as hash, keeping the actual signature function out of the primitive library makes those experiments easier.

I've also experimented with a high-level implementation that makes GCC generate cmove instructions for the constant-time array loads, which does about the same thing as your recently written assembler code; though I use fewer registers (3 or 4, because starting with 5, gcc thinks a branch is better).

BTW: You don't need to load into a register first, CMOVcc always reads, so you can use a mem operand. Andy Glew originally wanted it to actually load conditionally, but that request was denied, so cmove reg, mem is fine for crypto code - it will always load from mem, regardless of the condition.
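The cross-check forthy42 describes (a variable-time scalar multiplication kept as an oracle for the constant-time one) as an added example; this is not code from the thread or from the repository. It uses a toy group, the multiplicative group modulo a small prime, in place of the ed25519 curve group, so "scalar multiplication" is modular exponentiation and the constant-time routine is a Montgomery ladder with a mask-driven swap. All names and the test scalars are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for the curve group: multiplication modulo a prime small
 * enough that a 64-bit product never overflows. Constructed for this
 * example; it is not the ed25519 group. */
#define TOY_P 1000000007ULL

static uint64_t toy_mul(uint64_t a, uint64_t b) { return (a * b) % TOY_P; }

/* Variable-time square-and-multiply: branches on every scalar bit, so its
 * timing depends on the scalar. Usable as a reference oracle, never on a
 * secret scalar. */
uint64_t toy_scalarmult_vartime(uint64_t base, uint64_t scalar) {
    uint64_t acc = 1;
    for (int i = 63; i >= 0; i--) {
        acc = toy_mul(acc, acc);
        if ((scalar >> i) & 1)
            acc = toy_mul(acc, base);
    }
    return acc;
}

/* Branch-free conditional swap; bit must be exactly 0 or 1. */
static void toy_cswap(uint64_t *a, uint64_t *b, uint64_t bit) {
    uint64_t mask = 0 - bit;          /* 0 or all ones */
    uint64_t t = mask & (*a ^ *b);
    *a ^= t;
    *b ^= t;
}

/* Constant-time Montgomery ladder: every iteration does the same multiply
 * and square regardless of the bit; only the swap mask changes. */
uint64_t toy_scalarmult_ct(uint64_t base, uint64_t scalar) {
    uint64_t r0 = 1, r1 = base;       /* invariant: r1 == r0 * base */
    for (int i = 63; i >= 0; i--) {
        uint64_t bit = (scalar >> i) & 1;
        toy_cswap(&r0, &r1, bit);
        r1 = toy_mul(r0, r1);
        r0 = toy_mul(r0, r0);
        toy_cswap(&r0, &r1, bit);
    }
    return r0;
}

/* The cross-check itself: 1 iff both routines agree on every scalar. */
int toy_cross_check(uint64_t base, const uint64_t *scalars, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (toy_scalarmult_vartime(base, scalars[i]) !=
            toy_scalarmult_ct(base, scalars[i]))
            return 0;
    }
    return 1;
}

/* Constructed test scalars: edge cases plus a few arbitrary values. */
#define TOY_TEST_COUNT 6
const uint64_t toy_test_scalars[TOY_TEST_COUNT] = {
    0, 1, 2, 10, 0xdeadbeefULL, UINT64_MAX
};

int main(void) {
    int ok = toy_cross_check(5, toy_test_scalars, TOY_TEST_COUNT);
    printf("vartime and constant-time agree: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The point of the oracle is that the variable-time routine is simple enough to trust by inspection, while the ladder's correctness hinges on the swap discipline; running both over edge-case scalars (0, 1, all ones) catches an off-by-one in the ladder before the constant-time code is ever used with a real key.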

@floodyberry
Owner

RE: array loads, I realized you could use a fully packed table for the scalarmult_base lookup (the 24k table used by amd64-64-24k), and expand ysubx, xaddy, and t2d at the end. This results in slightly-slower-to-about-the-same for the portable code (handling endian safe loads in curve25519_expand), but is noticeably faster otherwise. With 64bit code you only need one pass of the table using SSE2 registers. Since I don't need a dummy register I'll see if I can squeeze it into 12 registers and see how cmov performs.
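A portable version of the one-pass, branch-free table select that the cmov discussion above and the packed-table comment both revolve around, as an added example; it is not code from this thread or from the repository. Every entry is read and the wanted one is kept with a mask, so the memory access pattern does not depend on the index. The entry size, table contents and all names are constructed for the example; the ternary variant shows the form a compiler may or may not lower to cmov, which is why the masked form is the one to rely on.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy packed table: 8 entries of 4 x 32-bit limbs. Constructed for this
 * example; a real precomputation table holds packed curve points. */
#define TBL_ENTRIES 8
#define TBL_LIMBS   4

typedef struct { uint32_t limb[TBL_LIMBS]; } tbl_entry;

/* Deterministic contents: entry i, limb l holds (i << 8) | l. */
void tbl_fill(tbl_entry *table) {
    for (uint32_t i = 0; i < TBL_ENTRIES; i++)
        for (uint32_t l = 0; l < TBL_LIMBS; l++)
            table[i].limb[l] = (i << 8) | l;
}

/* All ones if a == b, zero otherwise, without a data-dependent branch. */
static uint32_t ct_eq_mask(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;
    x = (x | (0u - x)) >> 31;   /* 1 if a != b, else 0 */
    return x - 1;               /* 0 -> 0xffffffff, 1 -> 0 */
}

/* Variable-time reference: idx decides which cache lines are touched. */
void tbl_select_vartime(tbl_entry *out, const tbl_entry *table, uint32_t idx) {
    *out = table[idx];
}

/* One pass over the whole table; the access pattern is independent of idx.
 * Portable counterpart of the SSE2 / cmov single-pass lookups. */
void tbl_select_ct(tbl_entry *out, const tbl_entry *table, uint32_t idx) {
    for (size_t l = 0; l < TBL_LIMBS; l++)
        out->limb[l] = 0;
    for (uint32_t i = 0; i < TBL_ENTRIES; i++) {
        uint32_t m = ct_eq_mask(i, idx);
        for (size_t l = 0; l < TBL_LIMBS; l++)
            out->limb[l] |= table[i].limb[l] & m;
    }
}

/* Ternary form. A compiler may lower this to cmov (which reads its memory
 * operand whether or not the condition holds) or to a branch; that choice
 * is the compiler's, so this is a codegen experiment, not a guarantee.
 * Functionally identical to tbl_select_ct. */
void tbl_select_ternary(tbl_entry *out, const tbl_entry *table, uint32_t idx) {
    for (size_t l = 0; l < TBL_LIMBS; l++)
        out->limb[l] = 0;
    for (uint32_t i = 0; i < TBL_ENTRIES; i++) {
        uint32_t hit = ct_eq_mask(i, idx) & 1;   /* 0 or 1 */
        for (size_t l = 0; l < TBL_LIMBS; l++)
            out->limb[l] = hit ? table[i].limb[l] : out->limb[l];
    }
}

/* 1 iff every index yields the same entry through all three paths. */
int tbl_check_all(const tbl_entry *table) {
    for (uint32_t idx = 0; idx < TBL_ENTRIES; idx++) {
        tbl_entry a, b, c;
        tbl_select_vartime(&a, table, idx);
        tbl_select_ct(&b, table, idx);
        tbl_select_ternary(&c, table, idx);
        for (size_t l = 0; l < TBL_LIMBS; l++)
            if (a.limb[l] != b.limb[l] || a.limb[l] != c.limb[l])
                return 0;
    }
    return 1;
}

/* Helpers for checks: fill a table, select idx constant-time, return limb l. */
uint32_t tbl_demo_limb(uint32_t idx, uint32_t l) {
    tbl_entry table[TBL_ENTRIES], out;
    tbl_fill(table);
    tbl_select_ct(&out, table, idx);
    return out.limb[l];
}

int tbl_demo_check(void) {
    tbl_entry table[TBL_ENTRIES];
    tbl_fill(table);
    return tbl_check_all(table);
}

int main(void) {
    printf("all select paths agree: %s\n", tbl_demo_check() ? "yes" : "no");
    return 0;
}
```

Agreement of the three paths only establishes functional equivalence; whether the masked or ternary loop stays branch-free has to be confirmed by reading the emitted assembly for the compiler and optimisation level actually used, which is exactly the experiment the thread describes.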

@floodyberry
Owner

cmov in one pass appears to be a bit slower than sse2 registers in one pass

@erichocean

@floodyberry Just an FYI, floodyberry.com looks like it needs to be renewed on GoDaddy (as of Oct. 23).

@floodyberry
Owner

pushed all my latest stuff!

and renewed (whoops), but now the webserver has broken. I should probably check it a little more often and do something with it.

@crackcomm

@forthy42 @floodyberry Is it possible to do constant-time ECDH on the current codebase?
