When computing modular inverses distinguish which case we are in #4569
Actual change makes sense to us (/cc @FAlbertDev). A few minor style suggestions below.
*/ | ||
|
||
#ifndef BOTAN_MOD_INV_H_ | ||
#define BOTAN_MOD_INV_H_ |
Proper nit: `modular_inverse.h` as the name of this file? More typing, but easier to read and more accessible by beginners. Totally fine with just leaving it as is, though.
@@ -744,6 +752,58 @@ class Lucas_Primality_Test final : public Test { | |||
|
|||
BOTAN_REGISTER_TEST("math", "bn_lucas", Lucas_Primality_Test); | |||
|
|||
class RSA_Compute_Exp_Test : public Test { |
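Review bot: `class RSA_Compute_Exp_Test : public Test {` is declared without `final`, while the neighbouring `Lucas_Primality_Test final : public Test` in the same hunk is; for consistency with the surrounding test classes, consider `class RSA_Compute_Exp_Test final : public Test {`.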
This is quite some Monte Carlo test. No general objection to that, but wouldn't it make sense to implement that as part of the fuzzing somehow?
Likely yes. In fact we should do this for all of our (many) Monte Carlo tests. And likewise most of the fuzzers we have should also be tests that run as part of the regular test suite. Some of them do already exist in both systems, but only a few. I'll create a ticket describing the situation.
There are several different scenarios where we need to compute a modular inverse:

* A secret value modulo a secret prime (eg RSA-CRT setup)
* A (potentially) secret value modulo a public prime (eg inversion modulo a DL group order)
* A secret value modulo a public value that is not prime (RSA blinding setup)
* RSA secret exponent calculation, where e and phi(n) are relatively prime, phi(n) is secret and not prime, and e is public
* The general case where we have no idea as to the structure of the modulus, and we don't know if it is public so must treat it as secret

Previously all of these went through `inverse_mod` which prevented any possible optimizations based on cases. Add a new (internal) header which directly exposes the various cases and apply them within the codebase.

The only new algorithm implemented (so far) is Arazi's algorithm for inversion of a prime modulo a non-prime. Specifically this is a special case for computing the RSA secret exponent when `e=65537`. (Would also work for `e=3`/`e=17`/etc but this is not implemented)