crypto/ecdsa: use bigmod and nistec instead of math/big and crypto/elliptic
Ignoring custom curves, this makes the whole package constant-time. There is a slight loss in performance for P-384 and P-521 because bigmod is slower than math/big (but P-256 has an assembly scalar field inversion, so doesn't use bigmod for anything big). name old time/op new time/op delta Sign/P256-8 19.2µs ± 2% 19.1µs ± 2% ~ (p=0.268 n=9+10) Sign/P384-8 166µs ± 3% 188µs ± 2% +13.52% (p=0.000 n=10+10) Sign/P521-8 337µs ± 2% 359µs ± 2% +6.46% (p=0.000 n=10+10) Verify/P256-8 58.1µs ± 2% 58.1µs ± 2% ~ (p=0.971 n=10+10) Verify/P384-8 484µs ± 2% 569µs ±12% +17.65% (p=0.000 n=10+10) Verify/P521-8 1.03ms ± 4% 1.14ms ± 2% +11.02% (p=0.000 n=10+10) GenerateKey/P256-8 12.4µs ±12% 12.0µs ± 2% ~ (p=0.063 n=10+10) GenerateKey/P384-8 129µs ±18% 119µs ± 2% ~ (p=0.190 n=10+10) GenerateKey/P521-8 241µs ± 2% 240µs ± 2% ~ (p=0.436 n=10+10) name old alloc/op new alloc/op delta Sign/P256-8 3.08kB ± 0% 2.47kB ± 0% -19.77% (p=0.000 n=10+10) Sign/P384-8 6.16kB ± 0% 2.64kB ± 0% -57.16% (p=0.000 n=10+10) Sign/P521-8 7.87kB ± 0% 3.01kB ± 0% -61.80% (p=0.000 n=10+10) Verify/P256-8 1.29kB ± 1% 0.48kB ± 0% -62.69% (p=0.000 n=10+10) Verify/P384-8 2.49kB ± 1% 0.64kB ± 0% -74.25% (p=0.000 n=10+10) Verify/P521-8 3.31kB ± 0% 0.96kB ± 0% -71.02% (p=0.000 n=7+10) GenerateKey/P256-8 720B ± 0% 920B ± 0% +27.78% (p=0.000 n=10+10) GenerateKey/P384-8 921B ± 0% 1120B ± 0% +21.61% (p=0.000 n=9+10) GenerateKey/P521-8 1.30kB ± 0% 1.44kB ± 0% +10.45% (p=0.000 n=10+10) name old allocs/op new allocs/op delta Sign/P256-8 45.0 ± 0% 33.0 ± 0% -26.67% (p=0.000 n=10+10) Sign/P384-8 69.0 ± 0% 34.0 ± 0% -50.72% (p=0.000 n=10+10) Sign/P521-8 71.0 ± 0% 35.0 ± 0% -50.70% (p=0.000 n=10+10) Verify/P256-8 23.0 ± 0% 10.0 ± 0% -56.52% (p=0.000 n=10+10) Verify/P384-8 43.0 ± 0% 14.0 ± 0% -67.44% (p=0.000 n=10+10) Verify/P521-8 45.0 ± 0% 14.0 ± 0% -68.89% (p=0.000 n=7+10) GenerateKey/P256-8 13.0 ± 0% 14.0 ± 0% +7.69% (p=0.000 n=10+10) GenerateKey/P384-8 16.0 ± 0% 17.0 ± 0% +6.25% (p=0.000 n=10+10) GenerateKey/P521-8 16.5 ± 3% 
17.0 ± 0% +3.03% (p=0.033 n=10+10) Change-Id: I4e074ef039b0f7ffbc436a4cdbe4ef90c647018d Reviewed-on: https://go-review.googlesource.com/c/go/+/353849 Auto-Submit: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Than McIntosh <thanm@google.com> Reviewed-by: David Chase <drchase@google.com> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org>
parent
6c18b7b0fd
commit
5661b3ddeb
8 changed files with 442 additions and 446 deletions
79
testdata/Server-TLSv12-ECDHE-ECDSA-AES
vendored
79
testdata/Server-TLSv12-ECDHE-ECDSA-AES
vendored
|
@ -1,14 +1,13 @@
|
|||
>>> Flow 1 (client to server)
|
||||
00000000 16 03 01 00 97 01 00 00 93 03 03 86 3b 10 1e 5f |............;.._|
|
||||
00000010 81 eb 21 bd 77 47 61 e9 3f 82 85 14 91 8c ab 7d |..!.wGa.?......}|
|
||||
00000020 84 bd b1 f0 06 20 8a 7b 06 d6 78 00 00 04 c0 0a |..... .{..x.....|
|
||||
00000030 00 ff 01 00 00 66 00 00 00 0e 00 0c 00 00 09 31 |.....f.........1|
|
||||
00000040 32 37 2e 30 2e 30 2e 31 00 0b 00 04 03 00 01 02 |27.0.0.1........|
|
||||
00000050 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 |................|
|
||||
00000060 00 16 00 00 00 17 00 00 00 0d 00 30 00 2e 04 03 |...........0....|
|
||||
00000070 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 |................|
|
||||
00000080 08 05 08 06 04 01 05 01 06 01 03 03 02 03 03 01 |................|
|
||||
00000090 02 01 03 02 02 02 04 02 05 02 06 02 |............|
|
||||
00000000 16 03 01 00 85 01 00 00 81 03 03 20 34 f0 4b 7a |........... 4.Kz|
|
||||
00000010 4f ed 31 de 38 ef 33 2e 69 7d 74 35 e5 02 b9 bb |O.1.8.3.i}t5....|
|
||||
00000020 bd 1a 5c 3a f2 57 f1 23 62 66 52 00 00 04 c0 0a |..\:.W.#bfR.....|
|
||||
00000030 00 ff 01 00 00 54 00 0b 00 04 03 00 01 02 00 0a |.....T..........|
|
||||
00000040 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................|
|
||||
00000050 00 00 00 17 00 00 00 0d 00 30 00 2e 04 03 05 03 |.........0......|
|
||||
00000060 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 |................|
|
||||
00000070 08 06 04 01 05 01 06 01 03 03 02 03 03 01 02 01 |................|
|
||||
00000080 03 02 02 02 04 02 05 02 06 02 |..........|
|
||||
>>> Flow 2 (server to client)
|
||||
00000000 16 03 03 00 37 02 00 00 33 03 03 00 00 00 00 00 |....7...3.......|
|
||||
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
|
||||
|
@ -47,39 +46,39 @@
|
|||
00000220 0d 94 06 bb d4 37 7a f6 ec 7a c9 86 2e dd d7 11 |.....7z..z......|
|
||||
00000230 69 7f 85 7c 56 de fb 31 78 2b e4 c7 78 0d ae cb |i..|V..1x+..x...|
|
||||
00000240 be 9e 4e 36 24 31 7b 6a 0f 39 95 12 07 8f 2a 16 |..N6$1{j.9....*.|
|
||||
00000250 03 03 00 b7 0c 00 00 b3 03 00 1d 20 2f e5 7d a3 |........... /.}.|
|
||||
00000250 03 03 00 b6 0c 00 00 b2 03 00 1d 20 2f e5 7d a3 |........... /.}.|
|
||||
00000260 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 |G.bC.(.._.).0...|
|
||||
00000270 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 04 03 00 8b |......._X.;t....|
|
||||
00000280 30 81 88 02 42 01 c5 d1 36 97 5b 0e 5e a6 90 50 |0...B...6.[.^..P|
|
||||
00000290 a0 2e 80 b5 df d7 5a f6 95 0d a4 c6 f0 da 2e e7 |......Z.........|
|
||||
000002a0 91 79 9f 85 2e ef ca 66 3c f7 c4 7b bd 61 70 bb |.y.....f<..{.ap.|
|
||||
000002b0 16 c5 aa 00 35 33 ae 58 00 b3 f1 fe 0f 77 52 23 |....53.X.....wR#|
|
||||
000002c0 f4 40 ba 4b c7 e5 43 02 42 01 64 af ab 8a 87 38 |.@.K..C.B.d....8|
|
||||
000002d0 a1 7f b8 ae 84 0e a4 ff ad 16 09 44 0b 65 67 70 |...........D.egp|
|
||||
000002e0 12 7f 1a 37 9a 1d 5e b7 3b 63 df f9 6b f1 b9 ba |...7..^.;c..k...|
|
||||
000002f0 6b 35 8f b3 03 da 3d 61 00 3d 4e 75 b4 d0 92 d5 |k5....=a.=Nu....|
|
||||
00000300 ee 50 9d d7 f9 26 69 e6 ec cf 3b 16 03 03 00 04 |.P...&i...;.....|
|
||||
00000310 0e 00 00 00 |....|
|
||||
00000270 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 04 03 00 8a |......._X.;t....|
|
||||
00000280 30 81 87 02 41 21 2b cf 6b fc 8a 13 b6 21 8a 46 |0...A!+.k....!.F|
|
||||
00000290 fc 7c 56 7e 28 22 4d b2 c2 c8 45 92 cc 99 6a 3c |.|V~("M...E...j<|
|
||||
000002a0 48 0f 16 95 6c 43 3d ea bd ac 25 88 a3 35 0c 14 |H...lC=...%..5..|
|
||||
000002b0 c6 43 46 16 ec b5 57 76 86 1c 5a d1 52 44 3b 8c |.CF...Wv..Z.RD;.|
|
||||
000002c0 e5 b3 46 3b 47 d8 02 42 01 ad a2 c3 4c 69 35 13 |..F;G..B....Li5.|
|
||||
000002d0 d7 66 37 63 c9 43 50 68 f6 ff 7f 7d be 7e 8d 89 |.f7c.CPh...}.~..|
|
||||
000002e0 db 57 3e 0f 51 c8 49 9b 3a e2 87 65 dd 28 21 9a |.W>.Q.I.:..e.(!.|
|
||||
000002f0 c3 36 28 a4 e8 25 7b ae 8e 45 35 22 8f 2d 97 27 |.6(..%{..E5".-.'|
|
||||
00000300 fe b8 99 a9 c1 5f d8 8b 70 d3 16 03 03 00 04 0e |....._..p.......|
|
||||
00000310 00 00 00 |...|
|
||||
>>> Flow 3 (client to server)
|
||||
00000000 16 03 03 00 25 10 00 00 21 20 54 db 5b a1 4c e0 |....%...! T.[.L.|
|
||||
00000010 0e 52 a2 45 e3 b4 ac 91 3d e1 de a9 3e eb 80 9e |.R.E....=...>...|
|
||||
00000020 f5 04 7b fc 82 10 2f d9 d1 41 14 03 03 00 01 01 |..{.../..A......|
|
||||
00000030 16 03 03 00 40 47 68 cc 5e 68 3f 05 d6 f8 5c 11 |....@Gh.^h?...\.|
|
||||
00000040 08 a3 91 72 ae 4c 98 67 2f 45 ee 16 6b 8b 2d 28 |...r.L.g/E..k.-(|
|
||||
00000050 15 34 43 47 f9 46 f2 96 c2 85 d5 cc 03 e0 84 de |.4CG.F..........|
|
||||
00000060 9c 03 fe bf c9 73 23 15 d0 0f 85 3a 76 db 9f 5d |.....s#....:v..]|
|
||||
00000070 95 b7 de 9c c2 |.....|
|
||||
00000000 16 03 03 00 25 10 00 00 21 20 c4 25 45 6f 39 18 |....%...! .%Eo9.|
|
||||
00000010 b1 f6 0a b3 f7 3e 98 ed 63 ae bd 74 12 91 0d 81 |.....>..c..t....|
|
||||
00000020 84 71 13 3c a7 cf a5 d2 24 5f 14 03 03 00 01 01 |.q.<....$_......|
|
||||
00000030 16 03 03 00 40 27 8d 44 74 7a ae 8a 4e 1c f9 1b |....@'.Dtz..N...|
|
||||
00000040 05 23 c4 89 57 27 4c dc db 4a ae aa 08 74 00 55 |.#..W'L..J...t.U|
|
||||
00000050 f9 4e 63 02 75 24 ca fb 30 78 cc 82 8a 69 be ab |.Nc.u$..0x...i..|
|
||||
00000060 10 9d 25 2d a8 b6 bb 64 6e 32 68 4b 0a 32 06 74 |..%-...dn2hK.2.t|
|
||||
00000070 26 5e bc 68 25 |&^.h%|
|
||||
>>> Flow 4 (server to client)
|
||||
00000000 14 03 03 00 01 01 16 03 03 00 40 00 00 00 00 00 |..........@.....|
|
||||
00000010 00 00 00 00 00 00 00 00 00 00 00 98 34 52 f3 44 |............4R.D|
|
||||
00000020 18 69 23 61 ef 8f e9 c0 88 9c ad 1f cb e4 8d 55 |.i#a...........U|
|
||||
00000030 bd bb 77 9c 65 9d 21 f0 54 4c 46 db 4f e6 e8 ab |..w.e.!.TLF.O...|
|
||||
00000040 6b 1d 60 38 7f e0 2c 38 ef e7 43 17 03 03 00 40 |k.`8..,8..C....@|
|
||||
00000010 00 00 00 00 00 00 00 00 00 00 00 b0 cf 70 b3 00 |.............p..|
|
||||
00000020 89 e2 77 af 87 08 f5 2f 2c c8 75 ce 8a ed 30 d8 |..w..../,.u...0.|
|
||||
00000030 f7 44 f3 9d 8b 4c 42 7a 52 d0 c8 37 9b 45 46 1c |.D...LBzR..7.EF.|
|
||||
00000040 56 3b ee 52 5d c4 72 04 13 49 aa 17 03 03 00 40 |V;.R].r..I.....@|
|
||||
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
|
||||
00000060 44 68 90 07 1e 8c 7f db 3e 3f 8c 28 e1 d7 41 38 |Dh......>?.(..A8|
|
||||
00000070 e2 78 04 e3 42 c2 a9 76 bb 0a ae b9 93 df 81 d7 |.x..B..v........|
|
||||
00000080 9b 0f 1d 44 19 79 ff 7c 21 8f 75 ca e2 82 cc c4 |...D.y.|!.u.....|
|
||||
00000060 ce c4 34 c2 d8 4e f5 db d1 ff 6d 64 ae 39 6d 78 |..4..N....md.9mx|
|
||||
00000070 3c c4 57 32 d1 af 35 d3 b4 79 3c b4 bd a1 21 7b |<.W2..5..y<...!{|
|
||||
00000080 1f ef b8 3c 97 37 18 e5 10 62 e8 3d 7d 12 f5 db |...<.7...b.=}...|
|
||||
00000090 15 03 03 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........|
|
||||
000000a0 00 00 00 00 00 82 1f e6 2c 3f c7 55 19 01 0b 62 |........,?.U...b|
|
||||
000000b0 1a 99 fc f8 d3 b0 38 21 41 92 1a d1 e0 43 96 da |......8!A....C..|
|
||||
000000c0 80 4b 58 91 c8 |.KX..|
|
||||
000000a0 00 00 00 00 00 81 75 ae 71 18 61 61 ae 35 ce c8 |......u.q.aa.5..|
|
||||
000000b0 43 57 52 c9 68 5e 0d 63 c4 0e 7d 36 90 b2 f6 f6 |CWR.h^.c..}6....|
|
||||
000000c0 ea 72 3c d9 41 |.r<.A|
|
||||
|
|