)]}' { "commit": "6a7d8b54725d6e762f758726464da2dc2e112435", "tree": "198f0a8f877f338f7be4b58fda6b41dd507f7fe0", "parents": [ "02d2715bcc95d0f03ae394310d32739f4fcfa1ac" ], "author": { "name": "David Benjamin", "email": "davidben@google.com", "time": "Sun Jun 11 16:05:05 2023 -0400" }, "committer": { "name": "Boringssl LUCI CQ", "email": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com", "time": "Tue Jun 13 22:47:13 2023 +0000" }, "message": "Remove p \u003e q normalization in RSA keys\n\nRSA CRT is tiny bit messier when p \u003c q.\nhttps://boringssl-review.googlesource.com/25263 solved this by\nnormalizing to p \u003e q. The cost was we sometimes had to compute a new\niqmp.\n\nModular inversion is expensive. We did it only once per key, but it\u0027s\nstill a performance cliff in per-key costs. When later work moves\nfreeze_private_key into RSA private key parsing, it will be a\nperformance cliff in the private key parser.\n\nInstead, just handle p \u003c q in the CRT function. The only difference is\nneeding one extra reduction before the modular subtraction. Even using\nthe fully general mod_montgomery function (as opposed to checking p \u003c q,\nor using bn_reduce_once when num_bits(p) \u003d\u003d num_bits(q)) was not\nmeasurable.\n\nIn doing so, I noticed we didn\u0027t actually have tests that exercise the\nreduction step. I added one to evp_tests.txt, but it is only meaningful\nwhen blinding is disabled. (Another cost of blinding.) When blinding is\nenabled, the answers mod p and q are randomized and we hit this case\nwith about 1.8% probability. See comment in evp_test.txt.\n\nI kept the optimization where we store iqmp in Montgomery form, not\nbecause the optimization matters, but because we need to store a\ncorrected, fixed-width version of the value anyway, so we may as well\nstore it in a more convenient form.\n\nM1 Max\nBefore:\nDid 9048 RSA 2048 signing operations in 5033403us (1797.6 ops/sec)\nDid 1500 RSA 4096 signing operations in 5009288us (299.4 ops/sec)\nAfter:\nDid 9116 RSA 2048 signing operations in 5053802us (1803.8 ops/sec) [+0.3%]\nDid 1500 RSA 4096 signing operations in 5008283us (299.5 ops/sec) [+0.0%]\n\nIntel(R) Xeon(R) Gold 6154 CPU @ 3.00GHz\nBefore:\nDid 9282 RSA 2048 signing operations in 5019395us (1849.2 ops/sec)\nDid 1302 RSA 4096 signing operations in 5055011us (257.6 ops/sec)\nAfter:\nDid 9240 RSA 2048 signing operations in 5024845us (1838.9 ops/sec) [-0.6%]\nDid 1302 RSA 4096 signing operations in 5046157us (258.0 ops/sec) [+0.2%]\n\nBug: 316\nChange-Id: Icb90c7d5f5188f9b69a6d7bcc63db13d92ec26d5\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60705\nCommit-Queue: David Benjamin \u003cdavidben@google.com\u003e\nReviewed-by: Adam Langley \u003cagl@google.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "9c4f14d7459a9ec4c8148af53fffc7204306dcdb", "old_mode": 33188, "old_path": "crypto/evp/evp_test.cc", "new_id": "fafd50bb530729371cff749b94ba59357153180a", "new_mode": 33188, "new_path": "crypto/evp/evp_test.cc" }, { "type": "modify", "old_id": "238a602eb13567b565293afe5d508209a9af2c0b", "old_mode": 33188, "old_path": "crypto/evp/evp_tests.txt", "new_id": "cbce1b08aef99375542c9187ab18b7d54a1a5ecf", "new_mode": 33188, "new_path": "crypto/evp/evp_tests.txt" }, { "type": "modify", "old_id": "c6bf60a44144e629f3953b1b2c40228d0ecb25f1", "old_mode": 33188, "old_path": "crypto/fipsmodule/rsa/internal.h", "new_id": "5a993a2780b123aac9db25bb68af90103b7cfd77", "new_mode": 33188, "new_path": "crypto/fipsmodule/rsa/internal.h" }, { "type": "modify", "old_id": "120639703c9652dff7f3ee564892f3f359f7e00f", "old_mode": 33188, "old_path": "crypto/fipsmodule/rsa/rsa_impl.c", "new_id": "6cdc2909033001c0cf17afc2771b496c3d9ba1cc", "new_mode": 33188, "new_path": "crypto/fipsmodule/rsa/rsa_impl.c" }, { "type": "modify", "old_id": "87e0396d1fac2c6ef6c5c4d30e4c5ea30e6ff9b5", "old_mode": 33188, "old_path": "crypto/rsa_extra/rsa_test.cc", "new_id": "e332cdf736a5f3241b85eecabbe5472f399cb4c5", "new_mode": 33188, "new_path": "crypto/rsa_extra/rsa_test.cc" } ] }