Raif S. Naffah wrote:
> the attractiveness of the native code is performance. to quickly see how the
> new methods improve for example RSA key generation, one can modify the code
> in TestOfRSAKeyGeneration (Mauve) to call the generate() method N times and
> print the duration --on my machine i get for 5 rounds:
>
> + with GMP 969ms.
> - without GMP 11,718ms.

Hmm. That is indeed significant. However, looking at the profile for generate(), it spends nearly all its time in BigInteger.isProbablePrime() and I ran a few comparisons between our implementation of isProbablePrime() and Sun's and we're not that much slower (on IKVM only about 50% slower). I'm not sure what to make of that.

> > - Can you prove there aren't any security holes in your native code?
>
> there are none to my knowledge.

The finalizer looks dangerous. For example, a subclass could call finalize multiple times, resulting in multiple calls to free() (which may or may not be exploitable). Note that you cannot solve this by only fixing the finalizer (see the PDF I linked to previously).

Regards,
Jeroen
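
The finalizer concern raised in the message above, as an added example that is not part of the original message and is not the code under review: a class whose finalizer frees a native handle unconditionally, next to a guarded variant. The native allocator is simulated with a set of handles, all class and method names are hypothetical, and the use-after-release check is an assumption about why fixing the finalizer alone falls short (the linked PDF is not on this page).

```java
import java.util.HashSet;
import java.util.Set;

@SuppressWarnings({"deprecation", "removal"})
public class FinalizerDoubleFree {
    // Constructed stand-in for malloc/free: live handles plus misuse counters.
    static final Set<Long> live = new HashSet<>();
    static long next = 1;                    // 0 is reserved as "released"
    static int invalidFrees = 0, staleUses = 0;
    static long alloc() { live.add(next); return next++; }
    static void free(long h) { if (!live.remove(h)) invalidFrees++; }
    static void use(long h) { if (!live.contains(h)) staleUses++; }

    // Pattern under discussion: the finalizer frees unconditionally.
    static class Unsafe {
        final long ptr = alloc();
        void add() { use(ptr); }
        @Override protected void finalize() { free(ptr); }
    }
    // A subclass may call the protected finalizer directly, then keep going.
    static class UnsafeSub extends Unsafe {
        void run() { finalize(); finalize(); add(); }
    }

    // Hardened: release is idempotent and every native entry point checks state.
    static class Guarded {
        private long ptr = alloc();
        final synchronized void add() {
            if (ptr == 0) throw new IllegalStateException("native state released");
            use(ptr);
        }
        private synchronized void release() {
            if (ptr != 0) { free(ptr); ptr = 0; }
        }
        @Override protected final void finalize() { release(); }
    }
    static class GuardedSub extends Guarded {
        boolean run() {
            finalize(); finalize();
            try { add(); return false; } catch (IllegalStateException e) { return true; }
        }
    }

    public static void main(String[] args) {
        new UnsafeSub().run();
        System.out.println("unsafe:  invalid frees=" + invalidFrees + ", stale uses=" + staleUses);
        int f = invalidFrees, s = staleUses;
        boolean rejected = new GuardedSub().run();
        System.out.println("guarded: new invalid frees=" + (invalidFrees - f)
            + ", new stale uses=" + (staleUses - s) + ", use after release rejected=" + rejected);
    }
}
```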