On 29/05/12 22:52, Matt Caswell (fr...@baggins.org) wrote:
> On 29/05/12 16:55, chip...@gmx.de wrote:
>> Now I set for every variable the BN_FLG_CONSTTIME flag, so that I can
>> be sure that they will need the same time.
>> I measured the time the BN_nnmod operation in the BN_mod_add function
>> needs for the modulo operation and I see again big differences in the
>> operation times. Shouldn't the modulo operation now need nearly equal
>> time for the same modulus? It seems to me that all mod operations
>> need a little bit more time now but they converge only a little. The
>> difference is about 40 percent sometimes. A number which is bigger
>> than the modulus normally takes about 30 percent more time for the
>> mod operation than a smaller one. How can one converge the operation
>> time?
>
> Hmmm...that is strange. I just did some testing of my own to check
> this out. I wrote a quick test program that times how long it takes to
> do 10,000,000 BN_mod_add operations first adding a 254 bit number to a
> 254 bit number such that the result was greater than the modulus. I
> then repeated but adding a 254 bit number to a 253 bit number such
> that the result was less than the modulus. Finally I repeated both
> experiments but with BN_FLG_CONSTTIME set on both numbers.
>
> These are my results:
>
> Without CONSTTIME flag
> Result greater than modulus (BN_FLG_CONSTTIME not set) : 11s 328065us
> Result less than modulus (BN_FLG_CONSTTIME not set) : 2s 665665us
>
> With CONSTTIME flag
> Result greater than modulus (BN_FLG_CONSTTIME set) : 11s 219340us
> Result less than modulus (BN_FLG_CONSTTIME set) : 2s 656643us
>
> This doesn't seem right to me. Can anyone on the list suggest if this
> is correct behaviour or a bug? This is not the way I thought
> BN_FLG_CONSTTIME worked? I would have expected the final result to be
> roughly the same as the third?
>
> My code is attached in case I made a stupid error.

Yep...stupid error!!!

Ran this through the debugger and realised that it was ignoring the
BN_FLG_CONSTTIME flag. That was because I was only setting the flag on
the two values I was adding together (not on the modulus). However the
big time difference was coming from BN_mod, which was being passed a
temporary output value from BN_add which didn't have the flag set. When
I set the flag on the modulus as well I see the following:

Without CONSTTIME flag
Result greater than modulus (BN_FLG_CONSTTIME not set) : 11s 258755us
Result less than modulus (BN_FLG_CONSTTIME not set) : 2s 614403us

With CONSTTIME flag
Result greater than modulus (BN_FLG_CONSTTIME set) : 11s 864898us
Result less than modulus (BN_FLG_CONSTTIME set) : 11s 977671us

Much more like what I would have expected.

You could argue that this is actually an OpenSSL bug, i.e. in a call to
BN_mod_add(r, a, b, mod, ctx) I had set the flag on a and b (but not on
mod). I would reasonably have expected the flag to be honored for the
whole operation - not just the "add" bit.

Matt
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
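
Added example, not part of the thread and not OpenSSL's code: a self-contained C sketch of a modular addition whose running time depends on whether the sum reaches the modulus, next to a variant that does the same work in both cases. It reduces with a single subtraction rather than the BN_add followed by BN_mod path the thread describes, assumes a, b < m on fixed 4-limb operands, and every function name and test value is constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
#define LIMBS 4                          /* 4 x 64-bit limbs, little-endian */
typedef uint64_t limb;

static limb add_limbs(limb *r, const limb *a, const limb *b) {   /* returns carry */
    limb c = 0;
    for (int i = 0; i < LIMBS; i++) {
        limb s = a[i] + c, c1 = s < c;
        r[i] = s + b[i]; c = c1 | (r[i] < s);
    }
    return c;
}
static limb sub_limbs(limb *r, const limb *a, const limb *b) {   /* returns borrow */
    limb w = 0;
    for (int i = 0; i < LIMBS; i++) {
        limb d = a[i] - b[i], w1 = a[i] < b[i];
        r[i] = d - w; w = w1 | (d < w);
    }
    return w;
}
/* Variable time: the reduction runs only when a + b >= m (needs a, b < m). */
void mod_add_vartime(limb *r, const limb *a, const limb *b, const limb *m) {
    limb t[LIMBS];
    int ge = (int)add_limbs(t, a, b), i = LIMBS - 1;
    while (!ge && i > 0 && t[i] == m[i]) i--;     /* early-exit compare */
    if (ge || t[i] >= m[i]) sub_limbs(r, t, m);   /* data-dependent branch */
    else memcpy(r, t, sizeof t);
}
/* Constant time: always subtract, then select with a mask, no branch on data. */
void mod_add_consttime(limb *r, const limb *a, const limb *b, const limb *m) {
    limb t[LIMBS], u[LIMBS];
    limb carry = add_limbs(t, a, b), borrow = sub_limbs(u, t, m);
    limb mask = (limb)0 - (carry | (borrow ^ 1));  /* all ones if a + b >= m */
    for (int i = 0; i < LIMBS; i++) r[i] = (u[i] & mask) | (t[i] & ~mask);
}
/* Constructed values: M is a 254-bit modulus, A = M - 5. */
static const limb M[LIMBS] = {0xffffffffffffffc5ULL, ~0ULL, ~0ULL, 0x3fffffffffffffffULL};
static const limb A[LIMBS] = {0xffffffffffffffc0ULL, ~0ULL, ~0ULL, 0x3fffffffffffffffULL};
/* 1 if both routines agree on (A + b0) mod M and the low limb is expect_low. */
int agree(limb b0, limb expect_low) {
    limb b[LIMBS] = {b0, 0, 0, 0}, r1[LIMBS], r2[LIMBS];
    mod_add_vartime(r1, A, b, M);
    mod_add_consttime(r2, A, b, M);
    return memcmp(r1, r2, sizeof r1) == 0 && r1[0] == expect_low;
}
int main(void) {   /* exit status 0 when the below-modulus and above-modulus cases pass */
    return !(agree(2, 0xffffffffffffffc2ULL) && agree(7, 2));
}
```

Source-level branch freedom is not a guarantee: a compiler may still turn the comparisons into branches, so the generated assembly and measured timings are what confirm constant-time behaviour.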