From: Stephan Mueller <smueller@chronox.de>
To: Nicolai Stange <nstange@suse.de>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
Nicolai Stange <nstange@suse.de>, Hannes Reinecke <hare@suse.de>,
Torsten Duwe <duwe@suse.de>, Zaibo Xu <xuzaibo@huawei.com>,
Giovanni Cabiddu <giovanni.cabiddu@intel.com>,
David Howells <dhowells@redhat.com>,
Jarkko Sakkinen <jarkko@kernel.org>,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
qat-linux@intel.com, keyrings@vger.kernel.org
Subject: Re: [PATCH 09/18] crypto: dh - implement private key generation primitive
Date: Wed, 08 Dec 2021 08:16:18 +0100 [thread overview]
Message-ID: <4767831.y2tiDqZFiq@tauon.chronox.de> (raw)
In-Reply-To: <87pmq7ehxg.fsf@suse.de>
Am Mittwoch, 8. Dezember 2021, 07:20:43 CET schrieb Nicolai Stange:
Hi Nicolai,
> >> + return -EINVAL;
> >> +
> >> + /*
> >> + * 5.6.1.1.1: choose key length N such that
> >> + * 2 * ->max_strength <= N <= log2(q) + 1 = ->p_size * 8 - 1
> >> + * with q = (p - 1) / 2 for the safe-prime groups.
> >> + * Choose the lower bound's next power of two for N in order to
> >> + * avoid excessively large private keys while still
> >> + * maintaining some extra reserve beyond the bare minimum in
> >> + * most cases. Note that for each entry in safe_prime_groups[],
> >> + * the following holds for such N:
> >> + * - N >= 256, in particular it is a multiple of 2^6 = 64
> >> + * bits and
> >> + * - N < log2(q) + 1, i.e. N respects the upper bound.
> >> + */
> >> + n = roundup_pow_of_two(2 * g->max_strength);
> >> + WARN_ON_ONCE(n & ((1u << 6) - 1));
> >> + n >>= 6; /* Convert N into units of u64. */
> >
> > Couldn't we pre-compute that value for each of the safeprime groups? This
> > value should be static for each of them.
>
> Can you elaborate why this would be better? As long as the value
> calculated above is considered reasonable for every usecase, I don't see
> the advantage of storing it somewhere.
Well, I usually try to avoid using CPU resources if I have information a-
priori. And as we have only known domain parameters in this code path, I
thought we can spare a few CPU cycles.
>
> OTOH, calculating the value on the fly
> - enforces conformance to 5.6.1.1.1 (>= twice the sec strength)
> - and guarantees that it is a multiple of 64 bits, as required
> by the implementation,
> whereas you'd had to examine each and every individual group's setting
> for correctness when storing precomputed values alongside the other,
> "primary" group parameters.
You are right, but when we reach this code path we only have well-known
parameters. Hence my suggestion.
Ciao
Stephan
next prev parent reply other threads:[~2021-12-08 7:16 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-01 0:48 [PATCH 00/18] crypto: dh - infrastructure for NVM in-band auth and FIPS conformance Nicolai Stange
2021-12-01 0:48 ` [PATCH 01/18] crypto: dh - remove struct dh's ->q member Nicolai Stange
2021-12-01 7:11 ` Hannes Reinecke
2021-12-01 0:48 ` [PATCH 02/18] crypto: dh - constify struct dh's pointer members Nicolai Stange
2021-12-01 7:13 ` Hannes Reinecke
2021-12-01 0:48 ` [PATCH 03/18] crypto: dh - optimize domain parameter serialization for well-known groups Nicolai Stange
2021-12-01 7:17 ` Hannes Reinecke
2021-12-09 9:08 ` Nicolai Stange
2021-12-01 0:48 ` [PATCH 04/18] crypto: dh - introduce RFC 7919 safe-prime groups Nicolai Stange
2021-12-01 7:23 ` Hannes Reinecke
2021-12-09 9:10 ` Nicolai Stange
2021-12-01 0:48 ` [PATCH 05/18] crypto: testmgr - add DH RFC 7919 ffdhe2048 test vector Nicolai Stange
2021-12-01 7:24 ` Hannes Reinecke
2021-12-01 0:48 ` [PATCH 06/18] crypto: dh - introduce RFC 3526 safe-prime groups Nicolai Stange
2021-12-01 7:24 ` Hannes Reinecke
2021-12-01 0:48 ` [PATCH 07/18] crypto: testmgr - add DH RFC 3526 modp2048 test vector Nicolai Stange
2021-12-01 7:25 ` Hannes Reinecke
2021-12-01 0:48 ` [PATCH 08/18] crypto: testmgr - run only subset of DH vectors based on config Nicolai Stange
2021-12-01 7:28 ` Hannes Reinecke
2021-12-09 9:18 ` Nicolai Stange
2021-12-01 0:48 ` [PATCH 09/18] crypto: dh - implement private key generation primitive Nicolai Stange
2021-12-01 7:28 ` Hannes Reinecke
2021-12-05 5:52 ` Stephan Müller
2021-12-08 6:20 ` Nicolai Stange
2021-12-08 7:16 ` Stephan Mueller [this message]
2021-12-01 0:48 ` [PATCH 10/18] crypto: dh - introduce support for ephemeral key generation to dh-generic Nicolai Stange
2021-12-01 7:29 ` Hannes Reinecke
2021-12-05 6:11 ` Stephan Müller
2021-12-08 6:32 ` Nicolai Stange
2021-12-01 0:48 ` [PATCH 11/18] crypto: dh - introduce support for ephemeral key generation to hpre driver Nicolai Stange
2021-12-01 7:30 ` Hannes Reinecke
2021-12-05 6:11 ` Stephan Müller
2021-12-01 0:48 ` [PATCH 12/18] crypto: dh - introduce support for ephemeral key generation to qat driver Nicolai Stange
2021-12-01 7:30 ` Hannes Reinecke
2021-12-05 6:11 ` Stephan Müller
2021-12-01 0:48 ` [PATCH 13/18] crypto: testmgr - add DH test vectors for key generation Nicolai Stange
2021-12-01 7:31 ` Hannes Reinecke
2021-12-01 0:48 ` [PATCH 14/18] lib/mpi: export mpi_rshift Nicolai Stange
2021-12-01 7:32 ` Hannes Reinecke
2021-12-01 0:48 ` [PATCH 15/18] crypto: dh - store group id in dh-generic's dh_ctx Nicolai Stange
2021-12-01 7:32 ` Hannes Reinecke
2021-12-01 0:48 ` [PATCH 16/18] crypto: dh - calculate Q from P for the full public key verification Nicolai Stange
2021-12-01 7:33 ` Hannes Reinecke
2021-12-05 6:07 ` Stephan Müller
2021-12-08 6:41 ` Nicolai Stange
2021-12-01 0:48 ` [PATCH 17/18] crypto: dh - try to match domain parameters to a known safe-prime group Nicolai Stange
2021-12-01 7:34 ` Hannes Reinecke
2021-12-01 0:48 ` [PATCH 18/18] crypto: dh - accept only approved safe-prime groups in FIPS mode Nicolai Stange
2021-12-01 7:34 ` Hannes Reinecke
2021-12-09 9:26 ` Nicolai Stange
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4767831.y2tiDqZFiq@tauon.chronox.de \
--to=smueller@chronox.de \
--cc=davem@davemloft.net \
--cc=dhowells@redhat.com \
--cc=duwe@suse.de \
--cc=giovanni.cabiddu@intel.com \
--cc=hare@suse.de \
--cc=herbert@gondor.apana.org.au \
--cc=jarkko@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nstange@suse.de \
--cc=qat-linux@intel.com \
--cc=xuzaibo@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.