Stephan Müller <smueller@xxxxxxxxxx> writes:

> On Wednesday, 1 December 2021, 01:48:56 CET, Nicolai Stange wrote:
>
>> As the ->q in struct dh_ctx never gets set anywhere, the code
>> in dh_is_pubkey_valid() for doing the full public key validation in
>> accordance with SP800-56Arev3 is effectively dead.
>>
>> However, for safe-prime groups, Q = (P - 1)/2 by definition and this
>> enables dh_is_pubkey_valid() to calculate Q on the fly for these groups.
>> Implement this.
>>
>> With this change, the last code accessing struct dh_ctx's ->q is now gone.
>> Remove this member from struct dh_ctx.
>
> Isn't it expensive to always calculate Q for a-priori known values? Why not
> add Q to the safe-prime definitions and not do this operation here?

I actually considered this when writing the patch: it's basically a
time-memory tradeoff and I opted for time here.

The reason is that I'd expect the rather trivial Q calculation to be
negligible when compared to the subsequent mpi_powm() operation in
dh_is_pubkey_valid(). OTOH, as the size of Q is (almost) equal to that
of P, the space needed for storing all the individual groups'
precomputed Qs would be significant.

So I'd say let's wait and see whether the dynamic Q calculation does
actually show up in profiles before thinking about optimizations like
e.g. precomputations.

Thanks,

Nicolai

> If you need Q for all of those safe-primes, you may get them from [1] and
> following lines.
>
> [1] https://github.com/smuellerDD/acvpparser/blob/master/parser/safeprimes.h#L346
>
> Ciao
> Stephan
>

-- 
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
(HRB 36809, AG Nürnberg), GF: Ivo Totev
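The validation the patch wires up is easier to see in isolation than in the kernel's MPI code. The following is an added example, not the kernel's dh.c nor anything from the thread: it implements SP800-56A rev3 full public key validation for a safe-prime group, computing q = (p - 1)/2 on the fly exactly as the patch does rather than storing a per-group Q. The prime 1019 (q = 509) is a constructed toy value so the arithmetic is inspectable; a real group uses a 2048-bit or larger safe prime. The function names are this example's own.

```python
# Added example (not the kernel's dh.c): SP800-56A rev3 style full public key
# validation for a safe-prime group, with q = (p - 1) / 2 computed on the fly.
# TOY_P is a constructed toy value; real groups use 2048-bit+ safe primes.


def is_probable_prime(n: int, rounds: int = 12) -> bool:
    """Miller-Rabin with small fixed bases; sufficient for the toy values here."""
    if n < 2:
        return False
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for s in small:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in small[:rounds]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_q(p: int) -> int:
    """Return q = (p - 1) / 2 for a safe prime p, raising if p is not one."""
    if p < 5 or p % 2 == 0 or not is_probable_prime(p):
        raise ValueError("p is not an odd prime")
    q = (p - 1) // 2
    if not is_probable_prime(q):
        raise ValueError("p is not a safe prime: (p - 1) / 2 is composite")
    return q


def dh_is_pubkey_valid(y: int, p: int) -> bool:
    """Full public key validation (SP800-56A rev3, 5.6.2.3.1) for a safe-prime group.

    Step 1: 2 <= y <= p - 2 rejects 0, 1 and p - 1 (the order-1 and order-2 elements).
    Step 2: y^q mod p == 1 confirms y lies in the prime-order subgroup; for a safe
    prime this rejects the quadratic non-residues, i.e. the order-2q elements,
    which the range check alone cannot detect.
    """
    if not (2 <= y <= p - 2):
        return False
    q = safe_prime_q(p)           # derived from p instead of stored per group
    return pow(y, q, p) == 1      # the modular exponentiation that dominates cost


# Constructed toy safe prime: 1019 is prime and (1019 - 1) / 2 = 509 is prime.
TOY_P = 1019

if __name__ == "__main__":
    # 4 is a quadratic residue (order 509) and passes; 2 is a non-residue
    # mod 1019 (1019 = 3 mod 8) and fails the subgroup check despite being in range.
    for y in (0, 1, 2, 3, 4, TOY_P - 1):
        print(y, dh_is_pubkey_valid(y, TOY_P))
```

The point of the 2 versus 4 comparison is the one the patch is about: without q, the subgroup check cannot run, and a key such as y = 2 in this toy group would be accepted although it does not lie in the order-q subgroup.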