make I2OSP more constant time

Question

make I2OSP more constant time

g-k opened this issue 6 years ago · comments

Greg Guthe commented 6 years ago

see discussion around mozilla-services/autograph#76 (comment)

Greg Guthe · Answer 1 · Fri May 18 2018 22:28:11 GMT+0800 (China Standard Time)

per #41 further investigation might help:

Need to profile this, but we could:

iterate through by byte instead
try to make the error checking constant time
find out if the big.Int.Bytes() call is accounting for the discrepancy

Also, the timing test is flaky.

Greg Guthe · Answer 2 · Tue May 22 2018 04:02:08 GMT+0800 (China Standard Time)

Looks like the implementations of both Bytes and Sign methods are O(n) with int size (assuming the make([]byte, len(x.abs)*_S) and len(x.abs) are):

// Bytes returns the absolute value of x as a big-endian byte slice.
func (x *Int) Bytes() []byte {
	buf := make([]byte, len(x.abs)*_S)
	return buf[x.abs.bytes(buf):]
}

https://golang.org/src/math/big/int.go?s=10730:10758#L423

// Sign returns:
//
//	-1 if x <  0
//	 0 if x == 0
//	+1 if x >  0
//
func (x *Int) Sign() int {
	if len(x.abs) == 0 {
		return 0
	}
	if x.neg {
		return -1
	}
	return 1
}

https://golang.org/src/math/big/int.go?s=575:599#L21

The a big int's Bits() that returns the little-endian Word slice method should be constant time.

Franziskus Kiefer · Answer 3 · Mon May 28 2018 15:40:55 GMT+0800 (China Standard Time)

Ugh nasty. Bits looks like a good option.

Hal Wine · Answer 4 · Fri Aug 19 2022 04:55:36 GMT+0800 (China Standard Time)

We are no longer making changes to this repository. See README update for more information on the successor project.