
Building the precomputed table for RSA signing is less efficient than before, for non-x86_64

Open briansmith opened this issue 10 months ago • 0 comments

In this code in the non-x86_64 elem_exp_consttime_inner:

```rust
for i in 2..TABLE_ENTRIES {
    let (src1, src2) = if i % 2 == 0 {
        (i / 2, i / 2)
    } else {
        (i - 1, 1)
    };
    let (previous, rest) = table.split_at_mut(num_limbs * i);
    let src1 = entry(previous, src1, num_limbs);
    let src2 = entry(previous, src2, num_limbs);
    let dst = entry_mut(rest, 0, num_limbs);
    limbs_mul_mont((dst, src1, src2), m.limbs(), m.n0(), m.cpu_features())?;
}
```

we are relying on limbs_mul_mont doing a squaring if src1 aliases src2. This is how it used to work, but now we only do the squaring optimization when we are using the squaring function. We should rewrite this code to do the squaring optimization. See how the x86_64 implementation does it.

briansmith, Mar 20 '25 16:03
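The shape of the rewrite the issue asks for, as an added example that is not ring's code: the same table loop, but even entries call a dedicated squaring routine explicitly instead of passing the same operand twice to the multiply routine. It stands in plain u64 modular arithmetic for Montgomery multiplication and counts which routine each entry used; `TABLE_ENTRIES`, `mul_mod`, `sqr_mod`, `Stats` and `pow_mod` are assumed names.

```rust
// Added example, not ring's implementation. Entries are single u64 values
// rather than limb slices, and mul_mod/sqr_mod replace limbs_mul_mont and a
// Montgomery squaring routine.
const TABLE_ENTRIES: usize = 32;

/// Stand-in for the general multiplication routine (no aliasing detection).
fn mul_mod(a: u64, b: u64, m: u64) -> u64 {
    ((a as u128 * b as u128) % m as u128) as u64
}

/// Stand-in for the dedicated squaring routine that the fix should call.
fn sqr_mod(a: u64, m: u64) -> u64 {
    mul_mod(a, a, m)
}

/// Counts of which routine produced each table entry.
#[derive(Default, Debug, PartialEq)]
pub struct Stats { pub muls: usize, pub sqrs: usize }

/// Builds table[i] = base^i mod m for i in 0..TABLE_ENTRIES.
/// Even i: square table[i/2]. Odd i: multiply table[i-1] by table[1].
/// The even case dispatches to the squaring routine explicitly.
pub fn build_table(base: u64, m: u64) -> (Vec<u64>, Stats) {
    let mut table = vec![0u64; TABLE_ENTRIES];
    let mut stats = Stats::default();
    table[0] = 1 % m;
    table[1] = base % m;
    for i in 2..TABLE_ENTRIES {
        // Entries 0..i are final; split so we read `previous` and write rest[0].
        let (previous, rest) = table.split_at_mut(i);
        rest[0] = if i % 2 == 0 {
            stats.sqrs += 1;
            sqr_mod(previous[i / 2], m)
        } else {
            stats.muls += 1;
            mul_mod(previous[i - 1], previous[1], m)
        };
    }
    (table, stats)
}

/// Reference square-and-multiply exponentiation for checking the table.
pub fn pow_mod(base: u64, mut e: u64, m: u64) -> u64 {
    let (mut result, mut b) = (1 % m, base % m);
    while e > 0 {
        if e & 1 == 1 { result = mul_mod(result, b, m); }
        b = sqr_mod(b, m);
        e >>= 1;
    }
    result
}
```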