-
Notifications
You must be signed in to change notification settings - Fork 618
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: estimate ed25519
base and bytes separately
#7980
Conversation
The old estimation just divided the base estimation by the number of bytes to receive the cost per byte. Now the base is subtracted first and the remainder is divided by the number of bytes. Exact estimations will be done and added later. But icount estimations show that the per byte cost can be reduced from the placeholder value 423 Mgas to 12 Mgas (safety multiplier of 3 included). The base value is still a bit tricky to say. `icount` estimation gives me 90 Ggas, so with a safety multiplier it would be 270 Ggas. The current placeholder of 40 Ggas is quite a bit lower but it was roughly what we expected based on [external benchmarks](https://github.com/dalek-cryptography/ed25519-dalek#benchmarks). It could be that qemu based estimation does not work well here because AVX instructions are used. Besides the actual estimation, there is another TODO. The verify function used is not constant-time. So we need to evaluate different inputs for validation and see if the worst-case is significantly different from the time for a random private key and signature. Attack idea: An attack could try many keys until one produces a suitable `k` and combine it with a suitable `s`. Note that `s` does not need to be a valid signature, as long as it is smaller than `q` it cannot be rejected until `[s]B - [k]A` is computed, which is the expensive part. The attacker can do the analysis offline and submit the prepared (invalid) signature to the chain, which could lead to undercharged cost if we just go with a random input for the estimation.
cc @blasrodri and link #7567 |
TLDR: variation on input is small and has an upper bound Details: see comments on `Ed25519VerifyBase`.
I just updated the comments that expressed worries around timing depending on the input. My conclusion here is that the variance is small enough that we can keep a single signature for the estimation. Side channel attacks are possible even with very small changes in timing. We need to deal with much higer variance between hardware anyway. Thus, we round up estimations generously (e.g. safety multiplier of 3x) and these small variations become negligible. |
// private key: OReNDSAXOnl-U6Wki95ut01ehQW_9wcAF_utjzRNreg | ||
// public key: M4QwJx4Sogjr0KcMI_gsvt-lEU6tgd9GWmgejE_JYlA |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
❤️
Co-authored-by: Alex Kladov <aleksey.kladov@gmail.com>
The old estimation just divided the base estimation by the number of bytes to receive the cost per byte. Now the base is subtracted first and the remainder is divided by the number of bytes. Exact estimations will be done and added later. But icount estimations show that the per byte cost can be reduced from the placeholder value 423 Mgas to 12 Mgas (safety multiplier of 3 included). The base value is still a bit tricky to say. `icount` estimation gives me 90 Ggas, so with a safety multiplier it would be 270 Ggas. The current placeholder of 40 Ggas is quite a bit lower but it was roughly what we expected based on [external benchmarks](https://github.com/dalek-cryptography/ed25519-dalek#benchmarks). It could be that qemu based estimation does not work well here because AVX instructions are used.
The old estimation just divided the base estimation by the number of bytes to receive the cost per byte. Now the base is subtracted first and the remainder is divided by the number of bytes. Exact estimations will be done and added later. But icount estimations show that the per byte cost can be reduced from the placeholder value 423 Mgas to 12 Mgas (safety multiplier of 3 included). The base value is still a bit tricky to say. `icount` estimation gives me 90 Ggas, so with a safety multiplier it would be 270 Ggas. The current placeholder of 40 Ggas is quite a bit lower but it was roughly what we expected based on [external benchmarks](https://github.com/dalek-cryptography/ed25519-dalek#benchmarks). It could be that qemu based estimation does not work well here because AVX instructions are used.
The old estimation just divided the base estimation by the number of
bytes to receive the cost per byte. Now the base is subtracted first and
the remainder is divided by the number of bytes.
Exact estimations will be done and added later. But icount estimations
show that the per byte cost can be reduced from the placeholder value
423 Mgas to 12 Mgas (safety multiplier of 3 included).
The base value is still a bit tricky to say.
icount
estimation givesme 90 Ggas, so with a safety multiplier it would be 270 Ggas.
The current placeholder of 40 Ggas is quite a bit lower but it was
roughly what we expected based on
external benchmarks.
It could be that qemu based estimation does not work well here because
AVX instructions are used.