How to trigger the fixed_window_exponentiator in mod_exp? #754

Closed
computereasy opened this issue Dec 3, 2016 · 7 comments

@computereasy

Hello,

I am playing with the rsa decryption routine of botan (version 1.10.13), and it seems that I can only trigger the Montgomery_Exponentiator implementation of the modular exponentiation.

I found the following routine in the source code, and figured out that I can change the n (it is derived from the key, right?) to trigger the fixed_window_exponentiator. However, after trying to re-generate the secret key several times, I still cannot trigger the fixed window implementation.

Modular_Exponentiator*
Core_Engine::mod_exp(const BigInt& n, Power_Mod::Usage_Hints hints) const
 {
 if(n.is_odd())
    return new Montgomery_Exponentiator(n, hints);
 return new Fixed_Window_Exponentiator(n, hints);
 }

So here is my question:

  1. Is it legit if I hack the code, ruling out the if condition above and force the execution flow to hit the Fixed_Window_Exponentiator implementation? This is only for some academic study, not real usage so no worries about the potential safety issue. I just want to execute the fixed_window routine.

  2. If not, how should I trigger this fixed window implementation?

I would really appreciate any advice and suggestion, thank you in advance!

@randombit
Owner

Yes, the fixed window exponentiation algorithm should be correct for all moduli; Montgomery representation is just an optimization.

@computereasy
Author

@randombit Thank you. I got it.

@computereasy
Author

computereasy commented Dec 4, 2016

Hi @randombit, I commented out the branch, compiled, and re-ran the example code rsa_dec; however, I got the following exception:

➜  examples ./rsa_dec rsapriv.pem messagefile.enc a
Exception caught: Internal error: Assertion m == powermod_e_n(x) failed (RSA private op failed consistency check) in virtual Botan::SecureVector<unsigned char>   Botan::RSA_Private_Operation::decrypt(const byte*, size_t) @src/pubkey/rsa/rsa.cpp:113 

This is how I tweaked the source code:

Modular_Exponentiator*
Core_Engine::mod_exp(const BigInt& n, Power_Mod::Usage_Hints hints) const
{
 // if(n.is_odd())
 //    return new Montgomery_Exponentiator(n, hints);
 return new Fixed_Window_Exponentiator(n, hints);
}

@randombit
Owner

Thanks, bug for certain - I will take a look at this soon.

@computereasy
Author

@randombit Thank you!

randombit added a commit that referenced this issue Dec 14, 2016
GH #754 exposed a bug in the non-Montgomery exponentiation case.
It turned out that when the fixed window was picked to any value
> 1, the result would be incorrect due to an off by one. This is
the one line fix in powm_fw.cpp

Also fix a bug in bigint_mul which caused incorrect results,
because the output BigInt was not being zeroed out before use. This
is only exposed in rare cases, found (somewhat indirectly) in
OSS-Fuzz #287.

Add more modular exponentiation tests, which would have caught
these issues earlier.

randombit added a commit that referenced this issue Dec 14, 2016
If window size > 1, the result was incorrect :(

GH #754

@randombit
Owner

@computereasy I believe the bug you encountered is fixed in 1.10 branch with 1a0f41b

@randombit
Owner

Closing as fixed
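
The commit message above says the fixed-window result was wrong for window sizes above 1 and that more modular exponentiation tests would have caught it. The following is an added example, not part of the thread and not Botan's code, of such a differential test: a fixed-window exponentiator checked against plain square-and-multiply for odd and even moduli at every window size. It works on 64-bit words instead of BigInt, and all function names and test values are constructed for illustration.

```cpp
// Added example (not Botan code). Assumes n >= 1 and a GCC/Clang compiler.
#include <cstdint>
#include <cstdio>
#include <vector>
using u64 = std::uint64_t;

// (a * b) mod n without overflow; unsigned __int128 is a compiler extension.
static u64 mul_mod(u64 a, u64 b, u64 n) {
    return static_cast<u64>(static_cast<unsigned __int128>(a) * b % n);
}

// Reference: one exponent bit at a time (square-and-multiply).
u64 pow_mod_binary(u64 base, u64 exp, u64 n) {
    u64 r = 1 % n;
    for (base %= n; exp != 0; exp >>= 1) {
        if (exp & 1) r = mul_mod(r, base, n);
        base = mul_mod(base, base, n);
    }
    return r;
}

// Fixed window of w bits (1 <= w <= 8): table of base^0 .. base^(2^w - 1),
// then w squarings and one table multiply per window, most significant first.
u64 pow_mod_fixed_window(u64 base, u64 exp, u64 n, unsigned w) {
    std::vector<u64> table(std::size_t{1} << w, 1 % n);
    for (std::size_t i = 1; i < table.size(); ++i)
        table[i] = mul_mod(table[i - 1], base % n, n);
    u64 r = 1 % n;
    for (unsigned i = (64 + w - 1) / w; i-- > 0;) {
        for (unsigned s = 0; s < w; ++s) r = mul_mod(r, r, n);  // exactly w squarings
        r = mul_mod(r, table[(exp >> (i * w)) & (table.size() - 1)], n);
    }
    return r;
}

// Differential test: every window size must agree with the reference.
unsigned count_mismatches(u64 n) {
    const u64 bases[] = {0, 1, 2, 3, 0x1234567, n - 1, ~u64{0}};
    const u64 exps[] = {0, 1, 2, 3, 65537, u64{1} << 63, 0xDEADBEEFCAFEF00Dull};
    unsigned bad = 0;
    for (unsigned w = 1; w <= 6; ++w)
        for (u64 b : bases)
            for (u64 e : exps)
                if (pow_mod_fixed_window(b, e, n, w) != pow_mod_binary(b, e, n)) ++bad;
    return bad;
}

int main() {  // constructed moduli: toy RSA n = 61 * 53, then two even values
    for (u64 n : {u64{3233}, u64{1000}, ~u64{0} - 1})
        std::printf("n=%llu mismatches=%u\n", (unsigned long long)n, count_mismatches(n));
}
```

Running the comparison over several window sizes matters because a window of 1 reduces to the bit-at-a-time loop and can hide an indexing error that only appears for wider windows.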
