delta/python-packages/pycrypto.git/src, branch master github.com: dlitz/pycrypto.git Increase attempts for recovering RSA (p,q) from (n,e,d) 2014-06-23T07:12:24+00:00 Wouter Bolsterlee uws@xs4all.nl 2014-06-20T20:07:46+00:00 7acba5f3a6ff10f1424c309d0d34d2b713233019 Bump the maximum number of iterations to recover (p,q) given (n,e,d) to increase the chance that the algorithm succeeds. The algorithm used is a probabilistic one with a 1/2 chance of finding the right value in each iteration, so it's likely that only a few iterations are needed. However, in some extreme cases this may still fail. Bumping the maximum number allow the algorithm to correctly find the right values for these cases. This changes bumps the number of iterations from 50 to 500 (the value 'a' is increased by 2 in each step), and hence reduces the chance of failure from 2**-50 to 2**-500. Note that this change does *not* result in a performance degradation. 
Bump the maximum number of iterations to recover (p,q) given (n,e,d) to
increase the chance that the algorithm succeeds. The algorithm used is a
probabilistic one with a 1/2 chance of finding the right value in each
iteration, so it's likely that only a few iterations are needed.

However, in some extreme cases this may still fail. Bumping the maximum
number allow the algorithm to correctly find the right values for these
cases. This changes bumps the number of iterations from 50 to 500 (the
value 'a' is increased by 2 in each step), and hence reduces the chance
of failure from 2**-50 to 2**-500.

Note that this change does *not* result in a performance degradation.
Realign V tables dynamically 2014-06-23T06:47:53+00:00 Legrandin helderijs@gmail.com 2014-05-13T06:19:55+00:00 13fcb9e63892f18de043e8308bc645ae5baf4aa4 






Make Cipher.galois module private
2014-06-23T06:47:53+00:00

Legrandin
helderijs@gmail.com

2014-04-26T07:10:19+00:00

9e2b6af8c34efba80d141490b48b82a3c2185ae5












Make GHASH more robust against timing attacks.
2014-06-23T06:38:31+00:00

Legrandin
helderijs@gmail.com

2014-03-23T17:46:55+00:00

947b554d85012cf35185ded38ef3484de010d2cf

In order to speed up as much as possible the GHASH,
the current implementation expands the 16 byte hash key
(H) into a table of 64 KBytes. However, that is sensitive
to cache-based timing attacks.

If we assume that access to data inside the same cache line
is constant-time (likely), fitting a table item into a cache
line may help against the attacks.

This patch reduce the pre-computed table from 64K to 4K
and aligns every item to a 32 byte boundary (since most modern
CPUs have cache line of that size or larger).

This patch will reduce the overall performance.

This patch also reverts commit 965871a727 ("GCM mode:
Optimize key setup for GCM mode") since I actually
got conflicting benchmark results.





In order to speed up as much as possible the GHASH,
the current implementation expands the 16 byte hash key
(H) into a table of 64 KBytes. However, that is sensitive
to cache-based timing attacks.

If we assume that access to data inside the same cache line
is constant-time (likely), fitting a table item into a cache
line may help against the attacks.

This patch reduce the pre-computed table from 64K to 4K
and aligns every item to a 32 byte boundary (since most modern
CPUs have cache line of that size or larger).

This patch will reduce the overall performance.

This patch also reverts commit 965871a727 ("GCM mode:
Optimize key setup for GCM mode") since I actually
got conflicting benchmark results.







Add side-channel countermeasures to DSA.
2014-06-23T06:30:26+00:00

Legrandin
helderijs@gmail.com

2013-12-27T22:44:38+00:00

0782d68840d0ebf850516e606e398b8a5396eb64

This patch strenghten the DSA signing code against
side-channel attacks.

The DSA signing formulae:

r = (g^{k} mod p) mod q
s = k^{-1} * (H(m) + r*x) mod q

becomes:

b = random in [1..q)
r = (g^{k} mod p) mod q
s = (b * k)^{-1} * (b*H(m) + r*(b*x)) mod q

In this way we avoid that the secret (x) gets multiplied
by a random factor (r) which is immediately disclosed
to an attacker (which we assume can both collect (r) and
also monitor the side-channel produced by the multiplication).

See also attack DSA_2 in:

"Minimum Requirements for Evaluating Side-Channel Attack Resistance
of RSA, DSA and Diffie-Hellman Key Exchange Implementations", BSI





This patch strenghten the DSA signing code against
side-channel attacks.

The DSA signing formulae:

r = (g^{k} mod p) mod q
s = k^{-1} * (H(m) + r*x) mod q

becomes:

b = random in [1..q)
r = (g^{k} mod p) mod q
s = (b * k)^{-1} * (b*H(m) + r*(b*x)) mod q

In this way we avoid that the secret (x) gets multiplied
by a random factor (r) which is immediately disclosed
to an attacker (which we assume can both collect (r) and
also monitor the side-channel produced by the multiplication).

See also attack DSA_2 in:

"Minimum Requirements for Evaluating Side-Channel Attack Resistance
of RSA, DSA and Diffie-Hellman Key Exchange Implementations", BSI







Upgrade libtomcrypt 1.16 -> 1.17 (LP#1264130)
2014-06-23T03:15:21+00:00

Dwayne Litzenberger
dlitz@dlitz.net

2014-06-23T03:11:46+00:00

de67e51324fc7ecfb553046938b2f734e48ce9e7

This should fix a FreeBSD build issue:
https://bugs.launchpad.net/pycrypto/+bug/1264130

Thanks to Richard Mitchell <richard.j.mitchell@gmail.com> for suggesting
how to fix this.





This should fix a FreeBSD build issue:
https://bugs.launchpad.net/pycrypto/+bug/1264130

Thanks to Richard Mitchell <richard.j.mitchell@gmail.com> for suggesting
how to fix this.







PyCrypto customizations: Declare things static so that we don't leak symbols
2014-06-23T03:10:24+00:00

Dwayne Litzenberger
dlitz@dlitz.net

2014-06-23T03:05:02+00:00

780eb557aedd3de7689aa215b3f13082dc60e2e1












Pristine files from libtomcrypt-1.17
2014-06-23T03:09:49+00:00

Dwayne Litzenberger
dlitz@dlitz.net

2014-06-23T03:09:49+00:00

696b31bc95cb98dc17e1bc6daad196cff64af29b

Original tarball downloaded from:

    http://libtom.org/files/crypt-1.17.tar.bz2
    http://libtom.org/files/crypt-1.17.tar.bz2.sig

SHA256 sums:

    e33b47d77a495091c8703175a25c8228aff043140b2554c08a3c3cd71f79d116 *crypt-1.17.tar.bz2
    8f52ddfb17656f7a2e510d92a26c8b33e0c1f431af7febd9cf1298a77b5fd932 *crypt-1.17.tar.bz2.sig

libtomcrypt-1.17/LICENSE says:

    LibTomCrypt is public domain.  As should all quality software be.

    Tom St Denis





Original tarball downloaded from:

    http://libtom.org/files/crypt-1.17.tar.bz2
    http://libtom.org/files/crypt-1.17.tar.bz2.sig

SHA256 sums:

    e33b47d77a495091c8703175a25c8228aff043140b2554c08a3c3cd71f79d116 *crypt-1.17.tar.bz2
    8f52ddfb17656f7a2e510d92a26c8b33e0c1f431af7febd9cf1298a77b5fd932 *crypt-1.17.tar.bz2.sig

libtomcrypt-1.17/LICENSE says:

    LibTomCrypt is public domain.  As should all quality software be.

    Tom St Denis







DES3: Move "Two-key 3DES" support into DES.c instead of customizing tomcrypt_des.c
2014-06-23T02:50:22+00:00

Dwayne Litzenberger
dlitz@dlitz.net

2014-06-23T02:50:22+00:00

33859d41784c85a64da5b6cf8856f086b2c77b8f












Workaround missing bit_AES defines
2014-06-23T00:26:16+00:00

Sebastian Ramacher
sebastian+dev@ramacher.at

2013-11-06T16:24:19+00:00

2549c4dc2d47309a7635b85341e8450ce3eab9c6

clang provides the same constant as bit_AESNI in some versions, and doesn't
provide it at all in others.

Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>





clang provides the same constant as bit_AESNI in some versions, and doesn't
provide it at all in others.

Signed-off-by: Sebastian Ramacher <sebastian+dev@ramacher.at>