| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aGaCTOJ30KNPOBIC@zx2c4.com> Date: Thu, 3 Jul 2025 15:14:52 +0200 From: "Jason A. Donenfeld" <Jason@...c4.com> To: Gu Bowen <gubowen5@...wei.com> Cc: Herbert Xu <herbert@...dor.apana.org.au>, David Howells <dhowells@...hat.com>, David Woodhouse <dwmw2@...radead.org>, Lukas Wunner <lukas@...ner.de>, Ignat Korchagin <ignat@...udflare.com>, "David S . Miller" <davem@...emloft.net>, Jarkko Sakkinen <jarkko@...nel.org>, Maxime Coquelin <mcoquelin.stm32@...il.com>, Alexandre Torgue <alexandre.torgue@...s.st.com>, Eric Biggers <ebiggers@...nel.org>, Ard Biesheuvel <ardb@...nel.org>, Tianjia Zhang <tianjia.zhang@...ux.alibaba.com>, Dan Carpenter <dan.carpenter@...aro.org>, keyrings@...r.kernel.org, linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org, linux-stm32@...md-mailman.stormreply.com, linux-arm-kernel@...ts.infradead.org, Lu Jialin <lujialin4@...wei.com>, GONG Ruiqi <gongruiqi1@...wei.com> Subject: Re: [PATCH RFC 0/4] Reintroduce the sm2 algorithm Hi, On Mon, Jun 30, 2025 at 09:39:30PM +0800, Gu Bowen wrote: > To reintroduce the sm2 algorithm, the patch set did the following: > - Reintroduce the mpi library based on libgcrypt. > - Reintroduce ec implementation to MPI library. > - Rework sm2 algorithm. > - Support verification of X.509 certificates. > > Gu Bowen (4): > Revert "Revert "lib/mpi: Extend the MPI library"" > Revert "Revert "lib/mpi: Introduce ec implementation to MPI library"" > crypto/sm2: Rework sm2 alg with sig_alg backend > crypto/sm2: support SM2-with-SM3 verification of X.509 certificates I am less than enthusiastic about this. Firstly, I'm kind of biased against the whole "national flag algorithms" thing. But I don't know how much weight that argument will have here. More importantly, however, implementing this atop MPI sounds very bad. The more MPI we can get rid of, the better. Is MPI constant time? Usually the good way to implement EC algorithms like this is to very carefully work out constant time (and fast!) field arithmetic routines, verify their correctness, and then implement your ECC atop that. At this point, there's *lots* of work out there on doing fast verified ECC and a bunch of different frameworks for producing good implementations. There are also other implementations out there you could look at that people have presumably studied a lot. This is old news. (In 3 minutes of scrolling around, I noticed that count_leading_zeros() on a value is used as a loop index, for example. Maybe fine, maybe not, I dunno; this stuff requires analysis.) On the other hand, maybe you don't care because you only implement verification, not signing, so all info is public? If so, the fact that you don't care about CT should probably be made pretty visible. But either way, you should still be concerned with having an actually good & correct implementation of which you feel strongly about the correctness. Secondly, the MPI stuff you're proposing here adds a 25519 and 448 implementation, and support for weierstrauss, montgomery, and edwards, and... surely you don't need all of this for SM-2. Why add all this unused code? Presumably because you don't really understand or "own" all of the code that you're proposing to add. And that gives me a lot of hesitation, because somebody is going to have to maintain this, and if the person sending patches with it isn't fully on top of it, we're not off to a good start. Lastly, just to nip in the bud the argument, "but weierstrauss is all the same, so why not just have one library to do all possible weierstrauss curves?" -- the fact that this series reintroduces the removed "generic EC library" indicates there's actually not another user of it, even before we get into questions of whether it's a good idea. Jason
Powered by blists - more mailing lists